From dff8f11e23c5d92140a751f1b4a9a9bd7e524b8b Mon Sep 17 00:00:00 2001 
From: Jared Ondricek
Date: Mon, 21 Apr 2025 21:48:43 -0500
Subject: [PATCH] ATT&CK v17.0 Mobile
---
...-00290ac5-551e-44aa-bbd8-c4b913488a6d.json | 62 +++---
...-039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json | 84 ++++----
...-08e22979-d320-48ed-8711-e7bf94aabb13.json | 2 +-
...-08ea902d-ecb5-47ed-a453-2798057bb2d3.json | 50 ++---
...-0b761f2b-197a-40f2-b100-8152cb957c0c.json | 48 ++---
...-0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json | 23 ++-
...-0c71033e-401e-4b97-9309-7a7c95e43a5d.json | 94 ++++-----
...-0cdd66ad-26ac-4338-a764-4972a1e17ee3.json | 50 ++---
...-0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json | 52 ++---
...-0d95940f-9583-4e0f-824c-a42c1be47fad.json | 10 +-
...-0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json | 8 +-
...-114fed8b-7eed-4136-8b9c-411c5c7fff4b.json | 54 ++---
...-11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json | 17 +-
...-11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json | 52 ++---
...-16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json | 56 +++---
...-198ce408-1470-45ee-b47f-7056050d4fc2.json | 52 ++---
...-1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json | 52 ++---
...-1d1b1558-c833-482e-aabb-d07ef6eae63d.json | 52 ++---
...-1d44f529-6fe6-489f-8a01-6261ac43f05e.json | 52 ++---
...-1f96d624-8409-4472-ad8a-30618ee6b2e2.json | 17 +-
...-1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json | 60 +++---
...-20b0931a-8952-42ca-975f-775bad295f1a.json | 50 ++---
...-2204c371-6100-4ae0-82f3-25c07c29772a.json | 49 ++---
...-22379609-a99f-4a01-bd7e-70f3e105859d.json | 52 ++---
...-2282a98b-5049-4f61-9381-55baca7c1add.json | 68 +++----
...-233fe2c0-cb41-4765-b454-e0087597fbce.json | 2 +-
...-24a77e53-0751-46fc-b207-99378fb35c08.json | 56 +++---
...-27d18e87-8f32-4be1-b456-39b90454360f.json | 52 ++---
...-27f483c6-6666-44fa-8532-ffd5fc7dab38.json | 82 ++++----
...-28fdd23d-aee3-4afe-bc3f-5f1f52929258.json | 2 +-
...-29e07491-8947-43a3-8d4e-9a787c45f3d3.json | 72 +++----
...-29f1f56c-7b7a-4c14-9e39-59577ea2743c.json | 52 ++---
...-2aa78dfd-cb6f-4c70-9408-137cfd96be49.json | 50 ++---
...-2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json | 52 ++--- ...-2ccc3d39-9598-4d32-9657-42e1c7095d26.json | 52 ++--- ...-2d646840-f6f5-4619-a5a8-29c8316bbac5.json | 104 +++++----- ...-2de38279-043e-47e8-aaad-1b07af6d0790.json | 58 +++--- ...-2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json | 52 ++--- ...-32063d7f-0a39-440d-a4a3-2694488f96cc.json | 52 ++--- ...-351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json | 52 ++--- ...-351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json | 72 +++---- ...-37047267-3e56-453c-833e-d92b68118120.json | 52 ++--- ...-3775a580-a1d1-46c4-8147-c614a715f2e9.json | 56 +++--- ...-3911658a-6506-4deb-9ab4-595a51ae71ad.json | 54 ++--- ...-393e8c12-a416-4575-ba90-19cc85656796.json | 84 ++++---- ...-39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json | 58 +++--- ...-3b0b604f-10db-41a0-b54c-493124d455b9.json | 64 +++--- ...-3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json | 184 +++++++++--------- ...-3e091a89-a493-4a6c-8e88-d57be19bb98d.json | 52 ++--- ...-45a5fe76-eda3-4d40-8f22-c186efd6278d.json | 2 +- ...-45dcbc83-4abc-4de1-b643-e528d1e9df09.json | 17 +- ...-46d818a5-67fa-4585-a7fc-ecf15376c8d5.json | 52 ++--- ...-498e7b81-238d-404c-aa5e-332904d63286.json | 10 +- ...-4c58b7c6-a839-4789-bda9-9de33e4d4512.json | 8 +- ...-4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json | 68 +++---- ...-4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json | 52 ++--- ...-51636761-2e35-44bf-9e56-e337adf97174.json | 52 ++--- ...-51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json | 17 +- ...-52651225-0b3a-482d-aa7e-10618fd063b5.json | 68 +++---- ...-52eff1c7-dd30-4121-b762-24ae6fa61bbb.json | 72 +++---- ...-53263a67-075e-48fa-974b-91c5b5445db7.json | 124 ++++++------ ...-537ea573-8a1c-468c-956b-d16d2ed9d067.json | 84 ++++---- ...-5abfc5e6-3c56-49e7-ad72-502d01acf28b.json | 2 +- ...-5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json | 50 ++--- ...-60623164-ccd8-4508-a141-b5a34820b3de.json | 74 +++---- ...-62adb627-f647-498e-b4cc-41499361bacb.json | 68 +++---- ...-633baf01-6de4-4963-bb54-ff6c6357bed3.json | 84 ++++---- 
...-648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json | 64 +++--- ...-667e5707-3843-4da8-bd34-88b922526f0d.json | 10 +- ...-6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json | 52 ++--- ...-670a4d75-103b-4b14-8a9e-4652fa795edd.json | 50 ++--- ...-693cdbff-ea73-49c6-ac3f-91e7285c31d1.json | 52 ++--- ...-6a3f6490-9c44-40de-b059-e5940f246673.json | 68 +++---- ...-6b846ad0-cc20-4db6-aa34-91561397c5e2.json | 17 +- ...-6c49d50f-494d-4150-b774-a655022d20a6.json | 52 ++--- ...-6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe.json | 10 +- ...-6f86d346-f092-4abc-80df-8558a90c426a.json | 84 ++++---- ...-6ffad4be-bfe0-424f-abde-4d9a84a800ad.json | 52 ++--- ...-702055ac-4e54-4ae9-9527-e23a38e0b160.json | 10 +- ...-73c26732-6422-4081-8b63-6d0ae93d449e.json | 50 ++--- ...-74e6003f-c7f4-4047-983b-708cc19b96b6.json | 50 ++--- ...-76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json | 54 ++--- ...-77e30eee-fd48-40b4-99ec-73e97c158b58.json | 74 +++---- ...-7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3.json | 10 +- ...-786f488c-cb1f-4602-89c5-86d982ee326b.json | 114 +++++------ ...-789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json | 60 +++--- ...-79cb02f4-ac4e-4335-8b51-425c9573cce1.json | 52 ++--- ...-79eec66a-9bd0-4a3f-ac82-19159e94bd44.json | 64 +++--- ...-8197f026-64da-4700-93b9-b55ba55f3b31.json | 84 ++++---- ...-82f04b1e-5371-4a6f-be06-411f0f43b483.json | 72 +++---- ...-831e3269-da49-48ac-94dc-948008e8fd16.json | 17 +- ...-8605a0ec-b44a-4e98-a7fc-87d4bd3acb66.json | 50 ++--- ...-88932a8c-3a17-406f-9431-1da3ff19f6d6.json | 62 +++--- ...-89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json | 39 ++-- ...-8c7862ff-3449-4ac6-b0fd-ac1298a822a5.json | 62 +++--- ...-8e097ec5-1755-41d6-807c-3882442b818a.json | 58 ++++++ ...-8e27551a-5080-4148-a584-c64348212e4f.json | 62 +++--- ...-8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json | 72 +++---- ...-8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json | 29 +-- ...-939808a7-121d-467a-b028-4441ee8b7cee.json | 52 ++--- ...-948a447c-d783-4ba0-8516-a64140fcacd5.json | 52 ++--- ...-9558a84e-2d5e-4872-918e-d847494a8ffc.json | 52 
++--- ...-986f80f7-ff0e-4f48-87bd-0394814bbce5.json | 52 ++--- ...-99e6295e-741b-4857-b6e5-64989eb039b4.json | 60 +++--- ...-9c049d7b-c92a-4733-9381-27e2bd2ccadc.json | 50 ++--- ...-9d7c32f4-ab39-49dc-8055-8106bc2294a1.json | 84 ++++---- ...-9ef05e3d-52db-4c12-be4f-519214bbe91f.json | 60 +++--- ...-9ef14445-6f35-4ed0-a042-5024f13a9242.json | 2 +- ...-a0464539-e1b7-4455-a355-12495987c300.json | 82 ++++---- ...-a21a6a79-f9a1-4c87-aed9-ba2d79536881.json | 17 +- ...-a5de0540-73e7-4c67-96da-4143afedc7ed.json | 74 +++---- ...-a64a820a-cb21-471f-920c-506a2ff04fa5.json | 98 ++++------ ...-a8c31121-852b-46bd-9ba4-674ae5afe7ad.json | 60 +++--- ...-a8e971b8-8dc7-4514-8249-ae95427ec467.json | 52 ++--- ...-a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9.json | 52 ++--- ...-a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json | 100 +++++----- ...-a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json | 17 +- ...-a9fa0d30-a8ff-45bf-922e-7720da0b7922.json | 46 ++--- ...-ab7400b7-3476-4776-9545-ef3fa373de63.json | 50 ++--- ...-acf8fd2a-dc98-43b4-8d37-64e10728e591.json | 50 ++--- ...-b1c95426-2550-4621-8028-ceebf28b3a47.json | 60 +++--- ...-b327a9c0-e709-495c-aa6e-00b042136e2b.json | 50 ++--- ...-b332a960-3c04-495a-827f-f17a5daed3a6.json | 94 ++++----- ...-b3c2e5de-0941-4b57-ba61-af029eb5517a.json | 68 +++---- ...-b765efd1-02e6-4e67-aebf-0fef5c37e54b.json | 17 +- ...-b7c0e45f-0206-4f75-96e7-fe7edad3aaff.json | 60 +++--- ...-b928b94a-4966-4e2a-9e61-36505b896ebc.json | 17 +- ...-bb4387ab-7a51-468b-bf5f-a9a8612f0303.json | 58 +++--- ...-bd4d32f5-eed4-4018-a649-40b229dd1d69.json | 62 +++--- ...-be63612f-a48f-44f2-a7a6-1763509fcf80.json | 2 +- ...-c08366bb-8d11-4921-853f-f0a3b6a2a1da.json | 52 ++--- ...-c4b96c0b-cb58-497a-a1c2-bb447d79d692.json | 2 +- ...-c5089859-b21f-40a3-8be4-63e381b8b1c0.json | 84 ++++---- ...-c548d8c4-a0a3-4a24-bb79-2a84abbc7b36.json | 50 ++--- ...-c6421411-ae61-42bb-9098-73fddb315002.json | 46 ++--- ...-c6a146ae-9c63-4606-97ff-e261e76e8380.json | 52 ++--- 
...-c6e17ca2-08b5-4379-9786-89bd05241831.json | 50 ++--- ...-c91c304a-975d-4501-9789-0db1c57afd3f.json | 17 +- ...-cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json | 50 ++--- ...-ccde43e4-78f9-4f32-b401-c081e7db71ea.json | 52 ++--- ...-cde2cb84-455e-410c-8aa9-086f2788bcd2.json | 92 ++++----- ...-cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json | 52 ++--- ...-d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json | 52 ++--- ...-d1f1337e-aea7-454c-86bd-482a98ffaf62.json | 64 +++--- ...-d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json | 52 ++--- ...-d3bc5020-f6a2-41c0-8ccb-5e563101b60c.json | 46 ++--- ...-d446b9f0-06a9-4a8d-97ee-298cfee84f14.json | 50 ++--- ...-d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json | 2 +- ...-d731c21e-f27d-4756-b418-0e2aaabd6d63.json | 74 +++---- ...-d8940e76-f9c1-4912-bea6-e21c251370b6.json | 52 ++--- ...-d916f176-a1ca-4a78-9fdd-4058bc28162e.json | 52 ++--- ...-d9db3d46-66ca-44b4-9daa-1ef97cb7465a.json | 174 ++++++++--------- ...-d9e88203-2b5d-405f-a406-2933b1e3d7e4.json | 50 ++--- ...-dc01774a-d1c1-45fb-b506-0a5d1d6593d9.json | 2 +- ...-dd818ea5-adf5-41c7-93b5-f3b839a219fb.json | 56 +++--- ...-defc1257-4db1-4fb3-8ef5-bb77f63146df.json | 2 +- ...-dfafc230-5465-4993-8dc5-f51fa9fec002.json | 2 +- ...-dfe29258-ce59-421c-9dee-e85cb9fa90cd.json | 2 +- ...-e083305c-49e7-4c87-aae8-9689213bffbe.json | 54 ++--- ...-e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86.json | 52 ++--- ...-e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json | 64 +++--- ...-e2c2249a-eb82-4614-8dd4-9c514dde65e2.json | 50 ++--- ...-e2ea7f6b-8d4f-49c3-819d-660530d12b77.json | 78 ++++---- ...-e30cc912-7ea1-4683-9219-543b86cbdec9.json | 17 +- ...-e399430e-30b7-48c5-b70a-f44dc8c175cb.json | 112 +++++------ ...-e3b936a4-6321-4172-9114-038a866362ec.json | 58 +++--- ...-e422b6fa-4739-46b9-992e-82f1b350c780.json | 52 ++--- ...-e4c347e9-fb91-4bc5-83b8-391e389131e2.json | 52 ++--- ...-e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json | 54 ++--- ...-ea132c68-b518-4478-ae8d-1763cda26ee3.json | 2 +- ...-eb6cf439-1bcb-4d10-bc68-1eed844ed7b3.json | 52 ++--- 
...-ec4c4baa-026f-43e8-8f56-58c36f3162dd.json | 52 ++--- ...-ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json | 54 ++--- ...-ef771e03-e080-43b4-a619-ac6f84899884.json | 102 +++++----- ...-f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json | 2 +- ...-f1c3d071-0c24-483d-aca0-e8b8496ce468.json | 82 ++++---- ...-f296fc9c-2ff5-43ee-941e-6b49c438270a.json | 17 +- ...-f58cd69a-e548-478b-9248-8a9af881dc34.json | 74 +++---- ...-f856eaab-e84a-4265-a8a2-7bf37e5dc2fc.json | 52 ++--- ...-f981d199-2720-467e-9dc9-eea04dbe05cf.json | 54 ++--- ...-f9e4f526-ac9d-4df5-8949-833a82a1d2df.json | 17 +- ...-fa801609-ca8e-415e-815e-65f3826ff4df.json | 56 +++--- ...-fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json | 124 ++++++------ ...-fc53309d-ebd5-4573-9242-57024ebdad4f.json | 50 ++--- ...-fcb11f06-ce0e-490b-bcc1-04a1623579f0.json | 52 ++--- ...-fd211238-f767-4599-8c0d-9dca36624626.json | 52 ++--- ...-fd339382-bfec-4bf0-8d47-1caedc9e7e57.json | 52 ++--- ...-fd658820-cbba-4c95-8ac9-0fac6b1099e2.json | 82 ++++---- ...-4603cf2f-06d0-4970-9c5d-5071b08c817f.json | 2 +- ...-a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4.json | 2 +- ...-d0695b5f-b761-49e0-b3e3-2e5307f8def3.json | 46 +++++ ...-0beabf44-e8d8-4ae4-9122-ef56369a2564.json | 21 +- ...-1553b156-6767-47f7-9eb4-2a692505666d.json | 42 ++-- ...-25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json | 8 +- ...-649f7268-4c12-483b-ac84-4b7bca9fe2ee.json | 21 +- ...-653492e3-27be-4a0e-b08c-938dd2b7e0e1.json | 25 +-- ...-76a32151-5233-465f-a607-7e576c62c932.json | 2 +- ...-78671282-26aa-486c-a7a5-5921e1616b58.json | 24 +-- ...-7b1cf46f-784b-405a-a8dd-4624c19d8321.json | 21 +- ...-8220b57e-c400-4525-bf69-f8edc6b389a8.json | 21 +- ...-8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json | 21 +- ...-bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json | 25 +-- ...-cf2cccb1-cab8-431a-8ecf-f7874d05f433.json | 21 +- ...-e829ee51-1caf-4665-ba15-7f8979634124.json | 22 +-- ...-e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json | 42 ++-- ...-ff4821f6-5afb-481b-8c0f-26c28c0d666c.json | 25 +-- 
...-c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json | 16 +- ...-049cef3b-22d5-4be6-b50c-9839c7a34fdd.json | 35 ++-- ...-18854f55-ac7c-4634-bd9a-352dd07613b7.json | 91 +++++++++ ...-1f322d74-4822-4d60-8f64-414eea8a9258.json | 2 +- ...-381fcf73-60f6-4ab2-9991-6af3cbc35192.json | 6 +- ...-44d37b89-a739-4810-9111-0d2617a8939b.json | 2 +- ...-6eded342-33e5-4451-b6b2-e1c62863129f.json | 24 +-- ...-7251b44b-6072-476c-b8d9-a6e32c355b28.json | 22 +-- ...-7f848c02-4d1e-4808-a4ae-4670681370a9.json | 2 +- ...-8332952e-b86b-486b-acc3-1c2a85d39394.json | 8 +- ...-8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json | 2 +- ...-afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json | 45 +++-- ...-bef4c620-0787-42a8-a96d-b7eb6e85917c.json | 26 ++- ...-cc613a49-9bfa-4e22-98d1-15ffbb03f034.json | 2 +- ...-d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7.json | 74 +++++++ ...-efed95ba-d7e8-47ff-8c53-99c42426ee7c.json | 2 +- ...-007ebf84-4e14-44c7-a5aa-151d5de85320.json | 54 ++--- ...-037f44f0-0c07-4c7f-b40e-0325b5b228a9.json | 54 ++--- ...-05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json | 60 +++--- ...-0626c181-93cb-4860-9cb0-dff3b1c13063.json | 54 ++--- ...-085eb36d-697d-4d9a-bac3-96eb879fe73c.json | 38 ++-- ...-08784a9d-09e9-4dce-a839-9612398214e8.json | 28 +-- ...-0b9c5d11-651a-4378-b129-5c584d0242c5.json | 42 ++-- ...-0ec9593f-3221-49b1-b597-37f307c19f13.json | 2 +- ...-108b2817-bc01-404e-8e1b-8cdeec846326.json | 46 ++--- ...-1393fb21-d09f-4ce8-96cf-1bcc9881765f.json | 48 +++++ ...-15d78a95-af6a-4b06-8dae-76bedb0ec5a1.json | 2 +- ...-172444ab-97fc-4d94-b142-179452bfb760.json | 28 +-- ...-2074b2ad-612e-4758-adce-7901c1b49bbc.json | 28 +-- ...-20d56cd6-8dff-4871-9889-d32d254816de.json | 40 ++-- ...-20dbaf05-59b8-4dc6-8777-0b17f4553a23.json | 38 ++-- ...-21170624-89db-4e99-bf27-58d26be07c3a.json | 54 ++--- ...-21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json | 54 ++--- ...-22b596a6-d288-4409-8520-5f2846f85514.json | 54 ++--- ...-22faaa56-a8ac-4292-9be6-b571b255ee40.json | 54 ++--- ...-23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json | 28 +-- 
...-24c8f6db-71e0-41ef-a1dc-83399a5b17e5.json | 6 +- ...-2740eaf6-2db2-4a40-a63f-f5b166c7059c.json | 38 ++-- ...-28e39395-91e7-4f02-b694-5e079c964da9.json | 28 +-- ...-29944858-da52-4d3d-b428-f8a6eb8dde6f.json | 54 ++--- ...-2aec175b-4429-4048-8e09-3ef6cbecfc64.json | 34 ++-- ...-2cf00c5a-857d-4cb6-8f03-82f15bee0f6f.json | 44 ++--- ...-3049b2f2-e323-4cdb-91cb-13b37b904cbb.json | 36 ++-- ...-317a2c10-d489-431e-b6b2-f0251fddc88e.json | 38 ++-- ...-326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json | 28 +-- ...-3271c107-92c4-442e-9506-e76d62230ee8.json | 60 +++--- ...-33d9d91d-aad9-49d5-a516-220ce101ac8a.json | 2 +- ...-35aae10a-97c5-471a-9c67-02c231a7a31a.json | 38 ++-- ...-363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json | 38 ++-- ...-366c800f-97a8-48d5-b0a6-79d00198252a.json | 52 ++--- ...-3a913bac-4fae-4d0e-bca8-cae452f1599b.json | 38 ++-- ...-3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json | 28 +-- ...-3c3b55a6-c3e9-4043-8aae-283fe96220c0.json | 28 +-- ...-3d6c4389-3489-40a3-beda-c56e650b6f68.json | 54 ++--- ...-41e3fd01-7b83-471f-835d-d2b1dc9a770c.json | 38 ++-- ...-429e1526-6293-495b-8808-af7f9a66c4be.json | 2 +- ...-4b53eb01-57d7-47b4-b078-22766b002b36.json | 34 ++-- ...-4bf6ba32-4165-42c1-b911-9c36165891c8.json | 38 ++-- ...-507fe748-5e4a-4b45-9e9f-8b1115f4e878.json | 28 +-- ...-52c994fa-b6c8-45a8-9586-a4275cf19307.json | 56 +++--- ...-55714f87-6178-4b89-b3e5-d3a643f647ca.json | 2 +- ...-56660521-6db4-4e5a-a927-464f22954b7c.json | 28 +-- ...-5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json | 54 ++--- ...-5aff44ab-5a41-49bb-b5d1-b4876d0437f4.json | 2 +- ...-5b5d1e6c-e7de-4b46-ab8f-8556e8745927.json | 56 ++++++ ...-5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json | 28 +-- ...-6146be90-470c-4049-bb3a-9986b8ffb65b.json | 54 ++--- ...-6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json | 28 +-- ...-680f680c-eef9-4f8a-b5f5-f451bf47e403.json | 2 +- ...-68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json | 34 ++-- ...-6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json | 54 ++--- ...-6e282bbf-5f32-476a-b879-ba77eec463c8.json | 54 
++--- ...-6fcaf9b0-b509-4644-9f93-556222c81ed2.json | 54 ++--- ...-8338393c-cb2e-4ee6-b944-34672499c785.json | 2 +- ...-838f647e-8ff8-48bd-bbd5-613cee7736cb.json | 54 ++--- ...-86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json | 38 ++-- ...-89c3dbf6-f281-41b7-be1d-a0e641014853.json | 50 ++--- ...-936be60d-90eb-4c36-9247-4b31128432c4.json | 28 +-- ...-93799a9d-3537-43d8-b6f4-17215de1657c.json | 40 ++-- ...-95811c0a-abe0-4e7f-a0cc-b0662ced5807.json | 61 ++++++ ...-96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json | 60 +++--- ...-9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json | 54 ++--- ...-9cd72f5c-bec0-4f7e-bb6d-296937116291.json | 34 ++-- ...-9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json | 22 ++- ...-a0d774e4-bafc-4292-8651-3ec899391341.json | 54 ++--- ...-a15c9357-2be0-4836-beec-594f28b9b4a9.json | 36 ++-- ...-a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json | 28 +-- ...-a2ee7d2d-fb45-44f3-8f67-9921c7810db1.json | 2 +- ...-a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json | 2 +- ...-a3dad2be-ce62-4440-953b-00fbce7aba93.json | 8 +- ...-a5528622-3a8a-4633-86ce-8cdaf8423858.json | 2 +- ...-a6228601-03f6-4949-ae22-c1087627a637.json | 54 ++--- ...-a76b837b-93cc-417d-bf28-c47a6a284fa4.json | 50 ++--- ...-a993495c-9813-4372-b9ec-d168c7f7ec0a.json | 54 ++--- ...-aecc0097-c9f8-4786-9b39-e891ff173f54.json | 54 ++--- ...-aef537ba-10c2-40ed-a57a-80b8508aada4.json | 54 ++--- ...-b0a243dd-8075-42f9-86f6-64989600ed20.json | 48 +++++ ...-c0efbaae-9e7d-4716-a92d-68373aac7424.json | 54 ++--- ...-c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json | 54 ++--- ...-c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json | 48 ++--- ...-c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json | 42 ++-- ...-c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json | 54 ++--- ...-c709da93-20c3-4d17-ab68-48cba76b2137.json | 28 +-- ...-c80a6bef-b3ce-44d0-b113-946e93124898.json | 28 +-- ...-c8770c81-c29f-40d2-a140-38544206b2b4.json | 28 +-- ...-c91cec55-634c-4670-ba10-2dc7ceb28e98.json | 2 +- ...-ca4f63b9-a358-4214-bb26-8c912318cfde.json | 28 +-- 
...-cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4.json | 51 +++++ ...-d05f7357-4cbe-47ea-bf83-b8604226d533.json | 38 ++-- ...-d1c600f8-0fb6-4367-921b-85b71947d950.json | 38 ++-- ...-d6e009b7-df5e-447a-bfd2-d5b77374edfe.json | 10 +- ...-d89c132d-7752-4c7f-9372-954a71522985.json | 28 +-- ...-d9e07aea-baad-4b68-bdca-90c77647d7f9.json | 28 +-- ...-ddbe5657-e21e-4a89-8221-2f1362d397ec.json | 54 ++--- ...-dfdac962-9461-47f0-a212-36dfce2a97e6.json | 54 ++--- ...-e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json | 34 ++-- ...-e13d084c-382f-40fd-aa9a-98d69e20301e.json | 68 +++---- ...-e296b110-46d3-4f7a-894c-cc71ea50168c.json | 54 ++--- ...-ec13d292-6d8d-4c7a-b07c-a2bd2402569a.json | 2 +- ...-f082d7dd-20a9-4157-93c0-75e7aea09e42.json | 48 +++++ ...-f082fc59-0317-49cf-971f-a1b6296ebb52.json | 54 ++--- ...-f3975cc0-72bc-4308-836e-ac701b83860e.json | 54 ++--- ...-f5ff006c-702f-4ded-8e60-ca6c540d91bc.json | 15 +- ...-f666e17c-b290-43b3-8947-b96bd5148fbb.json | 54 ++--- ...-f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json | 28 +-- ...-f79c01eb-2954-40d8-a819-00b342f47ce7.json | 54 ++--- ...-f7e7b736-2cff-4c2a-9232-352cd383463a.json | 54 ++--- ...-f97e2718-af50-41df-811f-215ebab45691.json | 8 +- ...-f9854ba6-989d-43bf-828b-7240b8a65291.json | 2 +- ...-fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json | 36 ++-- ...-feae299d-e34f-4fc9-8545-486d0905bd41.json | 2 +- ...-ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json | 28 +-- ...-ff8e0c38-be47-410f-a2d3-a3d24a87c617.json | 54 ++--- ...-fa42a846-8d90-4e51-bc29-71d5b4802168.json | 7 +- mobile-attack/mobile-attack.json | 2 +- ...-0008005f-ca51-47c3-8369-55ee5de1c65a.json | 9 +- ...-006b3910-e9c3-4de8-ba49-dff36b1a3308.json | 9 +- ...-00dc2b34-1b74-4dae-b6e4-b676528d6341.json | 20 +- ...-0100020b-97d4-4657-bc71-c6a1774055a6.json | 9 +- ...-01563962-2ccb-4bbc-8ef7-512a950ea47c.json | 32 +++ ...-01965668-d033-4aca-a8e5-71a07070e266.json | 16 +- ...-01fd0686-d67f-4396-8812-3533063dd6b4.json | 11 +- ...-020a1aaa-a444-4f3c-a08b-f1369be276f2.json | 20 +- 
...-020f79c6-d5f8-49eb-beee-e716e1fa4e80.json | 20 +- ...-021ca5c4-7e8a-439b-8c2e-38f817db63e3.json | 9 +- ...-022e941f-30c3-45a9-9f6f-36e704b80060.json | 9 +- ...-024f9ee4-cb7d-49f4-b180-ad1e5e168a4c.json | 21 +- ...-027a36dc-cd9e-4282-b101-b9a0abbb312f.json | 20 +- ...-0291c9d5-8977-420d-8374-b786e3095a73.json | 9 +- ...-02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json | 16 +- ...-02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json | 9 +- ...-02e4aedc-0674-4598-948b-0a32758af9ca.json | 19 +- ...-03038590-e0c3-4751-b6fb-8a9ffff27e1b.json | 20 +- ...-03172b09-4f97-4fb8-95f0-92b2d8957408.json | 25 ++- ...-0330db55-06e0-45a2-85a6-17617a37fdaf.json | 19 +- ...-035192e3-94f4-426d-9be9-312ddd1ce6a8.json | 9 +- ...-035bdf9a-dc4c-403a-b5c4-9b9b42675122.json | 32 +++ ...-03ff6271-d7bc-40f3-b83d-25c541333694.json | 16 +- ...-042a4f26-612e-4ed5-b7f3-911a47ec5d71.json | 25 ++- ...-04530307-22d8-4a06-9056-55eea225fabb.json | 20 +- ...-046acda0-91de-4385-bcfb-157570d8e51d.json | 9 +- ...-049a5149-00c9-492a-8ffb-463f3d0cd910.json | 29 ++- ...-049b0c71-63e3-47ce-bb0b-149df0344b15.json | 9 +- ...-049c39ab-c036-457a-9b8f-4318416658b8.json | 21 +- ...-04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json | 19 +- ...-04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json | 9 +- ...-04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json | 20 +- ...-05243ccb-0aeb-4db4-bb03-51a65fb715ab.json | 25 ++- ...-05563777-5771-4bd6-a1af-3e244cf42372.json | 16 +- ...-0569a1e0-1eb5-4e87-ae09-b698571012ef.json | 9 +- ...-05c36a8c-1526-4d5d-93c1-331fd132c30b.json | 11 +- ...-05c57e75-04b8-4bf6-8022-2e89f74e4b76.json | 9 +- ...-06348e22-9a06-4e4c-a57c-e438462e7fce.json | 20 +- ...-06869cb8-7384-4d85-aa0a-78256133c88d.json | 37 ++++ ...-068c3d23-8aa2-48e9-acb3-c72651c94f0b.json | 9 +- ...-069b2328-442b-491e-962d-d3fe01f0549e.json | 25 ++- ...-06e2e07f-7835-4ef8-bcc0-bb5e2886839d.json | 11 +- ...-07036963-6f5e-4eb5-9b20-3f81dd582c85.json | 20 +- ...-0727ac06-5b46-4f79-abe9-63c1b923d383.json | 9 +- ...-076d8c54-e6f6-47c4-9f61-52964d4f1c35.json | 9 +- 
...-078653a6-3613-4923-ae5a-1bccb8552e67.json | 20 +- ...-0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json | 16 +- ...-079911c5-0db9-4eb2-ab85-6ed6e118fbbc.json | 19 +- ...-07c727a6-6323-477a-bb55-34e130959b4e.json | 7 +- ...-07dd3318-2965-4085-be64-a8e956c7b8da.json | 20 +- ...-07fd2c39-c3e2-4044-b00b-71250cd7df2e.json | 19 +- ...-0800f6bf-00c5-46d8-b876-1eeeb81b741f.json | 9 +- ...-082c3bd7-6088-4364-ae75-0eb45a635583.json | 32 +++ ...-084786ee-9384-4a00-9e1b-48f94ea70126.json | 13 +- ...-085f8397-0233-42d7-855e-3dbd709f2eca.json | 9 +- ...-086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json | 9 +- ...-087609b6-cc6c-402f-ada9-00dbcbfecbe8.json | 33 ++-- ...-088c74f5-4b43-48aa-a2be-275f0c02ffc8.json | 11 +- ...-0891421a-8476-4d37-b274-645b90f139c7.json | 9 +- ...-08a43019-d393-451f-a23c-2dfa17ec40b2.json | 13 +- ...-08c81253-975c-4780-8e85-c72bc6a90c88.json | 25 ++- ...-08f1a4b1-96c9-44c2-bc5b-5a779541213b.json | 9 +- ...-09059576-658b-4944-9f7b-df003319fdaa.json | 11 +- ...-094f56d7-1a7d-4937-ac1a-d2337626feaa.json | 32 +++ ...-0972d3cf-717e-4ed2-a89d-9cbe61081956.json | 9 +- ...-0993769f-63fb-4720-bbcf-e6f37f71515e.json | 20 +- ...-09ad7d9f-d618-46c2-a9f3-e4a943245a72.json | 11 +- ...-09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json | 19 +- ...-09c6bbd4-9058-4657-9d8e-656439637ac6.json | 9 +- ...-09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json | 9 +- ...-0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json | 16 +- ...-0a2e4b01-e78f-4c05-b157-c6714d34fddb.json | 20 +- ...-0a610208-06af-425f-a9af-cd0899261e33.json | 20 +- ...-0a737289-c62d-4c0a-a857-6d116f774864.json | 20 +- ...-0ae94053-1963-45ba-a3a9-62e508281c8e.json | 9 +- ...-0b1aae4b-4dcd-41b6-a708-1441e5a24070.json | 25 ++- ...-0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json | 25 ++- ...-0b1f2735-97d9-4f4a-9967-9fa1464bb651.json | 11 +- ...-0b531974-1a28-4f16-ba34-1f7c8371b6b2.json | 9 +- ...-0b5bfa77-51b4-41b4-ae03-88b585d143c1.json | 20 +- ...-0b693e45-cc20-45a9-846f-2f5f4d3a3253.json | 20 +- ...-0bb6f851-4302-4936-a98e-d23feecb234d.json | 20 +- 
...-0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json | 9 +- ...-0bc73d69-e769-4d0f-9d44-368c94225b6e.json | 9 +- ...-0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad.json | 9 +- ...-0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db.json | 20 +- ...-0c077d44-1c79-473c-8623-d6267ab47f34.json | 32 +++ ...-0c417238-738d-4bda-8359-d37d39414ebe.json | 11 +- ...-0c49a6e0-9837-424d-877b-4e232f5fe250.json | 9 +- ...-0c558826-5cea-422e-8e67-83e53c04d409.json | 25 ++- ...-0cabc5f9-045e-490c-a97f-efe00dbade86.json | 20 +- ...-0cae6859-d7d1-483b-b473-4f32084938a9.json | 16 +- ...-0cd58f68-2c93-4ecc-a7fb-b4aad483d14a.json | 32 +++ ...-0ce5bf43-39e1-4afb-a939-1984cc2d235c.json | 19 +- ...-0cf39d51-2d80-4576-b088-e787b113513e.json | 9 +- ...-0cfbea52-d6ab-467f-97e5-8c74b332b16f.json | 9 +- ...-0d12ee41-9ac0-4083-bc28-6568be4b9d5b.json | 9 +- ...-0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a.json | 20 +- ...-0d305e1e-df8f-4028-bf6f-1d7fed9e6184.json | 19 +- ...-0d58e937-7e0f-4e1e-8c17-bab3906d7c43.json | 32 +++ ...-0d82a9ed-4184-4f95-99f4-5ee467fe6594.json | 19 +- ...-0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50.json | 42 ++++ ...-0e8607f6-daab-44df-b167-105403a4ef41.json | 9 +- ...-0e9968b7-ad1e-440d-9fe3-2599a1571f39.json | 9 +- ...-0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1.json | 9 +- ...-0ef4845d-994e-4f0d-9eed-7cf600fc03b4.json | 20 +- ...-0efe4125-504f-4eea-b19f-a44c81ee31dd.json | 25 ++- ...-0f116d99-9ce4-4790-aeda-ad9199d8bf7b.json | 9 +- ...-0f70bdf1-a6a7-406c-a4c0-cee509ff8369.json | 9 +- ...-0f7e7c29-43f0-4aff-ae83-dfff331915ef.json | 16 +- ...-0f949bc5-9f6a-4ec8-a29a-87e309aa08a2.json | 9 +- ...-0fd34764-8a5d-43da-9bdf-5a0b7e436936.json | 25 ++- ...-10560632-6449-4579-90eb-20fc46dcca08.json | 9 +- ...-10c07066-df05-4dff-bb95-c76be02ea4ef.json | 9 +- ...-10e02179-0434-4d4b-86b4-5d9fbc5d5451.json | 22 ++- ...-11113fa5-150e-4574-89fc-5db66479e268.json | 11 +- ...-112966ab-6e28-482b-8bea-ed9f4ed17064.json | 11 +- ...-114f4334-16f4-402e-981a-902b2c9be6fb.json | 11 +- ...-117a7e1e-d5dc-451d-ab79-f29bdfec40ae.json | 7 +- 
...-119b848b-84b4-4f86-a265-0c9eb8680072.json | 25 ++- ...-11a1da8f-f0db-4abe-88bb-1ab06f271f3f.json | 7 +- ...-11a992e7-83a3-4dc3-b391-fbd79e518943.json | 11 +- ...-11b20d60-6bec-4ce4-b02f-38ec276b3c9a.json | 32 +++ ...-11e30c59-c1bf-4354-9255-a6eb67d7a79e.json | 32 +++ ...-12098dee-27b3-4d0b-a15a-6b5955ba8879.json | 20 +- ...-1218ed50-bd44-4f37-baba-1aae998b5a1f.json | 9 +- ...-122ffed0-5f5a-4588-88a4-16924db24e9e.json | 32 +++ ...-1250f91c-723d-4b4c-afea-b3a71101951f.json | 20 +- ...-127e6672-d16a-4370-b277-4d04874a4cfe.json | 9 +- ...-1284ba4a-c48c-4533-ac35-664828616ee3.json | 11 +- ...-1284f6fe-d352-415c-9479-82141524380a.json | 19 +- ...-12852406-87df-4892-a177-e15e81739000.json | 9 +- ...-12d14048-793c-456c-a2b8-d812de547ca7.json | 11 +- ...-12d61e7d-7fa6-422d-9817-901decf6b650.json | 25 ++- ...-12de5aeb-9427-4665-81a0-257c76d6f188.json | 11 +- ...-12df8ac7-06a4-4389-8d86-d354c4536e28.json | 47 +++++ ...-13078a96-2cda-4d0b-99f8-693a65a4b63d.json | 25 ++- ...-1317fb3d-ded3-4b84-8007-147f3b02948a.json | 21 +- ...-1329a866-0f6b-4660-b537-a6d208352502.json | 9 +- ...-1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd.json | 11 +- ...-1348c744-3127-4a55-a5b4-2f439f41e941.json | 9 +- ...-13495d9c-6877-4bc9-888a-7d92362bcb40.json | 9 +- ...-13518e48-bb32-4ee3-9cd0-e5f367a2fb2d.json | 21 +- ...-13aba849-5004-4457-9f3b-49e470b589e0.json | 9 +- ...-13e69c40-1511-4fac-b4c3-d31fc4b6c579.json | 11 +- ...-13efc415-5e17-4a16-81c2-64e74815907f.json | 25 ++- ...-14143e21-51bf-4fa7-a949-d22a8271f590.json | 20 +- ...-1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c.json | 19 +- ...-142532a6-bf7c-4b25-be23-16f01160f3c5.json | 20 +- ...-143833fb-8034-4e75-a030-d8e47f9bebef.json | 9 +- ...-14474366-938a-4359-bf24-e2c718adfaf5.json | 20 +- ...-146275c0-b6dd-4700-bded-bc361a67d023.json | 20 +- ...-147d82a6-a61a-41d0-8eef-b6193bdd92d6.json | 19 +- ...-148703c5-6d07-439c-a4ff-d77119c70857.json | 9 +- ...-15065492-1aef-4cf8-af3c-cc763eee5daf.json | 9 +- ...-1508c120-06fa-4da2-8fcd-7fdc133228fa.json | 32 +++ 
...-15706c6d-803b-4857-9fcb-ce9af2c9d73b.json | 42 ++++ ...-15772932-8a5c-4616-9fea-b2bd1ecace4b.json | 47 +++++ ...-1577a79c-5f70-41cc-95bd-2407cfd1acbd.json | 20 +- ...-158f71f5-e24a-4c5b-95d9-6f7e03257052.json | 9 +- ...-15d83ba8-be89-4151-9c6e-35d14df4fa80.json | 19 +- ...-15eccf44-e528-41fb-9cb8-834c8c0ca9d9.json | 20 +- ...-1687c7a0-a453-4737-a10d-c57b94d5a458.json | 37 ++++ ...-16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d.json | 20 +- ...-16d969ca-59ae-4c87-888f-fa231ad863d1.json | 9 +- ...-17141729-226d-40d4-928d-ffbd2eed7d11.json | 19 +- ...-173c0c41-c7e3-48e9-b785-d9e0232d85ca.json | 9 +- ...-17558571-7352-470b-b728-0511fb3f699d.json | 16 +- ...-17697784-f6e0-4062-adaa-7779e44e2d62.json | 11 +- ...-17adf4c2-e278-41fc-9183-cda5c8b74de7.json | 19 +- ...-17e94f34-e367-491c-9f9f-79294e124b4f.json | 9 +- ...-18186ee9-0ae4-405c-bf73-4d9ca1689744.json | 52 +++++ ...-1822e616-ae33-487c-8aa6-4fa81e724184.json | 9 +- ...-185764e3-b559-4a65-818e-1cad4db6d105.json | 11 +- ...-188c09ee-ca3b-4bac-ad69-36489c50b5bd.json | 19 +- ...-18905da3-a92e-4b1b-ae5c-1de1e4d35495.json | 11 +- ...-18a6020d-8fea-4a6e-84ab-a18343f2acea.json | 25 ++- ...-18afa4ad-4fd7-47ad-acdb-3b298b640d3c.json | 9 +- ...-18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c.json | 9 +- ...-1987b242-c868-40b2-993d-9dbeea311d4b.json | 19 +- ...-198b99e6-3954-4c93-90bc-4227b45270a4.json | 11 +- ...-19b95b83-bac0-455f-882f-0209abddb76f.json | 19 +- ...-19df76ee-fa85-43cf-96ce-422d46f29a13.json | 9 +- ...-19f220fd-94e8-4c8f-971d-ad37d7eeee80.json | 19 +- ...-1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd.json | 9 +- ...-1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e.json | 9 +- ...-1b633efc-762f-47f9-96c3-d08ba92e0e3e.json | 19 +- ...-1b6d332b-0ced-4bf1-b212-f1fccc850bee.json | 25 +++ ...-1b7be26d-cb1d-497b-94bf-a34f11ed66c9.json | 20 +- ...-1b9b145c-ce80-4d0e-99f2-d756b806745b.json | 11 +- ...-1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e.json | 25 ++- ...-1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a.json | 11 +- ...-1c180c0e-c789-4176-b568-789ada9487bb.json | 20 
+- ...-1c42ee3a-c400-4de6-84aa-b254422af7b9.json | 25 ++- ...-1c67b72f-7389-4c21-9347-2b1bba07aaaf.json | 9 +- ...-1c7d2d48-ea9a-448f-891f-66f635c95f73.json | 20 +- ...-1cc71849-142f-4097-9546-7946b0b546a6.json | 9 +- ...-1cca5e17-80ae-4b6e-8919-2768153aa966.json | 25 ++- ...-1d027925-7d63-459c-b5a5-48ffb49ba1de.json | 9 +- ...-1d2daf8f-ce51-47b5-b985-63ae4edfad4b.json | 9 +- ...-1d828f51-1c04-466c-beaf-2d4de741a544.json | 9 +- ...-1db350b2-1e8b-4d58-9086-eac41de1b110.json | 19 +- ...-1e286a4a-63cd-47df-a034-11a5d92daceb.json | 19 +- ...-1e29a9ce-ed11-44ae-b66e-8b90ee79de6a.json | 9 +- ...-1e822ff0-b1e1-4d80-b1a2-956919511809.json | 9 +- ...-1ed5b4fa-b871-4efa-87ee-1c91dcaa421e.json | 22 ++- ...-1f027bab-76d9-4f5f-a73e-ea733a1ab223.json | 20 +- ...-1f31e348-a4ee-4874-891f-393c65a7640a.json | 11 +- ...-1f32e107-aef9-42f8-84d1-4c4fcd863b7f.json | 9 +- ...-1f44936e-b84c-404f-a92e-6fb7e24b5435.json | 25 ++- ...-1f7428d7-6f6e-40d0-aedb-cb0578875ff9.json | 9 +- ...-1f7b7de2-10e8-4eec-9c8f-db44ac3f271b.json | 9 +- ...-1f8b1ee1-e44b-4a37-a407-5cbceba35d87.json | 20 +- ...-1f8f0021-6992-476c-ba1c-232542dc1633.json | 9 +- ...-1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd.json | 9 +- ...-1fdf9c43-0237-461f-86d4-1da843078744.json | 11 +- ...-20310407-9b05-4d7b-9548-961f545e14e1.json | 11 +- ...-20376a7f-897a-4f5d-a87a-93e64200a5a6.json | 20 +- ...-204e30ed-5e69-400b-a814-b77e10596865.json | 19 +- ...-2065382f-45ae-4b9a-a77c-027ecd6c1735.json | 9 +- ...-209aa948-393c-46b0-9488-ef93a6252438.json | 19 +- ...-20aaafe2-1f55-410f-9eb1-1fc979021fe0.json | 9 +- ...-20dcd886-56c4-421d-ba36-0f37a47a3f86.json | 19 +- ...-20e8cf98-b5c1-4ad8-bdba-a9bad0344bef.json | 32 +++ ...-2115228b-c61a-4ebb-829a-df7355635fbf.json | 9 +- ...-212801c2-5d14-4381-b25a-340cda11a5ac.json | 25 ++- ...-2167de58-8453-4ac3-977d-30a2b3526818.json | 32 +++ ...-21ab4328-7908-4fef-9636-d4d162e4a0cf.json | 11 +- ...-21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9.json | 9 +- ...-22041a01-75e7-4ff6-8768-ad45188c53c7.json | 9 +- 
...-22290cce-856a-46d5-9589-699f5dfc1429.json | 16 +- ...-22334426-e99f-4e97-b4dd-17e297da4118.json | 9 +- ...-22512e29-4524-45d3-88b7-d9ca764f7b3d.json | 42 ++++ ...-22708018-defd-4690-8b0f-fe47e11cb5d6.json | 20 +- ...-2270d987-4698-4b59-9186-3d7637cf6599.json | 32 +++ ...-22755928-b0e1-4004-a89e-5f5ea2504cf8.json | 11 +- ...-22773074-4a95-48e0-905f-688ce048b5ed.json | 9 +- ...-22e90a62-3f31-4190-98ee-eabede72eb07.json | 37 ++++ ...-22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6.json | 20 +- ...-22f5308c-77ee-4198-be1c-54062aa6a613.json | 9 +- ...-2341fdfa-9699-4798-a35a-2cc4f150cd14.json | 20 +- ...-23522416-9493-4960-8408-f7befae7be60.json | 11 +- ...-2359ad4b-b00b-4fd5-aef8-2d2be8bcf081.json | 13 +- ...-23a67f24-a8eb-4e31-acf1-11cb5e9f88b2.json | 9 +- ...-23cac1d7-27ca-4c78-bfa0-2d6023d21798.json | 20 +- ...-23ecc134-0623-45ec-b8b5-52516483bda1.json | 11 +- ...-23fa0fcc-0193-45f2-9e0b-a5f68380015f.json | 19 +- ...-242dc659-c205-4e9e-95f9-14fee66195af.json | 19 +- ...-243bafe0-206c-4a17-94a6-4ff0492ebc7a.json | 42 ++++ ...-24951cfe-d3ce-4802-86ff-028fc9cbbe53.json | 20 +- ...-24a7379e-a994-411b-b17c-add6c6c6fc07.json | 20 +- ...-24bcb2cd-1532-4e98-a485-a55e06d2577d.json | 21 +- ...-24de6f6e-86d3-4e4e-a965-3e0435205f48.json | 9 +- ...-25466097-53c6-4dc7-8409-197758e88673.json | 11 +- ...-25655385-5b0d-4700-a59f-d5d043625b84.json | 9 +- ...-257f4f86-950f-4f5a-b38c-0de85753d2d3.json | 11 +- ...-25cdb4f2-5b38-411c-bfb6-eca7ea4d4527.json | 9 +- ...-25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3.json | 11 +- ...-2621a020-8d4f-4ca4-b874-0be336a8cafd.json | 9 +- ...-268c12df-d3bc-46fa-99e9-32caab50b175.json | 19 +- ...-268c2962-a557-4782-a40b-eef430c87740.json | 32 +++ ...-269d4409-e287-4ef3-b5f3-765ec03e503e.json | 9 +- ...-26b1025b-5c08-4b6e-8c50-7d2baf29e7b7.json | 19 +- ...-26bf27dc-f65d-477d-abbd-f4c3ce475c51.json | 17 +- ...-26c2626b-92a0-4798-b9f3-00abf12a817b.json | 32 +++ ...-27050442-e578-44b7-9534-ada78824befe.json | 11 +- ...-271a311f-71bc-4558-a314-0edfbec44b64.json | 20 +- 
...-27247071-356b-4b5f-bc8f-6436a3fec095.json | 16 +- ...-27490b14-8044-408a-8c6a-6d8427eb78ff.json | 9 +- ...-276bfd69-33cc-4665-8aa7-72bed65d01f9.json | 9 +- ...-2793d721-df10-4621-8387-f3342def59a1.json | 19 +- ...-279b016a-45c8-4961-88fa-48162e56c3fa.json | 13 +- ...-27b8153c-130e-44a7-84a9-840f4c23e2ea.json | 20 +- ...-27c8d474-f3f8-4a0e-a317-7e57b9de620c.json | 20 +- ...-27f5dc22-6ab9-406f-9092-6cb610d777a6.json | 19 +- ...-280aa15d-c7ff-4005-9861-9fc5c3bfe95a.json | 9 +- ...-2836dc3d-cbea-493b-af31-5f1fa8279ec2.json | 9 +- ...-289f5e23-088a-4840-a2a6-bab30da2a64b.json | 25 ++- ...-2908f0f6-2408-41a1-aaab-cf3e7db06aad.json | 9 +- ...-290a627d-172d-494d-a0cc-685f480a1034.json | 9 +- ...-290c9d3f-f59b-4e2b-9b7b-115014845c15.json | 16 +- ...-29357289-362c-447c-b387-9a38b50d7296.json | 29 ++- ...-295fab07-9f02-4504-9ae4-1a60c2e8c224.json | 20 +- ...-299931f0-4c60-4a9b-8a6a-4adb6362e590.json | 9 +- ...-29dc105c-0b1b-4645-85ef-436c096bd3e2.json | 9 +- ...-2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce.json | 20 +- ...-2a472430-c30e-4877-8933-2e75f1de9a01.json | 19 +- ...-2a5d081f-ba41-4dbe-873b-34b0efee1d92.json | 11 +- ...-2a5f4f05-bd60-4571-bcce-f3b764a5b5a0.json | 16 +- ...-2ac32eb8-ff7e-468a-8bbd-f5af82e0102a.json | 47 +++++ ...-2acc0c1a-af30-4410-976b-31148df5378d.json | 19 +- ...-2ae97bcd-0481-415c-8337-12d3a30e6911.json | 15 +- ...-2af26be3-f910-4700-ab14-9d14532601cc.json | 9 +- ...-2b065fcf-7ed1-4f88-8910-2eb46bde9ab7.json | 13 +- ...-2b0f4c1d-8d99-4e80-8555-d9a454d5cab7.json | 9 +- ...-2b9a3dc1-5842-458a-97ed-3a1339d10c22.json | 15 +- ...-2bbd620d-6deb-4f81-a95b-98a7a74878e9.json | 9 +- ...-2be3d0a4-2e24-4d04-859e-37d24835ff16.json | 20 +- ...-2bedbf86-2ef0-45bf-950d-b9d072c03bdc.json | 9 +- ...-2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1.json | 9 +- ...-2c9ad579-0c29-4f2a-80f3-242dc6b0bafd.json | 20 +- ...-2ca6ff09-827d-4e2e-a60d-daa30f113b57.json | 15 +- ...-2caddf52-2bc2-4f75-90bb-0f292952ada6.json | 9 +- ...-2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07.json | 9 +- 
...-2cdd5474-620c-499e-8b9c-835505febc2c.json | 9 +- ...-2ce1e63a-2e9b-4cac-9469-3fb78bf4640f.json | 11 +- ...-2d1b46d5-cc2e-4312-adf2-43fb130a506b.json | 9 +- ...-2d3198ff-a481-47ec-ae64-13d7be706929.json | 11 +- ...-2de76a24-ec87-4808-b0d3-b84d318ac22c.json | 16 +- ...-2e08820f-a81d-480e-9e60-f14db3e49080.json | 20 +- ...-2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8.json | 20 +- ...-2e3a5d0d-a80a-4606-8be2-208302e995d1.json | 9 +- ...-2e55d0cf-afe6-41f1-8ad3-0d1a910ad010.json | 11 +- ...-2e59d381-eac6-41c6-a5e6-f9617c10259e.json | 20 +- ...-2e6d507e-afbb-4fa5-b459-2b060ab52db3.json | 9 +- ...-2e797961-356f-4763-bdb2-0ebc2ad4c8b0.json | 21 +- ...-2e7f8995-93ae-41bb-9baf-53178341d93e.json | 9 +- ...-2e826926-fd5b-407c-adbc-e998058728d3.json | 20 +- ...-2e913583-123a-47af-8872-98fc12ab4a6a.json | 20 +- ...-2ebd5c4c-af03-4874-a6fd-1e58d51cc055.json | 9 +- ...-2f1e5d77-0054-4f8a-8e01-7c0318278a76.json | 21 +- ...-2f2ae4a3-1ed9-4c90-86dc-d12c3a860349.json | 32 +++ ...-2f41ab75-3490-4642-8111-9d4d43b88df7.json | 9 +- ...-2f55e452-f8b3-402b-a193-d261dac9f327.json | 19 +- ...-2f8b5252-551c-4a0d-8e72-8da4050757f3.json | 20 +- ...-2f9b95b2-0ef4-40b8-a230-86f273000dc7.json | 9 +- ...-2f9c31d2-2e6c-4e95-9058-c9a8def46865.json | 11 +- ...-2fcc6291-9a68-45c2-a5c5-94b1973ed3d2.json | 19 +- ...-2fdcc49e-1875-4618-b3c5-c0ecfab97386.json | 11 +- ...-300c824d-5586-411b-b274-8941a99a98fb.json | 19 +- ...-3020bb16-fb1f-46f9-9e1c-3b3317af6b96.json | 9 +- ...-3057267c-fdd5-41d8-a9d8-76c0a87b28fa.json | 11 +- ...-30990c1a-ed7d-4552-a1aa-c5934ffa5761.json | 11 +- ...-30ab9ce7-5369-402a-94ee-f8452642acb9.json | 19 +- ...-3115a062-e7d0-4eac-9d78-9a9c797e7546.json | 11 +- ...-312950f2-80d2-4941-bfce-b97b2cb7a1ff.json | 20 +- ...-31330d32-50c8-4499-91fb-e1dcffa9ea8f.json | 29 ++- ...-319d46b5-de41-4f23-9001-2fa75f954720.json | 9 +- ...-322d0123-ea4c-4562-a718-672952c83d05.json | 9 +- ...-3230c032-17e0-49f7-b948-c157049aafe2.json | 21 +- ...-3272111a-f31d-47d5-a266-1749255b5016.json | 25 ++- 
...-327d0102-2113-4e12-be68-504db097a6fd.json | 9 +- ...-32958f57-ad9b-4fe1-abf3-6f92df895014.json | 20 +- ...-32be51e2-f74d-441f-aa0d-952697a76494.json | 20 +- ...-33316f49-f1fb-453a-9ba7-d6889982a010.json | 20 +- ...-3364dd33-c012-4aaf-852b-86e63bd724ac.json | 9 +- ...-33857221-2543-4a7f-8255-b0d140d70ad7.json | 20 +- ...-34351abd-1f58-420a-a893-ad822839815d.json | 9 +- ...-346b7e4a-dbd1-486b-ba26-55ae2ac613d0.json | 20 +- ...-348d1acd-3f37-4523-95cd-ae002c02c975.json | 11 +- ...-3498d304-48e3-4fe4-a3ab-fc261104f413.json | 20 +- ...-349c2f82-1166-4dab-88d0-cfe920804b70.json | 11 +- ...-34a8a945-cc6c-474b-8db1-ffe8b5ecf99f.json | 9 +- ...-34b6abb0-d199-46bb-af21-b65560e75658.json | 19 +- ...-34dd5c26-eec9-4288-8e53-677271d490b2.json | 9 +- ...-34f9aed0-48a7-4815-8456-5541a7b8210f.json | 25 ++- ...-352fabc8-48fe-4190-92b3-49b00348bb22.json | 25 ++- ...-35453bbb-c9b3-4421-8452-95efdd290d21.json | 20 +- ...-3565140f-1570-494d-9d6f-91c9203ece69.json | 9 +- ...-35927c96-7645-4ef3-b3da-e44822386a10.json | 9 +- ...-3598ab6e-9271-40ca-9771-b9a6bbce497c.json | 11 +- ...-35a12ae8-562d-4e24-979e-ef970dde0b94.json | 19 +- ...-35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f.json | 25 ++- ...-3616bacc-6f6e-41f2-832c-cdbbae9622f3.json | 9 +- ...-36268322-9f5e-4749-8760-6430178a3d68.json | 9 +- ...-36298fd6-d909-4490-8a04-095aef9ffafe.json | 20 +- ...-3644d1dd-8d9f-4a89-a618-c6b22c2a1a96.json | 13 +- ...-36c71b5d-e453-488c-ae63-8fb063924c27.json | 11 +- ...-370bf74f-7499-4d66-9626-a61926af8f84.json | 11 +- ...-37123a8d-5c03-459c-bd0b-c17e2ee75a10.json | 20 +- ...-373223d8-f18c-4151-8fe0-7d40c0c6e631.json | 20 +- ...-373f33be-9b40-44f5-bfd3-db2a9f5fa72c.json | 16 +- ...-3752c235-0576-47dc-b05d-d3eaeaccfecc.json | 20 +- ...-37d14338-b629-4b54-b734-446789b79f6f.json | 7 +- ...-37fd2f2a-e4f4-4d39-8698-d17305fb2517.json | 9 +- ...-3832d2cf-0568-451d-aac9-6fb809fc423d.json | 9 +- ...-383e5b12-061e-45c6-911b-b37187dd9254.json | 20 +- ...-3841024e-1047-40fa-9e25-ac6d5c14612a.json | 9 +- 
...-3857f790-6ea1-4f37-8d90-90904f175d63.json | 9 +- ...-38634e49-f19e-41bc-bb6d-e711f0cabd91.json | 9 +- ...-386b0a9f-9951-4717-8bce-30c8fbe05050.json | 20 +- ...-3874eaf6-aa14-4d8e-ad44-7ad227ecda1b.json | 11 +- ...-38962b26-7cbe-4761-8b4f-50a022167c4d.json | 25 ++- ...-38cb6365-40ba-47c6-a5e4-1a9be665f951.json | 9 +- ...-38ec048f-7f6e-4bbd-9455-1b1e54968af4.json | 11 +- ...-38f37e3f-1d4b-4f04-b176-1cae6d22931e.json | 20 +- ...-38f96449-dfb1-49db-b0d0-f257c3ee2c5d.json | 9 +- ...-393300c4-6852-466d-a163-1d51330fe055.json | 9 +- ...-395cb6b2-0848-43c7-ac4a-617e103fb66a.json | 9 +- ...-3997b2a1-2b70-4eeb-aa8f-1053bb3744c2.json | 9 +- ...-39b854c1-5906-4d14-a0bc-1242c3eaa5b0.json | 19 +- ...-3a18f41d-876c-403a-80cc-47ef57ae630d.json | 11 +- ...-3a282967-0536-474d-8831-30cd60b818a9.json | 11 +- ...-3a5dee7b-92a2-4382-aa02-2c14d0b82010.json | 15 +- ...-3a7d4872-2bfb-4df3-ad53-91c8229b9b41.json | 9 +- ...-3a8fea40-69ba-4cfe-b577-c3112a60887a.json | 19 +- ...-3abc80ad-4ea0-4e91-a170-f040469c2083.json | 20 +- ...-3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd.json | 19 +- ...-3acbaa64-fb6e-4c26-ada4-1aab88798265.json | 9 +- ...-3ae62d66-6405-413f-86e3-ccdb66fac7ba.json | 21 +- ...-3b0cb886-dabc-4622-b91f-3851e2a71bf2.json | 9 +- ...-3b24a287-36e1-49b9-811d-c0080147ff57.json | 9 +- ...-3bcd5bc8-4998-4f71-85d6-27f0cb22e895.json | 37 ++++ ...-3be6ad82-722d-4699-8e3a-c1ea60018244.json | 9 +- ...-3bf4b093-a1a3-48da-9236-bce9514765eb.json | 25 ++- ...-3bf5a566-986b-478c-b2da-e57caf261378.json | 22 ++- ...-3c0b0763-78d2-4d6e-8e57-b4f27af7e414.json | 21 +- ...-3c291ee5-1782-4e5b-8131-5188c7388f45.json | 16 +- ...-3c3c957e-7a23-4801-9f6a-ba599ad727d7.json | 16 +- ...-3c43d125-6719-420e-bb69-878cc91c2474.json | 9 +- ...-3c4ea7a5-251c-4d10-a724-f4a247f44637.json | 47 +++++ ...-3c57ee56-34bc-4f0c-b363-68dab3e5e7b3.json | 7 +- ...-3c6776b9-258c-460c-b4b4-ea1a1453e5c5.json | 11 +- ...-3c874ffa-63c3-491f-8d8c-623b19a7fdad.json | 9 +- ...-3c90dc4c-8156-49ae-8144-76526268a6c1.json | 11 +- 
...-3ca284e7-062c-4f23-b95d-9f9c6a2d882a.json | 9 +- ...-3ca453a4-bd78-4087-a93f-9261fb2e3f00.json | 20 +- ...-3d24d88e-a0ab-42c6-8e8f-11f721082bba.json | 16 +- ...-3d5a1472-4042-49a4-8b66-7ff1fcfee92c.json | 9 +- ...-3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b.json | 20 +- ...-3d65c2b7-c907-45e1-b942-95f7d765e749.json | 9 +- ...-3db58541-3870-424d-ad74-f2b84ff87abb.json | 9 +- ...-3dd0cd4d-bcde-4105-b98e-b32add191083.json | 9 +- ...-3dff770d-9627-4647-b945-7f24a97b2273.json | 16 +- ...-3e11a61b-14b3-4268-a6dd-937d4baef6de.json | 11 +- ...-3e2474d3-f36d-4193-92f6-273296befdd3.json | 19 +- ...-3e2b9dc1-5da0-46a1-a576-4b41a10f3a60.json | 9 +- ...-3e3cad6c-dd73-43c9-bf99-d4796ba97fb1.json | 20 +- ...-3e5b5c7a-32e1-4745-8ceb-c46ce7276364.json | 11 +- ...-3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56.json | 21 +- ...-3ebdc17d-401e-4f6a-af51-2dc57437b817.json | 25 ++- ...-3ec30b37-1db2-4048-9dd9-22d863f034bb.json | 9 +- ...-3ee5c123-416f-4d02-920d-ce44be7f11a5.json | 32 +++ ...-3efe7dcc-a572-45ac-aff2-2932206a0632.json | 9 +- ...-3f2daf2e-c28c-46cd-bf91-ae35e873f365.json | 9 +- ...-3f31b209-dbc7-4c7e-bb0a-e37801121c13.json | 9 +- ...-3f392718-87c4-483b-b89f-4f0cc056d251.json | 20 +- ...-3f47f048-badd-4476-8534-d06e20c02ec6.json | 11 +- ...-3f5dbd48-5899-4e97-96a6-ad7e68b673cd.json | 9 +- ...-3f81a680-3151-4608-b83f-550756632013.json | 20 +- ...-3f973c3c-45f8-432a-9859-e8749f2e7418.json | 16 +- ...-3fcd2177-2030-4781-bd19-8b9fa8c6e645.json | 20 +- ...-3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a.json | 25 ++- ...-3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb.json | 11 +- ...-4009ff40-4616-4b1c-bff9-599e52ccab37.json | 9 +- ...-4088b31b-d542-4935-84b4-82b592159591.json | 20 +- ...-40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4.json | 19 +- ...-40f30137-4db9-4596-b4c7-a12f1497fd92.json | 25 ++- ...-4159bc09-ddf3-4d88-9bf0-853ace9c8151.json | 11 +- ...-418168ad-fee9-42c8-ac27-11f7472a5f86.json | 13 +- ...-41b7cdc1-0b0a-49da-b694-774c22e6cd27.json | 32 +++ ...-41da5845-a1a8-4d10-8929-053be3496396.json | 9 +- 
...-4220ec84-3c30-462b-9bad-4fb4de42cfd4.json | 19 +- ...-42342d72-a37c-477e-b8f1-1768273fcb7f.json | 21 +- ...-42510b9a-7e72-4a52-bc7a-6e1a7ebacff7.json | 11 +- ...-42536c96-ae61-41ab-a1bf-3e7d126a4000.json | 19 +- ...-42624ee9-1bf5-46aa-87d0-9fda0de9a06e.json | 9 +- ...-4267ebfa-d932-4949-9d7f-8e183f51f2d9.json | 11 +- ...-429a4b02-f774-4b1e-aaef-5fd9c654dd09.json | 20 +- ...-42ae42eb-ea75-457a-bf39-4ea04304dd0b.json | 25 ++- ...-42f8d024-64a7-4bbf-8c05-2b0c7e667396.json | 20 +- ...-430b2b14-9d63-401c-b76b-d0247ee7e27b.json | 20 +- ...-433af79b-ce77-4a4c-84f7-6cdc34e70674.json | 9 +- ...-433ba5b0-76eb-49e1-a2ed-e54994e94041.json | 16 +- ...-437f719c-d602-4cb8-a2b9-c33e85ad7c50.json | 9 +- ...-439d905b-1ad8-461a-ab0d-b2f426cb2c3a.json | 9 +- ...-43a62244-29f1-4f7f-bc9f-9b7b8e488b38.json | 20 +- ...-43af5696-ac4d-4618-9da9-0784b8f7e433.json | 11 +- ...-43eeee7f-339a-4f6e-9df3-ccbf08ecf358.json | 20 +- ...-442dd700-2d7d-4cad-8282-9027e4f69133.json | 19 +- ...-44304163-9a44-4760-bd04-0e14adb33299.json | 25 ++- ...-4449ac76-8329-4483-b152-99b990006cbc.json | 9 +- ...-4454a696-7619-40ee-971b-cbf646e4ee61.json | 25 ++- ...-44a673c9-7ce7-42a0-8ab4-60bbb5001ce2.json | 9 +- ...-44b63426-1ea7-456e-907b-0856e3eab0c3.json | 20 +- ...-44da429b-9dee-43c9-9397-445c6f9e647e.json | 19 +- ...-450a1b75-efa5-4d7a-bcd5-d3e63723b408.json | 25 ++- ...-45253350-c802-4566-a72d-57d43d05fd63.json | 16 +- ...-45383213-4323-4f77-9f9f-360d6d43c128.json | 11 +- ...-45505ae7-0e54-4279-82c3-f92f4a832ed9.json | 19 +- ...-455b1287-5784-42b4-91fb-01dac007758d.json | 25 ++- ...-4586277d-bebd-4717-87c6-a31a9be741ed.json | 20 +- ...-45da5ed9-3a9b-4491-98cb-96db68e245bb.json | 25 ++- ...-465b7a4a-32d5-475c-9fb9-6335c44fb0d1.json | 19 +- ...-465d14e7-eb9e-4794-9cb3-1de2cff86a8e.json | 9 +- ...-4667e169-d85a-4d0c-9da7-2fe22d1ba873.json | 32 +++ ...-4761145d-34ac-4b45-a0d6-a09b1907a196.json | 20 +- ...-476e269e-3c49-4fda-a54b-3f0cb577c5af.json | 9 +- ...-477edf7d-cc1f-49b7-9d96-f88399808775.json | 19 +- 
...-4819f391-01de-4525-992b-7e4a4f6667de.json | 20 +- ...-481e5d33-eca4-453c-9fec-27ee01d50989.json | 9 +- ...-48486680-530c-4ed9-aca3-94969aa262b6.json | 9 +- ...-48552acc-5f1a-422f-90fa-37108446f36d.json | 19 +- ...-48854999-1c12-4454-bb7c-051691a081f9.json | 19 +- ...-4896e256-fb04-403c-bbb7-2323b158a6e0.json | 19 +- ...-4897ef75-0035-4ae5-b325-de2f6b27565f.json | 11 +- ...-48c0d9f7-9293-4f38-8ae5-9f5342621f74.json | 20 +- ...-48cd0af5-9ad1-44b3-beeb-d576974dadee.json | 11 +- ...-4920a041-86f7-495b-896c-4d964950ed7e.json | 20 +- ...-492d5699-f885-411a-8431-254fcf33fb12.json | 25 ++- ...-4943cca6-69b1-4565-ac09-87ebda04584c.json | 19 +- ...-494ece43-ebba-4519-86be-cd5c4d4dd337.json | 37 ++++ ...-496976ef-4a0c-4782-95e7-231bd44df162.json | 20 +- ...-49c0c003-433c-467f-93b7-ca585aab8232.json | 11 +- ...-4a408dee-07da-4855-b2ff-be512480ccb5.json | 9 +- ...-4a4aba6e-2dc4-43a5-bcac-876c89114a57.json | 9 +- ...-4a608d3b-aa02-4563-8b6b-c64a491856f5.json | 11 +- ...-4a67b14a-e489-4e8f-b545-5bdf134e146e.json | 20 +- ...-4a77c56b-ed2c-4e43-bd0f-7acf9cce1952.json | 9 +- ...-4a936488-526c-40c1-b2d5-490052cb0e73.json | 9 +- ...-4aae6ab8-2a67-4780-a69e-b15ecff7fc5d.json | 11 +- ...-4ab1867c-b924-4b0d-a332-c0e150a28d7d.json | 9 +- ...-4ad83f33-c64a-4ad6-ab6f-0548c9dde257.json | 20 +- ...-4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3.json | 9 +- ...-4aec0738-2c76-4dc7-af8a-87785e658193.json | 9 +- ...-4af26643-880f-4c34-a4a8-23e89b950c9d.json | 9 +- ...-4b16e681-9542-4f32-b23a-f1b0caf44b6a.json | 20 +- ...-4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1.json | 25 ++- ...-4b68bcb1-a512-40f7-9aee-235b3668f022.json | 20 +- ...-4b7e117b-0c82-49d0-bee6-119158b3355b.json | 16 +- ...-4b838636-bfa4-4592-b72f-3044946b8187.json | 9 +- ...-4b8d027d-5da2-4a01-ad31-b6644a5cda61.json | 20 +- ...-4bdda427-2fff-428d-ba19-4bee5d2508e1.json | 20 +- ...-4c035760-9bf2-40cd-87d1-f286afd76376.json | 11 +- ...-4c6f1475-3b92-4a37-8bb5-4dcc69660b11.json | 9 +- ...-4c7e776d-ed19-4e5a-842c-81612f5c07bd.json | 13 +- 
...-4cb926c1-c242-45c2-be46-07c22435a8a5.json | 11 +- ...-4cc8a16f-562a-42c7-b5d9-10e1088af89c.json | 9 +- ...-4cccb708-b51b-4e71-94a1-78d6819eaac1.json | 9 +- ...-4d431474-1dcc-4d0e-9906-129eb02f00b3.json | 11 +- ...-4d4dfc26-3ab7-4798-abf2-be8dc278fdfa.json | 20 +- ...-4d537065-9a82-42d5-923d-45194453cc25.json | 25 +++ ...-4d542595-1eb0-45aa-9702-9d494142b390.json | 20 +- ...-4d6a900d-d1c4-4a91-bded-c9062aae384b.json | 9 +- ...-4d7e937d-7ea1-49cb-939c-5244815e51d7.json | 9 +- ...-4d88c5ac-68c0-4304-9474-d07372d0ad99.json | 11 +- ...-4dcbb081-a0b3-4b80-a63e-28547cb6f89c.json | 11 +- ...-4de3f794-63df-4f9e-8bd8-59796d91aa36.json | 25 ++- ...-4df6a22e-489f-400c-b953-cc53bfb708a3.json | 20 +- ...-4e68feca-083f-40ed-88d8-2b6a3935c949.json | 13 +- ...-4e6b726d-9ef4-4eb6-b9a7-74059caee5b7.json | 9 +- ...-4e7a1b10-0f68-4a48-a13d-0c7bc13fb819.json | 20 +- ...-4e9f021d-3cf4-4790-8f7d-f87f33133446.json | 9 +- ...-4ed97a0d-2fcf-4c53-8aaa-21e174b28309.json | 9 +- ...-4ee57616-7205-490c-86c3-c27dcffd8689.json | 19 +- ...-4efa4953-7854-4144-8837-d7831ccbe35d.json | 20 +- ...-4f2ae057-ef0b-4995-b24d-348a76a74a4f.json | 25 ++- ...-4f366c8c-9c70-44ed-baa8-d433d5dbfe49.json | 9 +- ...-4f6f4def-e76d-4d1b-9416-b6543e7dbc54.json | 20 +- ...-4f812a57-efdc-463b-bf37-baa4bca7502b.json | 9 +- ...-4fc165fd-185e-4c70-b423-c242cf715510.json | 9 +- ...-4ff5f854-bfe9-45bc-b11a-196cf826b760.json | 25 ++- ...-4ff9b16f-3643-4fa0-b107-f93a9bb847c3.json | 9 +- ...-5012c647-9b58-4a4f-b64f-468c9b76a60c.json | 9 +- ...-501c3f2a-1ae0-4832-9730-3fdf5f31df5c.json | 32 +++ ...-502fc83c-ce03-4ce7-a202-095bbe0b492b.json | 11 +- ...-503ca6f2-a747-43fb-8fc5-7be095dcb966.json | 11 +- ...-506d657b-1634-442e-8179-7187f82feb3a.json | 9 +- ...-5088a10e-03d2-4643-8df8-b7b601c2cc24.json | 20 +- ...-50ad2a8c-ed45-4376-be31-8bafa26ba794.json | 9 +- ...-50bab448-fee6-49e9-a296-498fe06eacc7.json | 20 +- ...-50c81a85-8c70-48df-a338-8622d2debc74.json | 9 +- ...-50d8e788-d405-45e8-b6b7-0f02f353cc97.json | 11 +- 
...-50e3b570-2e9a-409b-973a-3ce91b9579d4.json | 9 +- ...-50f03c00-5488-49fe-a527-a8776e526523.json | 20 +- ...-5107be8a-b5fc-4442-af0d-2c92e086a912.json | 20 +- ...-51457698-e98b-435a-88c2-75a82cdc2bda.json | 9 +- ...-5151b976-cfcf-4771-a75a-995d49bcc1ab.json | 19 +- ...-51757971-17ac-40c3-bae7-78365579db49.json | 9 +- ...-51b0a4fb-a308-4694-9437-95702a50ebd5.json | 20 +- ...-51bd38a1-465b-49c0-9218-5984f391a51c.json | 11 +- ...-51bf6ffc-85c7-4910-8821-9736a1ec60f1.json | 25 ++- ...-51d31e17-6c80-4ab3-9e8e-6231483e0999.json | 9 +- ...-51f75dd5-b584-482f-8f7f-dbee2d5cf6f3.json | 21 +- ...-520668a0-2523-4515-8ed9-f8059023632f.json | 11 +- ...-520c7112-9768-42c5-8917-1950efd182f9.json | 9 +- ...-526099a3-132d-430f-9559-fc067e39b227.json | 37 ++++ ...-52649ab6-8d1c-41d0-9804-3fd4b6a1ba48.json | 9 +- ...-526ce88f-ee58-4a55-a1b2-b72e1b5971aa.json | 19 +- ...-529107fd-6420-4573-8dbf-cdcd49c2708c.json | 20 +- ...-52ad5145-3b04-4cc8-bed8-4a14501afe25.json | 20 +- ...-52f7e464-db89-4201-aea8-38d9b44bbd1b.json | 20 +- ...-53364899-1ea5-47fa-afde-c210aed64120.json | 20 +- ...-533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a.json | 7 +- ...-5340f466-abf0-4bb9-a7e9-44694014561d.json | 52 +++++ ...-535d2425-21aa-4fe5-ae6d-5b677f459020.json | 19 +- ...-53ebd5b6-e60e-4aa4-a342-de586917f06d.json | 9 +- ...-54151897-cc7e-4f92-af50-bed41ea78d92.json | 9 +- ...-5417959b-9478-49fb-b779-3c82a10ad080.json | 20 +- ...-544e8fc3-c656-4081-9b4f-8a5d60926f47.json | 19 +- ...-545d9313-3fcc-4d4a-b9d2-7555430df8f2.json | 9 +- ...-5482462c-08bc-4e28-bc20-bfbbc60f3f81.json | 19 +- ...-54bfecbc-4d1d-4bca-bb9c-652d09b29515.json | 9 +- ...-54ce9375-cc0f-456e-ac22-e6fe822a6cec.json | 19 +- ...-54da16fe-c3af-4283-8e73-434beca633d4.json | 32 +++ ...-54dac52d-5279-407f-b7b4-5484ae90b98c.json | 20 +- ...-554ec347-c8b2-43da-876b-36608dcc543d.json | 25 ++- ...-557e6d99-d7d8-4e2f-bc01-66b0754de089.json | 19 +- ...-55afe9a0-d261-48ea-b5a8-0b1685ff2f15.json | 20 +- ...-55b3df0f-252d-4208-bdb8-91fa1e1119b4.json | 9 +- 
...-55f1c604-f3e1-4eef-8313-d136425be83d.json | 32 +++ ...-5619e263-d48c-47a5-ab68-8677fe080a15.json | 19 +- ...-56551987-326a-46ad-a34a-59bb7ab793a9.json | 9 +- ...-56758bb5-230e-43ac-9851-167c296c3dfa.json | 9 +- ...-56816b86-3c80-429b-8360-7b4e77538c97.json | 42 ++++ ...-56a0173f-68ec-48f6-88d8-ed1e7a2470ba.json | 11 +- ...-56a255a5-9fa2-45bb-8848-fd0a68514467.json | 19 +- ...-56c8af86-2924-46f8-a1d7-8309ee6f0282.json | 13 +- ...-5706742b-733d-44e9-a032-62b81ba05bcf.json | 9 +- ...-57293fc9-8838-4acd-a16f-48f516d0921e.json | 9 +- ...-5738479d-47fb-4d6f-9f04-5ce988327694.json | 11 +- ...-5749763a-0aef-460a-b081-849adba8d58f.json | 11 +- ...-576dfa89-d400-4cac-b32d-8ee85a9de5d7.json | 9 +- ...-57881f4b-8463-430c-912a-0e3c961e7784.json | 11 +- ...-57a069a0-399f-43ab-9efc-50432a41b26b.json | 9 +- ...-57a5ae72-6932-45e6-83f2-609943902b35.json | 9 +- ...-57df3046-2f14-4bb8-93e9-84a9c8b46791.json | 19 +- ...-57e441f8-6799-4d1b-8e2a-13d8ac1c8e78.json | 9 +- ...-583720d0-8b15-4662-822e-bb40bc1df940.json | 11 +- ...-58c0fe4b-612d-4fc6-973f-16914b0f4b72.json | 20 +- ...-58c15bce-1593-4be1-ae56-7e7b2634fc56.json | 9 +- ...-58c857f8-4f40-48e0-b3ac-41944d82b576.json | 9 +- ...-592331d2-60a7-4264-b844-fbeb89b6386c.json | 9 +- ...-597579b4-7e2f-4843-8cd3-f9143eca34f2.json | 9 +- ...-5976af4f-2fd4-46a0-baab-a4ae69e98bc1.json | 32 +++ ...-5977289e-d38f-4974-912b-2151fc00c850.json | 20 +- ...-59aaa62b-a629-42c8-9bd2-8e75810135a9.json | 19 +- ...-59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc.json | 9 +- ...-59ccdf54-af53-45f2-9ada-549bbc9fb53f.json | 32 +++ ...-59d463d3-3a41-4269-be9a-7a69f44eca78.json | 9 +- ...-59e225fa-b181-4906-9f0b-ef8f6ce7f2ef.json | 19 +- ...-5a036fb8-9f72-4383-91c5-0f47b33b2c9d.json | 9 +- ...-5a18e6c3-4bbf-4418-8815-55ebf283c8a1.json | 25 ++- ...-5a277966-4559-487e-bdfb-7be6366ccdb6.json | 22 ++- ...-5a2bff26-f5e5-41f9-b3da-a558988ef3f3.json | 20 +- ...-5a50d9da-3fa5-443e-8367-8a0520d58cae.json | 9 +- ...-5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb.json | 32 +++ 
...-5a64b957-32fb-4dd6-84ae-48a2c74c560f.json | 9 +- ...-5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a.json | 25 ++- ...-5a7295a2-ad95-4362-8b2c-9265ad5c73b0.json | 25 ++- ...-5a836ae1-c2a0-49b8-a0b4-851b7f3939fb.json | 32 +++ ...-5a96d87e-f70e-49dc-a272-c98aad672ce0.json | 16 +- ...-5aa167b8-4166-440b-b49f-bf1bab597237.json | 9 +- ...-5b04c8d0-c026-4838-9383-e4146de36d4d.json | 9 +- ...-5b235ed4-548d-49f2-ae01-1874666e6747.json | 19 +- ...-5b37d94a-64a3-432a-b340-1c9a4f553d02.json | 20 +- ...-5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27.json | 42 ++++ ...-5b5586b9-75ee-476f-b3eb-49878254302c.json | 20 +- ...-5b670281-0054-42b4-8e54-ea01a692f5bf.json | 20 +- ...-5b7c73d3-a983-456e-82fe-1c823a282eb0.json | 13 +- ...-5b87bb01-9587-42bd-aa6b-30158ca8f55f.json | 9 +- ...-5b9a2c93-95bf-4f39-aeac-b2af051faca9.json | 11 +- ...-5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c.json | 20 +- ...-5c447471-2b97-4d96-b75f-1cbb574b39cf.json | 9 +- ...-5c746ac8-4034-4ae3-98c3-66d89f5a6d6a.json | 9 +- ...-5c7508ae-5d05-49fd-a489-b944d3b45dd0.json | 20 +- ...-5ceb24c4-f32d-4eca-ad91-aed9ef8d459b.json | 32 +++ ...-5ced57a7-b674-40d4-98b8-a090963a6ade.json | 20 +- ...-5d0fdc8a-af17-4334-88e6-111aa290b22f.json | 9 +- ...-5d2a3a9f-2467-4ac6-ab64-ffe91ec584da.json | 20 +- ...-5d37400f-80f9-4500-9357-185650e5a7b2.json | 9 +- ...-5dc4eaca-ff82-412a-a8dd-168de1857d8c.json | 9 +- ...-5dd9e0aa-e4dc-4776-9580-5a765c2cc08d.json | 9 +- ...-5de0caa8-81f8-453c-b70c-a74e7ea9e5c2.json | 19 +- ...-5e360913-4986-4423-8d3c-46d3202b7787.json | 20 +- ...-5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e.json | 11 +- ...-5e74f4f8-5057-42f4-9796-aee60122cf6d.json | 25 ++- ...-5e95ca90-bf75-4031-a28f-f8565c02185c.json | 9 +- ...-5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2.json | 9 +- ...-5fb59cf9-9af5-4dd5-9878-dda2ba228ae5.json | 11 +- ...-6001f77a-da30-4ebc-85fd-5bf9afe5f0a1.json | 9 +- ...-603df08f-22d3-4418-9151-4b3a3c9c7c24.json | 9 +- ...-60439118-3ceb-490b-9df5-e35e7fca9009.json | 9 +- ...-605d95a1-0493-418e-9d81-de58531c4421.json | 9 +- 
...-606b07b9-b5a4-464f-8381-062e2134d0ab.json | 11 +- ...-60782df8-1e96-48eb-a6b7-843c94b32b59.json | 9 +- ...-6086e1e2-1b39-4ff2-910e-4a4eb86d57b7.json | 25 ++- ...-609ec9f8-f702-444b-b837-72a0880d429b.json | 11 +- ...-60ad088f-3133-4b0c-a441-e1e06fff1765.json | 9 +- ...-60da837d-a635-4533-b96a-db2689cc4771.json | 32 +++ ...-60db521a-ae2d-4a9a-8c6d-47a5528f1ecb.json | 20 +- ...-60e2ebd0-90dc-4131-ba4f-adc9b49ec113.json | 25 ++- ...-60ecd154-e907-419a-b41d-1a9a1f59e7c3.json | 9 +- ...-61071d73-fcdf-4820-afd0-e3f0983e0a71.json | 9 +- ...-61550ef4-41f0-4354-af5c-f47db8aca654.json | 20 +- ...-6176a297-3097-42e2-b1c2-815e7fd8c81c.json | 20 +- ...-618ec7db-fb08-4693-905b-49e9e2a0ad95.json | 32 +++ ...-6209cccd-2877-4941-ac0c-bec3ba7a5544.json | 19 +- ...-62623afc-8222-4d59-b5d0-7bc1ccc7fadc.json | 9 +- ...-626d4c6c-97e4-4aa3-922b-c1a81e677213.json | 9 +- ...-628435f7-7d1e-40f1-a29a-7c5861b14c7d.json | 19 +- ...-6294e276-e4ac-4097-a5cd-3b81e0d4498f.json | 20 +- ...-62cc60d9-1581-4a0f-b7e2-a18d386511e6.json | 19 +- ...-6315b6ec-35f8-4b28-8603-664664311a33.json | 11 +- ...-634071ce-d386-4143-8e6e-b88bc077de6d.json | 20 +- ...-638f3d4b-f1d4-4c61-91a0-7c125ef8437a.json | 16 +- ...-63e67cba-4eae-4495-8897-2610103a0c41.json | 16 +- ...-642a2599-a50c-480c-8e07-2a3a217f4a46.json | 11 +- ...-64489abc-5c2f-4620-833d-9ac010040955.json | 11 +- ...-644a19d3-c94f-40d9-87ac-02ef20b14eda.json | 9 +- ...-64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65.json | 20 +- ...-6556536c-d5ea-4a3d-ae48-4016d4d762ff.json | 20 +- ...-657f1d8c-3982-4ee5-95dc-c8ec3164cb2e.json | 20 +- ...-65803bfa-7601-44ad-95ea-64d8bfd778a4.json | 20 +- ...-6588186c-2fa1-408d-bef4-2d63ccf49c28.json | 7 +- ...-6588914f-d270-47d3-b889-046564ad616f.json | 11 +- ...-65a24b75-4bb0-441a-8cb2-a34077b13f61.json | 20 +- ...-65acbbe2-48e1-4fba-a781-39fb040a711d.json | 22 ++- ...-65dc7cc1-e047-4087-8b2b-7d0d0f67576a.json | 11 +- ...-6603a556-9732-4f8b-ac9c-5c3949b251ed.json | 9 +- ...-6609b892-d388-4b8a-ac21-5cbf12e0d574.json | 7 +- 
...-66132260-65d1-4bf5-8200-abdb2014be6f.json | 9 +- ...-6661823b-4fdd-4879-ad5d-64c9a4b12519.json | 19 +- ...-66ba3094-7c14-41b9-b7c1-814d026156b9.json | 20 +- ...-66c7fdcf-b9ef-429e-81b2-e97e971cfb42.json | 20 +- ...-66fb8a34-9d48-4599-a56e-19b057380030.json | 9 +- ...-6701f90c-6fce-4f7b-a785-a585601d366a.json | 32 +++ ...-670a0995-a789-4674-9e91-c74316cdef90.json | 20 +- ...-67aa692c-24e4-483e-996e-02ce1e861ec8.json | 9 +- ...-67c2b73d-cd51-4894-a7bd-fdd5d14b33a2.json | 25 ++- ...-67db22d4-6f89-40c6-b31b-737c1e3dec3f.json | 9 +- ...-681161b2-4e30-4d49-8524-6cc0d94585cb.json | 9 +- ...-681d5e61-9412-4c58-bef1-c6ef7bffcb0c.json | 21 +- ...-6846dc09-b66a-42d3-aea2-c80b51f22952.json | 11 +- ...-684c17bb-2075-4e1f-9fcb-17408511222d.json | 20 +- ...-6859be95-c11a-4085-b8d3-c4ea4e2add44.json | 11 +- ...-686a6bc8-d660-40ad-97bc-9c900195cd5b.json | 32 +++ ...-6885280e-5423-422a-94f1-e91d557e043e.json | 29 ++- ...-68c17e9b-1fda-49dd-982b-566d473cc32b.json | 19 +- ...-68e5789c-9f60-421e-9c79-fae207a29e83.json | 9 +- ...-6920d0d0-27f4-4d29-8622-c8a92090eec3.json | 9 +- ...-6935752c-e400-4dfa-863f-1d44a8f6dd50.json | 9 +- ...-6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8.json | 37 ++++ ...-694857ba-92e8-462e-8900-a9f6fdcf495d.json | 20 +- ...-6961eec4-8e31-4be1-88d9-dca682e38b8c.json | 25 ++- ...-69718f1d-7761-41ae-b9d0-12c45f6b4ac4.json | 9 +- ...-697f5584-667f-4489-a535-586dd1a8b48c.json | 7 +- ...-69bb264a-3f44-4132-9248-dd80a9f5efa2.json | 9 +- ...-69de3f7e-faa7-4342-b755-4777a68fd89b.json | 25 ++- ...-6a1d8b2f-9007-46ba-b559-356b81632cee.json | 7 +- ...-6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b.json | 20 +- ...-6a5926f3-8c44-4806-83c2-e8ed0be36bc2.json | 19 +- ...-6a5f151f-36cb-496a-9d0c-d726f1b00d4e.json | 9 +- ...-6a715733-cde6-4903-b967-35562b584c6f.json | 20 +- ...-6a813057-5fe0-46b5-89a3-c804d223568c.json | 9 +- ...-6a821e14-8247-408b-af37-9cecbba616ec.json | 20 +- ...-6a87a107-e607-460b-a08c-cc693b15268c.json | 42 ++++ ...-6a924f93-6a3a-4931-b0b3-b8bc37f0587a.json | 13 +- 
...-6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e.json | 9 +- ...-6ad4f199-99fe-4366-87be-7a462f6c89b0.json | 9 +- ...-6b41d649-bcd0-4427-baa1-15a145bace6e.json | 20 +- ...-6b623a18-a3cf-4f94-b3a8-19f7369a2b61.json | 11 +- ...-6b64d3f4-96d6-48e5-a57e-b5cf897670f9.json | 9 +- ...-6b74d347-4d28-401f-9ac2-b3e1c9428bab.json | 13 +- ...-6ba09d73-4ed5-4a37-8191-fc54a8f01696.json | 19 +- ...-6bac4ccd-d810-40f4-937e-3ac4bfa959ec.json | 32 +++ ...-6bb4de7d-1ef9-4bc8-8d34-62e176d4188a.json | 9 +- ...-6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2.json | 32 +++ ...-6c0105f3-e919-499d-b080-d127394d2837.json | 19 +- ...-6c35f99c-153d-4023-a29a-821488ce5418.json | 9 +- ...-6c859d6b-28b1-409d-90ea-d4eba64edf82.json | 20 +- ...-6c887e1b-ff9a-4d7f-baec-7d19e1c982bd.json | 11 +- ...-6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e.json | 20 +- ...-6cace9e3-f095-4914-bddc-24cec8bcc859.json | 16 +- ...-6ce36374-2ff6-4b41-8493-148416153232.json | 20 +- ...-6d2c7743-fc75-4524-b217-13867ca1dd10.json | 9 +- ...-6d38782e-2c88-411b-8328-72347d4c6024.json | 32 +++ ...-6d659130-545b-4917-891c-6c1b7d54ed07.json | 20 +- ...-6d88242f-e45b-481c-bd41-b66a662618ce.json | 19 +- ...-6d8ffc4a-6496-423e-a44d-d5a973ee1acf.json | 52 +++++ ...-6d910b1c-df72-4fcb-9d9e-0bb666c9c108.json | 9 +- ...-6dada572-9e79-4835-9f8c-fcb6a94947af.json | 42 ++++ ...-6db7839a-5699-4e2a-8410-4e33bf88ba05.json | 11 +- ...-6de29595-e63e-4d7e-992f-b4622b7b8e23.json | 20 +- ...-6e642c09-751c-43d8-9b99-aabb1703cad7.json | 47 +++++ ...-6e811d89-6526-480f-be40-1ad6483182ff.json | 7 +- ...-6ee69225-7c42-49e6-bfe4-c7009c82e76a.json | 9 +- ...-6f240b1d-de8f-465d-a0f1-f75e828493c3.json | 9 +- ...-6f27a13d-b353-47f3-8a71-a13e8c4c3d60.json | 20 +- ...-6f30b02b-5d88-453d-af1e-305a75bfaf87.json | 20 +- ...-6f63395f-a826-45e2-8d3b-dccd6375f54d.json | 9 +- ...-6f9f892e-56ec-480b-aa40-337f20f2bb9c.json | 20 +- ...-6faacfdd-d17d-4c6e-a33e-5fdea2cc3998.json | 9 +- ...-70000e5a-cdff-4ff8-a565-5f7db60f8c49.json | 11 +- ...-7017085c-c612-48b2-b655-e18d7822d0e7.json | 9 +- 
...-70367e5c-15e0-4bcd-b538-7a90c4eefd30.json | 9 +- ...-706c698c-aa8d-4fac-a6c1-2e047c3f965c.json | 16 +- ...-70ec9e67-b755-41ee-a1db-71d250a90b4e.json | 20 +- ...-70f8cbed-b20d-4ff2-ad02-8d78e7d49159.json | 16 +- ...-70fa8498-6117-4e15-ae3c-f53d63996826.json | 20 +- ...-71490fdb-e271-4a67-b932-5288924b1dae.json | 16 +- ...-716f68ee-1e77-4254-8f67-d8f3c71db678.json | 20 +- ...-717feaf1-493b-4a3e-b886-40652f41168d.json | 9 +- ...-718a612e-50c5-40ab-9081-b88cefeafcb6.json | 25 ++- ...-71fbb52a-1808-45a1-8cc2-13b461376e4a.json | 11 +- ...-721cc30c-74cf-4eed-89a8-7a8e63e6c0e1.json | 9 +- ...-724e1b64-7c9b-4a8f-a2ab-3f9cab539e68.json | 9 +- ...-7258542e-029b-45b9-be69-6e76d9c93b35.json | 9 +- ...-725dc68b-e56d-42ac-b35e-651a7b3a2db8.json | 11 +- ...-7260c8fe-6b3b-48a2-889f-f329fb5b4ef0.json | 21 +- ...-72a5350f-f0cf-4f44-82d5-28a25492c6af.json | 20 +- ...-72a88d43-4144-444e-8f71-ac0d19ae3710.json | 20 +- ...-732ca9b5-961d-4734-9f8d-339078457457.json | 11 +- ...-73410b22-5aca-4b86-8efc-98c1ad75399a.json | 7 +- ...-734fa2bf-17af-4e54-8d83-4cf9759e4ba9.json | 20 +- ...-73d22490-4043-42d7-ad25-74e4a642bf6a.json | 9 +- ...-73d78f2c-dd3b-469c-a622-e2e89cb521d3.json | 21 +- ...-73e78aab-bcd9-4d3c-96f8-832f399bf2ee.json | 11 +- ...-74080f4f-1de2-464f-8ec1-0635fc142273.json | 11 +- ...-740ea19e-d248-44e5-a0e5-3e9420df9dc8.json | 20 +- ...-746eaf98-bd95-4e9a-a4ed-0e3f20402276.json | 7 +- ...-749dcdbd-9be9-403b-850f-8ee5452b7aed.json | 9 +- ...-74a137c7-b3f8-421f-bc52-bf9f0785d0ba.json | 11 +- ...-74c3c88c-956b-4bc7-9ea2-585e7366fe69.json | 25 ++- ...-74c8c9e7-cd8b-4f3a-830d-a7e6e9668330.json | 19 +- ...-74eb8469-1cce-40f8-8b6b-486338e8cfbe.json | 20 +- ...-75400f2e-8a9a-4bc6-a40b-f860b38868b6.json | 9 +- ...-75472bf8-c7fd-4fc7-a11e-74189bc23b78.json | 20 +- ...-75770898-93a7-45e3-bdb2-03172004a88f.json | 25 ++- ...-75989cf6-c023-4ed3-9d23-a83f55690186.json | 11 +- ...-759a2e09-32b6-4857-9b6d-adf5dcee142b.json | 20 +- ...-75a8614f-bf92-455d-b2ef-7085aff9a64d.json | 9 +- 
...-75ed2348-279f-4485-97a3-9a5ada27d799.json | 11 +- ...-760037f0-f027-41bb-adf8-1ced6c7085be.json | 7 +- ...-760faa7b-06cb-48b7-9103-1c52f2ca408f.json | 20 +- ...-76336d14-0dcb-4fc4-8423-9996dca9a9f2.json | 32 +++ ...-764ba23e-9902-4a60-8ec3-e0ae1abf92ce.json | 11 +- ...-7657a4d4-1ba3-4b66-83f7-6db5eab14847.json | 19 +- ...-7696b512-ba2f-4310-86e1-7c528529fc5e.json | 20 +- ...-76cc66f4-ce85-4873-a63e-879b4a14a540.json | 11 +- ...-76f852f3-f218-40e2-8fa1-6fb15c4cbf98.json | 7 +- ...-7793a066-d72b-4a60-9579-e16369ea7185.json | 9 +- ...-77efa84c-5ef0-4554-b774-2dbfcca74087.json | 20 +- ...-7825f4b1-75ca-4377-b8f6-0dda9311d889.json | 11 +- ...-78417fce-5aaa-4ad3-a2f1-279fa18bfe45.json | 11 +- ...-7850d933-120b-4ae6-998d-8dc4dfd6d164.json | 20 +- ...-7863ef22-130a-4670-80c6-9bdeee58b8c9.json | 11 +- ...-7885c84c-b832-42d4-b3d3-49b82849262f.json | 15 +- ...-789699c2-44f1-4280-bf86-ab23e6a13e84.json | 9 +- ...-789cb76e-27b0-4762-a2f7-3ff32ce0762d.json | 16 +- ...-789dd0f9-527c-49b3-93b7-851ce4961f0f.json | 22 ++- ...-78cc0d6d-6347-45a4-a18c-ca76150aa7a9.json | 16 +- ...-78fc4506-5c80-4638-8f51-44a2e28f7aaf.json | 20 +- ...-792ae0c6-8b0c-4adf-9c7f-83ebee84bb57.json | 11 +- ...-794c3cb4-1a1f-4d7e-969f-c97dfcd006c7.json | 9 +- ...-7965128c-89d6-411e-b765-c60e0cae96c6.json | 9 +- ...-797e82a0-0132-4adc-8885-c9e9d88386dd.json | 9 +- ...-79c3fe5d-585b-401a-8bb4-84bfdc7252a1.json | 19 +- ...-79ef0025-3e1c-4914-9873-19808c2a5bec.json | 11 +- ...-79f04c05-8299-4e5e-b4c1-3f82637fa47a.json | 16 +- ...-7a50961b-9be4-4042-a6a0-878b612c520e.json | 16 +- ...-7a860f1b-fd19-48aa-b0b3-fbaa3d045dac.json | 11 +- ...-7a8e1611-1a7e-45a0-b518-6efd744fce4f.json | 20 +- ...-7accde36-cb29-43c6-8c66-6486efd867a8.json | 16 +- ...-7af7d094-3a49-4e5e-99d0-385c79f95f06.json | 16 +- ...-7b1477bc-8fd0-45ce-8eaa-b3b307f18024.json | 13 +- ...-7b3fa5cb-bd70-47e0-acfb-7db99e29e70f.json | 19 +- ...-7b45e72f-5741-4942-aa28-ee7abb6f7046.json | 19 +- ...-7b611c76-0ea1-49c5-9b9a-2e504a0bbe14.json | 9 +- 
...-7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb.json | 25 ++- ...-7b8c3ae2-7e52-4f1d-ad30-788b367a7531.json | 20 +- ...-7ba30703-c3aa-425a-9482-9e9941fd7038.json | 20 +- ...-7ba4fb2e-99ff-41ff-8b07-f02e9f74e890.json | 13 +- ...-7baa3cab-c4f8-4b91-a6c3-189ad7a6416c.json | 9 +- ...-7bbbd2aa-104f-443a-907e-6e1fbcf0a73e.json | 11 +- ...-7bc6460d-b36e-41ed-baa0-82d54ec19e57.json | 9 +- ...-7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc.json | 9 +- ...-7c4a4766-cb63-4a3c-85ef-a1dba3be4a47.json | 11 +- ...-7c6207c7-d738-4a17-8380-595c86574b64.json | 20 +- ...-7c67e8eb-4967-4858-8bfe-bb68c3f30cfd.json | 32 +++ ...-7cae8c80-c603-4352-a704-f3a2f4aa4a56.json | 25 ++- ...-7d2f869d-a117-4b1f-a783-c6d3fc002562.json | 11 +- ...-7d481598-ece7-469c-b231-619a804c25e5.json | 9 +- ...-7d6bba99-ea81-42bc-b02a-e5e98b34a688.json | 9 +- ...-7db33293-6971-4c0d-88e0-18f505ebd943.json | 19 +- ...-7de1af68-d893-40a0-b27a-c9010f5cdc62.json | 9 +- ...-7ded1b79-cf7c-435d-b6ed-2c8872f9393f.json | 20 +- ...-7defdb15-65d1-40ca-a9da-5c0484892484.json | 25 ++- ...-7e00d3ac-a97a-4db0-9699-7474d81413a8.json | 21 +- ...-7e2d9773-1320-4c8f-a595-2b92bf0fd8ed.json | 9 +- ...-7e8956e3-7d90-412d-a82f-d61e43239923.json | 9 +- ...-7ec3ee9a-6710-46ed-aecb-c0f2a64739ad.json | 20 +- ...-7ee49e53-e75d-4e65-a71f-79919ebb08f4.json | 9 +- ...-7ef9f4cf-863b-4bc4-bdaf-55055263c030.json | 19 +- ...-7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e.json | 11 +- ...-7f4e1ac1-145e-4983-b735-7f70003893aa.json | 11 +- ...-7fa860d3-fa92-4953-8e79-05238b7dff99.json | 11 +- ...-7fcfc36b-bebc-481f-b9af-b65008b045ec.json | 29 ++- ...-7fe8ab9f-b207-4c39-ab5c-e929a1c949f9.json | 29 ++- ...-806a9338-be20-4eef-aa54-067633ac0e58.json | 9 +- ...-80778a1e-715d-477b-87fa-e92181b31659.json | 9 +- ...-80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9.json | 20 +- ...-80eb5ebc-ae6f-461e-8e78-a18702249343.json | 11 +- ...-812490b8-2160-47e9-9e1e-c1749b7ee86d.json | 9 +- ...-81722aad-f503-4a74-91d5-1843adf8a995.json | 11 +- ...-818b8c2b-bd23-4a83-9970-d42063608699.json | 9 +- 
...-81d4d8cf-3785-4847-9c9e-5ea27580f93a.json | 47 +++++ ...-81db3270-4cb8-4982-8ff8-c28a874e8421.json | 16 +- ...-81dbe111-0f02-49a1-9bba-42a31e6bb416.json | 9 +- ...-81e1311e-4fe1-4177-ae12-1d50037c5e4f.json | 25 ++- ...-81fb62ac-ba04-48d2-8817-52d0652f61a0.json | 16 +- ...-821db003-f7ad-4e28-b07d-2e3fc4f208a7.json | 32 +++ ...-8244700e-6f96-463a-a9c3-810c489a2c60.json | 9 +- ...-82555171-8b78-40f3-84d9-058359ae808a.json | 16 +- ...-825ffecc-090f-44c8-87be-f7b72e07f987.json | 19 +- ...-826e3bad-fa02-4fd9-b8f1-1d23f374b43d.json | 11 +- ...-828417ec-c444-41c8-95b4-c339c5ecf62b.json | 19 +- ...-82a51cc3-7a91-43b0-9147-df5983e52b41.json | 9 +- ...-82b58c75-239e-4dac-b848-bc1f3354adc4.json | 9 +- ...-82e93a9e-6968-497f-8043-a08d0f35bd32.json | 9 +- ...-82f12052-783e-40e4-8079-d9c030c310fd.json | 19 +- ...-82f51cc6-6ce4-459e-b598-7b2b77983469.json | 9 +- ...-83358774-0857-429c-9f7a-151403e52881.json | 7 +- ...-833b4c44-7370-4b27-b9b2-a058c27dcf8c.json | 9 +- ...-834c9a7e-6520-486d-ba60-c3a8b2f9eb1a.json | 9 +- ...-8375c6f6-4450-4aa5-ae26-672aecf91d1b.json | 11 +- ...-83991b5c-59b9-4fe5-9ef2-39c6ddc8b835.json | 16 +- ...-83d95d05-7545-4295-894b-f33a2ba1063b.json | 9 +- ...-841dcc87-1c22-4775-abe8-606aa6a48bf7.json | 52 +++++ ...-848581bc-bf8f-40e2-871e-cd67042b4adf.json | 13 +- ...-8499ffce-1045-4a8a-9e09-ec53d535a021.json | 7 +- ...-84dbe7c6-421b-4bfb-b022-6c585c2e50c4.json | 7 +- ...-84ece53a-eb31-4c2e-9257-a055e0a190c0.json | 15 +- ...-850e249d-c0a1-4608-9a60-bcf9c02b741c.json | 11 +- ...-8570b7ef-a84d-480e-b1ca-b15f15d12103.json | 9 +- ...-8578441b-00d2-4416-a011-380647e6ccdd.json | 11 +- ...-85c7e956-3ce5-4495-b52e-385ae2ee4f9b.json | 16 +- ...-85d9c54e-a434-4533-9755-aff1aeb9cc23.json | 32 +++ ...-85e0d8c5-b9d6-4a10-963a-aeb54eba4f02.json | 9 +- ...-8611661c-04b4-4a82-9669-2d0e26b7b3f3.json | 9 +- ...-86170d29-0e41-44d0-94b0-de7d23718302.json | 25 ++- ...-8634a732-1c5e-4931-a24f-cdcc2f81c788.json | 9 +- ...-8650e2e8-d8bd-472d-8b9b-54befbea05b8.json | 19 +- 
...-867b4929-20f2-47cd-9ab3-43a5a6ea98b5.json | 9 +- ...-86afe8cc-6d6d-4952-8fee-619e95d53a7f.json | 19 +- ...-86e3c37c-1e4a-450c-850b-c80be8156fe3.json | 20 +- ...-8726b157-3575-450f-bb7f-f17bb18e6aef.json | 19 +- ...-873b98de-d7cf-471b-9aa2-229eb03c9165.json | 20 +- ...-875dc21d-92c3-45bf-be37-faa44f4449bf.json | 9 +- ...-876fc8ee-aeae-4d4b-b4ce-541b432e5298.json | 9 +- ...-886849fc-f83c-4d69-b700-bfad0def765d.json | 9 +- ...-8870c211-820a-46a1-96fc-02f4e6eaec03.json | 20 +- ...-88de8869-2b01-4702-8518-e4e78fde44d9.json | 11 +- ...-88ded3fb-759e-4e96-946b-e7148c54856e.json | 19 +- ...-88e33687-e999-42c8-b46b-49d2adfa17d0.json | 19 +- ...-88ea5004-8bdb-4af4-a2dc-a8c56236ff03.json | 20 +- ...-891edea2-817c-4eeb-9991-b6e095c269a8.json | 9 +- ...-8936c564-b11a-4c9e-a32a-76e7d7e0c8b0.json | 20 +- ...-89565753-23c4-422d-a9ba-39f4101cd819.json | 20 +- ...-89d0de37-87ba-4aa8-832a-a2305e658a7d.json | 9 +- ...-89fcec02-8696-4c41-a7b1-8a75236a4c05.json | 15 +- ...-8a255d63-a770-4b9d-911c-bd906733ceef.json | 13 +- ...-8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724.json | 19 +- ...-8a89f675-4e43-4fe1-8bbd-8e49e07d11be.json | 11 +- ...-8a961514-3372-4c3e-b7ee-e3d053c3d5f3.json | 20 +- ...-8b27a786-b4d9-4014-a249-3725442f9f1d.json | 20 +- ...-8b2c2716-a62b-4c3a-a211-d72bb5ed29b9.json | 9 +- ...-8b3756f1-327a-4625-bde0-26b216ecb07a.json | 32 +++ ...-8b3e74ad-7cc4-4ed2-84d2-c745e6997711.json | 13 +- ...-8b5baec3-60bf-4663-bc5c-ec9ad821c785.json | 11 +- ...-8b66543e-2ea1-4ff7-84d9-f8f431f53781.json | 20 +- ...-8b8a9c44-c8a4-4f30-a3d8-a23310f6c090.json | 9 +- ...-8bc0abc2-a413-4c05-b2b8-2a92d9cc5556.json | 9 +- ...-8bc21e5d-b6bb-4c93-9419-19a12061de52.json | 9 +- ...-8bcc9da8-c390-4151-b72d-30604820673e.json | 11 +- ...-8c034c66-18ad-4b30-9f17-ed574c10918f.json | 9 +- ...-8c3296f6-3520-4d1b-8b57-bdd48a5aac91.json | 9 +- ...-8c50e9e7-e13c-4814-98d0-088d73b10005.json | 11 +- ...-8c656539-aa1e-42db-9016-d38f1daaae16.json | 13 +- ...-8c7598a6-6046-491d-99a7-52c31974a9a9.json | 9 +- 
...-8c8ce536-d9b5-4dfc-93f1-84c4f222b49e.json | 20 +- ...-8c9dbc53-27d2-420c-b698-98c23a7ead2b.json | 9 +- ...-8cb42e3d-69f4-4b0d-98c9-0bb7560947c1.json | 25 ++- ...-8d027310-93a0-4046-b7ad-d1f461f30838.json | 20 +- ...-8d3ca04e-867f-4274-bc61-f18c0282a0a9.json | 9 +- ...-8d71e646-74d1-4d62-8989-2ad4ddf7a67b.json | 9 +- ...-8d72c224-0cf5-4b9b-a98a-76ee3a406803.json | 9 +- ...-8dc4b237-e466-4a3d-9d28-896f1389996d.json | 25 +++ ...-8e67f2e0-65da-4d27-9d41-e2f9a174331b.json | 7 +- ...-8e6b9c1e-5e28-4519-95c3-6b4a836661de.json | 13 +- ...-8ea39534-6fe9-404c-94b7-0f320af95404.json | 19 +- ...-8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc.json | 20 +- ...-8ed14c81-0b30-4bfc-8552-439aa0e920c3.json | 16 +- ...-8f142643-0448-4b04-8260-8e4e62ad80bb.json | 9 +- ...-8f22a4ce-f075-4343-acb0-1d45c56e91e8.json | 29 ++- ...-8f2929a9-cd25-4e07-b402-447da68aaa56.json | 9 +- ...-8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc.json | 20 +- ...-8f4c7030-f3e2-4c7d-b5b1-dc6815055c68.json | 9 +- ...-8f52e1ab-284e-4d0c-bae1-3a8544a22f57.json | 9 +- ...-8f72a070-cfcb-4d75-ace6-b4427f3ba8d3.json | 9 +- ...-8f88d438-3150-4317-b1fe-b14f13c15ac5.json | 22 ++- ...-8fd05d96-552d-4ef9-98e3-ea70dc84f6a9.json | 25 ++- ...-8ff45341-60d6-40d3-bb38-566814a466f9.json | 9 +- ...-901492b5-b074-4631-ad6e-4178caa4164a.json | 20 +- ...-907db911-b39c-4230-b6ad-a0ba5ef6926a.json | 11 +- ...-90d4d964-efa2-46ac-adc2-759886e07158.json | 9 +- ...-90d58c65-acb9-4d7b-89b9-f4b35593c861.json | 9 +- ...-90e76d57-90b2-4d5d-8928-f6e6f5414bd4.json | 37 ++++ ...-910009da-65c0-4e6a-aeb2-386c643d1c0e.json | 9 +- ...-91831379-b0da-4019-a7bb-17e53cda9d0b.json | 20 +- ...-919a13bc-74be-4660-af63-454abee92635.json | 20 +- ...-91a4924f-2519-4662-91f2-b7ef715a459f.json | 9 +- ...-91dd9ddf-185f-496d-a20f-88c66476cfdd.json | 32 +++ ...-91de92af-fe1d-469e-8c36-1a9f4b621a27.json | 20 +- ...-91fa8232-f987-415b-8cb4-1ff3302a6c63.json | 32 +++ ...-92129d5b-7822-4e84-8a69-f96b598fba9e.json | 16 +- ...-922fa6eb-7274-477c-821e-ae6684c08934.json | 13 +- 
...-92879f0e-d1db-4407-9cc6-c1dbcc47caea.json | 21 +- ...-92c9106d-a71b-4a4f-a9d4-ef692a0294eb.json | 20 +- ...-92cc4942-453e-49af-bc04-18cb99493b73.json | 32 +++ ...-93395e61-0d3e-4ea6-9c1b-08d4a04005a0.json | 25 ++- ...-935d2296-2a9d-42dd-af8c-2d8873dd7e8f.json | 9 +- ...-935fd3e3-dd47-4c43-bdd8-1668af26395f.json | 25 ++- ...-9366529d-fba9-4ef6-b4ee-b6b41aa3b18c.json | 20 +- ...-9373912a-affa-4a3c-ad97-1b8311e228ee.json | 20 +- ...-9398bf9d-be77-4ac2-acea-893152cafd16.json | 19 +- ...-93b2474b-0ba6-469e-a4e8-d17a41d0d016.json | 9 +- ...-93b6bf37-5614-4317-8ed7-42f098152c40.json | 9 +- ...-93c16b23-305c-418d-9792-6e44525ed85a.json | 11 +- ...-93c20f43-6684-471c-910f-d9577f289677.json | 25 ++- ...-94040d2e-3f60-423c-8a93-a83b61cafe7d.json | 16 +- ...-9424ebbb-d375-4bfa-96f9-a24d00dfbd6a.json | 11 +- ...-9432fabf-9487-469c-86c9-b9d26b013c85.json | 19 +- ...-945db15a-b356-4e05-a6a0-9b24ca9aa348.json | 13 +- ...-947e2398-4565-4ae0-8cc2-fb0ef5f9c73f.json | 9 +- ...-94bf07c4-3bf0-4ecc-8043-644e59fb9ec4.json | 19 +- ...-94e111fa-81d1-4882-ae73-4d6ad6367b9f.json | 19 +- ...-950e1476-83ca-4e81-b542-c91a19b206d7.json | 20 +- ...-9557dc5c-272d-46ba-bd39-0ac2be35df19.json | 32 +++ ...-95725b00-f40e-4a3a-af2a-92156595cd37.json | 9 +- ...-95bf4e8b-f388-48a0-b236-c2077252e71e.json | 20 +- ...-95fec5e4-d48a-471f-8223-711cd32659b8.json | 19 +- ...-96298aed-9e9f-4836-b29b-04c88e79e53e.json | 19 +- ...-9634001c-575b-47aa-acd2-c3b1e900bd0b.json | 20 +- ...-96475ee5-39ed-46c5-85f6-f08462875a9e.json | 11 +- ...-96490f73-d8ef-4c6b-9a3a-3c66fc963306.json | 20 +- ...-96569099-db95-4f3c-8ded-6d9cf023e55e.json | 25 ++- ...-96ec33c8-78b6-421f-bab3-bd9d0564db31.json | 9 +- ...-97158eda-5092-4939-8b5c-1ef5ab918089.json | 20 +- ...-972f0703-f4d7-42d2-8ca2-bec175dac0bf.json | 20 +- ...-97408547-bacd-4308-a8be-556e9ff04951.json | 9 +- ...-97417113-1840-4e00-98d3-bb222e1a1f60.json | 20 +- ...-97738857-d496-4d39-9809-1921e0ad10b7.json | 20 +- ...-980430c1-6173-440e-b75e-c1cdb4c41560.json | 11 +- 
...-980c49f8-d991-4e1f-8feb-6173e3dfca1f.json | 9 +- ...-9814ecd5-911a-4776-9dc0-4a4ae0bf6a39.json | 9 +- ...-9819974c-f093-482b-8b2b-93a05ab7382e.json | 11 +- ...-98360714-5239-442f-9619-d562b4b7ce76.json | 9 +- ...-9858ae0b-140b-4dd2-8ba9-1ef22183dec3.json | 25 ++- ...-98632824-9fe4-4992-aafe-31c5eac66ec1.json | 9 +- ...-98a4a746-e7bf-494c-9ee3-584403d76d3e.json | 9 +- ...-98ae9cb2-1141-48c6-81fd-f16adb430031.json | 13 +- ...-98aee077-156a-4d11-94fe-b5b7c4945ff9.json | 11 +- ...-98b14660-79e1-4244-99c2-3dedd84eb68d.json | 20 +- ...-98dec4bf-6753-4d7a-8983-d4fd6d1d892a.json | 9 +- ...-98fb2884-c912-42ff-9c87-4fbabfa70115.json | 11 +- ...-99011840-f920-44d1-82f9-a6ff0d4f8c07.json | 13 +- ...-991ef2f2-c196-4d5d-bd29-504ea25831f4.json | 20 +- ...-9951d8c0-d210-4776-808b-421b613f244f.json | 9 +- ...-99b4be95-74f2-48f7-b4e9-8b4d88ecd31f.json | 9 +- ...-99fabe9d-0202-4d12-aa7c-34e2a15b2648.json | 32 +++ ...-9a575420-cdce-4a9f-9ea9-2ae5c469cad9.json | 9 +- ...-9a90aacf-3b03-4100-a600-5c455d4e48de.json | 32 +++ ...-9b34ae1e-027f-4b52-9a4f-1e58f6efdc25.json | 9 +- ...-9b56528f-cf04-4d81-80ee-7bacb862383a.json | 9 +- ...-9b5ec339-28f3-40b2-b5b2-450e1e303e78.json | 11 +- ...-9b8b51fb-c380-4516-b109-821f015506d4.json | 9 +- ...-9bbfa759-5555-4048-a79d-fed27a1efd93.json | 11 +- ...-9c02b7a3-df00-4191-8249-ed53d9bb954d.json | 25 +++ ...-9c284d41-21ef-4009-bb47-3ae09b08f38d.json | 19 +- ...-9c302eb1-1810-48a5-b34d-6aae303d2097.json | 19 +- ...-9c545cbb-4949-4695-8d6b-b480478d3e20.json | 11 +- ...-9c6b1915-24e2-48ac-909a-0af43053b053.json | 32 +++ ...-9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708.json | 16 +- ...-9c853c22-7607-4cbd-b114-08aaa4625c35.json | 20 +- ...-9caeaf97-ca4e-4417-8148-d9a38b141047.json | 32 +++ ...-9caf7cd5-fa15-45f0-8e1e-75917ea33af2.json | 9 +- ...-9cfc30de-3e68-4361-a213-3c37ce27b70e.json | 9 +- ...-9cfcda7d-bb82-4122-a38b-fec4f5532856.json | 9 +- ...-9d264e84-27b2-4867-82c8-55486a969d7c.json | 20 +- ...-9d2a9348-5d0a-43b0-8776-e9bbddc659c7.json | 9 +- 
...-9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de.json | 20 +- ...-9d72c60b-d5d1-4b50-a01f-3882ddb335d9.json | 9 +- ...-9dec6b2f-790a-4da9-86c9-1f4b7141c32c.json | 20 +- ...-9e3921a8-a9e1-48c4-9b61-ff190c104f63.json | 20 +- ...-9e458d77-c856-4b02-82a7-50947b232dc3.json | 20 +- ...-9e66ec3b-cdd6-461c-bd84-e75316818e15.json | 16 +- ...-9e95ef68-0650-49eb-888f-47c211481be9.json | 9 +- ...-9f83d618-a42d-4797-b9fe-030affdbd13f.json | 9 +- ...-9f9a0349-ca95-4bde-8d8d-af524ce19bc7.json | 9 +- ...-9fa03a70-ad00-4148-ae5e-8315f3e618d2.json | 9 +- ...-9fb0c414-6216-4b42-a080-cb42ef4011c5.json | 11 +- ...-9fdc5fee-2250-4894-8333-466910023533.json | 11 +- ...-a011bcc6-b5d8-4923-b533-55abec69ff2f.json | 19 +- ...-a042d55c-b31e-41c1-9cd0-66070ec9a11d.json | 20 +- ...-a0464679-71b6-4ab4-a72d-0428e4d75d5e.json | 19 +- ...-a04ae7d7-1500-49c9-bada-1a75a8670f5c.json | 25 ++- ...-a04dfb58-b7d3-4abe-9f4a-fad4f7158965.json | 20 +- ...-a09f8daa-aa02-45f1-8dac-9bea355c9415.json | 20 +- ...-a1023a75-31cc-420a-9c59-b440f7fb27e6.json | 24 +-- ...-a111958f-bb98-48c1-ad44-bf55fad232e9.json | 52 +++++ ...-a111ab3c-97f2-4b17-b291-f141e9b7613f.json | 19 +- ...-a120ac54-32fa-43ad-a826-8325823b656d.json | 11 +- ...-a153f40b-ba34-4419-9189-d61b5cd29802.json | 32 +++ ...-a1814198-1f91-41d4-a413-d55e1a66c8e9.json | 20 +- ...-a186540d-d235-48f1-8757-d0b46f13c6ce.json | 9 +- ...-a1a9db79-4a80-4e65-91bf-72e358d2ce41.json | 9 +- ...-a1c53fcf-a691-4233-a136-0a51d5a3840f.json | 13 +- ...-a1fac829-275a-409a-9060-e7bd7c63057e.json | 20 +- ...-a1ff77ee-76fd-4dd3-94aa-dbf35d971e58.json | 11 +- ...-a20493e1-4699-405d-a291-c28aae8ed737.json | 25 ++- ...-a20581b4-21fa-4ed9-b056-d139998868e8.json | 9 +- ...-a2323d47-348c-4e3c-9c25-7feb20e2e457.json | 9 +- ...-a2365c91-60f6-4249-af13-6bc2fdb80d52.json | 25 ++- ...-a25a0454-d6da-4448-a3c5-33648ee6675a.json | 11 +- ...-a25d58af-dbb3-4025-b91d-898c6adffcb3.json | 16 +- ...-a26a09cd-1718-403f-99f3-fdb127ac3599.json | 32 +++ ...-a27b771e-430b-4044-aa04-7e755f74ae2f.json | 32 +++ 
...-a2803d73-f5bf-4815-bfbf-662c372e1f5a.json | 9 +- ...-a285f343-09c3-49af-9c18-1dccf89e9009.json | 20 +- ...-a28a53e9-7a42-4f81-bced-0efbc3128cbd.json | 20 +- ...-a290a8ca-e650-456c-b33e-03343fe5ea4e.json | 16 +- ...-a299e0a6-cada-4629-a6c6-ed73dc4422aa.json | 20 +- ...-a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7.json | 17 +- ...-a32db277-593f-4fd1-bdcb-9f677b1a05e1.json | 20 +- ...-a34f3873-3df7-4e93-915c-fc2b4af3444d.json | 25 ++- ...-a394e5e5-1d98-4e08-ba29-866cf7ff9a62.json | 32 +++ ...-a3a8b2f2-f1aa-49ba-be55-a674f371f209.json | 9 +- ...-a3c4b392-2879-4f31-9431-3398e034851b.json | 19 +- ...-a3c9d5d6-acc5-46e9-9e4f-b078aeac553c.json | 25 ++- ...-a3f36e9e-e2f4-4745-a9a3-0d1231db116d.json | 20 +- ...-a427ce33-d1e1-4c38-a024-e44fc00033d3.json | 25 ++- ...-a451966b-f826-422b-9505-f564b9988a9c.json | 9 +- ...-a466f8f0-c9da-46d1-80d0-b8654e727526.json | 11 +- ...-a46c3b05-07d5-461c-b1b1-4a81912b79f8.json | 9 +- ...-a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d.json | 11 +- ...-a501b700-250f-4e9a-a20f-656ae9bf90f9.json | 20 +- ...-a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a.json | 9 +- ...-a54c8c09-c849-4146-a7cc-158887222a6d.json | 9 +- ...-a563fc97-a452-4348-a831-f4fb55c71e35.json | 11 +- ...-a585e2dd-83c9-461c-8631-25d58c6ba74e.json | 11 +- ...-a5b37f26-7629-4195-9536-12e349e5843b.json | 9 +- ...-a5b72279-f99e-4f03-8669-04322b40ee6b.json | 16 +- ...-a5dac41f-4a16-44ea-b279-b84c927ce62d.json | 9 +- ...-a5f64f9e-3ed9-442b-a244-9857b926d93b.json | 9 +- ...-a609b20b-6955-4c59-84d4-a3496d95fba1.json | 11 +- ...-a617fa0d-0dfc-432a-95f5-94ee4ae63860.json | 11 +- ...-a63bafb6-6647-410f-8673-a53ef2dee5e2.json | 9 +- ...-a67c5611-00bc-4e1a-a1be-2512a2bcf072.json | 20 +- ...-a68b17af-5277-4722-9a2d-0924f07ca421.json | 11 +- ...-a6bb6c55-3b33-4cd4-981b-055551edc4c2.json | 9 +- ...-a7336f2c-8f89-4d54-ac2b-77743afb2943.json | 20 +- ...-a76d731b-484c-442a-b1a3-255d8398aefd.json | 16 +- ...-a772d1fc-e2d1-4553-b93f-12412cdc8360.json | 9 +- ...-a7b276ac-6f07-4d1f-8d24-dc5682acf62d.json | 9 +- 
...-a7cc0168-247d-4a6d-b6f4-d5a04f99216c.json | 16 +- ...-a8079e6a-ef87-4e3b-9f71-cf1ea2360892.json | 9 +- ...-a808c887-b2b8-4b05-9cab-47c918e48d48.json | 20 +- ...-a81431c4-ac34-4b63-9647-eb7c8e529e03.json | 9 +- ...-a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7.json | 20 +- ...-a8565c17-7054-4d3f-bca5-6e17dc931491.json | 11 +- ...-a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5.json | 20 +- ...-a8ac5084-5631-4670-8ac6-6fbe7bdb0a84.json | 20 +- ...-a8bf6bbd-88f0-4725-ba4f-3b9317dca388.json | 19 +- ...-a8c21a71-f3e9-43e9-9212-faf9181e70ce.json | 19 +- ...-a8dd6ed7-910d-4bae-a2a8-19f3f32c915c.json | 20 +- ...-a92a805e-d5f5-4e94-8592-c253e03e4476.json | 25 ++- ...-a93ee044-bd5d-48f3-972e-0abab780c35c.json | 9 +- ...-a95fe853-d1d1-47dc-a776-b905daacfe32.json | 9 +- ...-a9689f2c-ad8f-4861-8cad-d78e07fd1530.json | 20 +- ...-a98c127b-8da9-4ea5-980e-d154ea541ec9.json | 9 +- ...-a9e97a14-ea3c-47b1-a865-0a1edea9c81c.json | 20 +- ...-aa1deed1-800c-470b-ac88-eb8013c11ec0.json | 29 ++- ...-aa40d01f-0741-4bf2-bacd-75e1f3a77af0.json | 19 +- ...-aa468fe9-e580-41da-a888-100a799e8c6b.json | 9 +- ...-aa490344-f7e0-4e5a-abb1-af9209f15ce4.json | 32 +++ ...-aa5877fd-ef7d-435e-86af-c427f086b3c5.json | 25 ++- ...-aa628e44-ff05-4ac9-bb0b-11c22384a443.json | 25 ++- ...-aa65aa77-ce74-49fd-8295-c5b7395a703c.json | 52 +++++ ...-aa8e45c2-4276-451b-b1eb-59c396bf720a.json | 16 +- ...-aad084c4-97ea-4f4b-8d96-d18f57534e01.json | 37 ++++ ...-aaf55dd1-33df-4f02-8025-eaae01f30b33.json | 9 +- ...-ab18ee61-f94a-411c-9893-941714ce713e.json | 9 +- ...-ab67b233-2c3d-4ac2-a3f0-13b6484ea920.json | 19 +- ...-ab7cd212-7faa-46a8-9666-92a67ae7a6b0.json | 21 +- ...-abd2e863-4bd3-4686-b2aa-f8a097a41c99.json | 25 ++- ...-abf03652-acd0-4361-8a66-f7e70e8e4376.json | 9 +- ...-abf3b5c8-9ee5-42ff-ba94-2b3a15317783.json | 9 +- ...-ac31f650-4bd2-4bb6-b450-71e66db4888f.json | 19 +- ...-ac415e32-e204-4382-b500-2370cec7a608.json | 11 +- ...-ac53e382-a140-4bbf-a59d-db3fe21acfaa.json | 16 +- ...-ad0c873b-9e45-44e0-adaf-529921ee7a77.json | 24 +-- 
...-ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c.json | 22 ++- ...-ad723fb0-7439-407e-9bf5-1cb3fd7df8aa.json | 11 +- ...-ad76b0ad-fa76-4d56-8a6e-8818bbc6509e.json | 19 +- ...-ada67532-039d-4b4f-93ab-82ceba13ec56.json | 11 +- ...-adbacfe1-1d78-4652-b32c-4d31a0c33ef3.json | 32 +++ ...-adc9957c-fa57-4e81-9231-b60f01b69859.json | 20 +- ...-ade5c0c5-8b53-4bc5-9d81-0284be2e5fee.json | 11 +- ...-ae5c93a8-fee8-42dc-b3cb-c6864481f025.json | 11 +- ...-ae8619a9-9142-4f0f-8778-09756341b472.json | 11 +- ...-aeb2d1a0-2180-4032-a395-7573dbd392f4.json | 11 +- ...-aeeadd6b-30d3-4b4f-ac61-fd0bc367b415.json | 19 +- ...-af06eaaa-161e-4913-8668-49bdd25b2eff.json | 11 +- ...-af55d12a-5f58-4135-90d0-f465a66f7a3f.json | 20 +- ...-afba6b19-7486-4e5a-8fda-e91852b0b354.json | 16 +- ...-afc0e8b2-2e85-4640-8517-fb2e16831082.json | 9 +- ...-afc0f502-39bb-41e3-b4fc-5b5bb1a1175b.json | 16 +- ...-afe9e326-01f7-4296-a11b-09cfffd80120.json | 20 +- ...-b018fe06-740b-4864-b30a-f047598506b3.json | 20 +- ...-b01f11f2-064b-4210-a8f2-f5c6360f64e4.json | 9 +- ...-b05668b9-aa06-4191-a4fa-f7e5a7804694.json | 20 +- ...-b0625604-e4c4-402b-b191-f43137d38d99.json | 9 +- ...-b0bade50-bcca-4924-9746-c4ed0c3be76c.json | 11 +- ...-b0d0541d-caeb-43c0-906c-2e1e2ec25f69.json | 9 +- ...-b0f009b5-cf5e-4333-a969-03adbe4de3ee.json | 37 ++++ ...-b0fe69e0-d08f-488d-b1cf-3f0dbb28accc.json | 9 +- ...-b110d919-acd4-4fe0-a46a-ac4819508667.json | 9 +- ...-b162dc6b-6b4e-4bba-928a-00a423b112b3.json | 11 +- ...-b19082d2-c151-45dd-8844-82335fbe3ed9.json | 11 +- ...-b1e5bd2f-01e4-402d-a9b6-255110510a83.json | 20 +- ...-b2277deb-0ddb-45a7-9690-4a2168e1026b.json | 7 +- ...-b22addc1-6a23-4657-8164-3705e12bb95b.json | 11 +- ...-b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5.json | 11 +- ...-b24553a7-01c7-49b2-b1e0-fb961e788de2.json | 20 +- ...-b247a4f6-3629-4123-84b0-c7c5b3e7e37e.json | 25 ++- ...-b263e4e9-972d-4ba7-8be8-e55eb6a483c0.json | 25 ++- ...-b2896068-4d54-41e1-b0f2-db9385615112.json | 20 +- ...-b309c25a-6baf-4874-829d-63712a38652c.json | 9 +- 
...-b30fa851-75cf-46ac-aa1b-cfa8b7f36545.json | 9 +- ...-b336b44d-1810-4672-8e51-a63e91681907.json | 42 ++++ ...-b356d405-f6b1-485b-bd35-236b9da766d2.json | 20 +- ...-b360a1c8-8939-428e-bc6e-3f4755bd9ee0.json | 9 +- ...-b37ebb4e-0536-4de0-8e00-7b3d942a02b7.json | 9 +- ...-b3866c07-e143-4d0d-9176-c2845f85c5ab.json | 11 +- ...-b3a14001-e0c0-4f13-ac03-04e56dc0e312.json | 7 +- ...-b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b.json | 16 +- ...-b402664b-a5b4-45e4-832f-02638e6c67a7.json | 19 +- ...-b40e34ad-b699-4196-aa07-5bd71fe8f213.json | 25 ++- ...-b4180067-52b6-4109-91df-52fd9a7ed2e8.json | 9 +- ...-b43c87a7-de40-4673-9808-57c7ffca7b98.json | 11 +- ...-b43f4cef-138e-4b5d-8e68-e8eeae3591be.json | 9 +- ...-b45cf5e0-7427-4d5c-be2c-22f5231493d1.json | 20 +- ...-b4735277-516a-4cd2-9607-a3e415945d93.json | 20 +- ...-b477afcb-7449-4fae-b4aa-c512c22d7500.json | 20 +- ...-b49ecb71-92b3-4813-be4d-9f8c2aa67ccd.json | 9 +- ...-b4ef35e9-3dba-49c7-8842-a7dff403241f.json | 20 +- ...-b536f233-8c43-4671-b8e8-d72a4806946d.json | 19 +- ...-b53d1c92-b71f-434e-aa4f-08b8db765248.json | 16 +- ...-b5590b50-0aaa-4f43-9b29-f17ee717b551.json | 20 +- ...-b5e8cef4-e8a1-484f-baae-cf12b26e6070.json | 25 ++- ...-b5f3b110-fc66-4369-89f3-621c945d655f.json | 20 +- ...-b610c587-576a-40cc-9f76-6362455c8ff4.json | 9 +- ...-b6323cf4-8141-4910-8743-e42cd15b49e9.json | 11 +- ...-b641e5b8-5981-452a-99f0-3598c783e5ee.json | 9 +- ...-b6726136-3c20-4921-a0cb-75a66f59107c.json | 20 +- ...-b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab.json | 16 +- ...-b697a198-8949-43e0-b2b8-23498373c920.json | 9 +- ...-b6feb018-65e3-46ff-b872-e4385b6f3b34.json | 9 +- ...-b7282bf9-63f8-49ad-8ee0-f2ad523a367e.json | 16 +- ...-b7652f27-1cf6-4310-bf6b-5fb99c4fd725.json | 16 +- ...-b7a31a11-6c84-4c28-a548-4751e4d71134.json | 25 ++- ...-b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10.json | 11 +- ...-b7cf1c31-8722-4eeb-ae59-66936c15fa87.json | 20 +- ...-b81a284d-34ec-4e61-a073-bf6cd85e4c3f.json | 9 +- ...-b81ba10a-73c2-4616-a8bc-eeb422e1c5ea.json | 25 ++- 
...-b81f9698-b9d1-4a6a-b836-f7e29232693a.json | 11 +- ...-b8606318-8c12-4381-ba33-5b2321772ea0.json | 19 +- ...-b8879a8a-84ff-4625-b487-7922d8a1b6a6.json | 32 +++ ...-b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad.json | 25 +++ ...-b96e8699-4bd2-4793-8f9c-88d6e4c50e98.json | 11 +- ...-b98fa6ef-a5f2-4867-8108-8daf8534cc3c.json | 19 +- ...-b9af8369-a6b2-4081-9f07-2ee15d56bffc.json | 20 +- ...-b9b9ce86-89f6-41ea-8ba1-9520985acb49.json | 20 +- ...-ba02a1dc-d5b9-41cb-9adf-883119e1aa51.json | 9 +- ...-ba116807-ef1c-4621-84c8-9921fa7b735e.json | 11 +- ...-ba5fc090-d420-4006-9dc0-57b75260b5f6.json | 20 +- ...-ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae.json | 20 +- ...-baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d.json | 20 +- ...-baad8ab8-f05f-4e31-9671-44c009ae3ecf.json | 11 +- ...-bb006be2-7d2c-4bb3-ab48-7c95e0ab8106.json | 20 +- ...-bb11b7d1-e661-49af-9746-9fa4c56324bf.json | 9 +- ...-bb34aff0-9af9-463b-a1aa-7f5ec7b84630.json | 25 ++- ...-bb3bd38c-0b82-4c58-8e25-2fbab235a551.json | 32 +++ ...-bb3be217-08e2-4bb0-9f1a-d8e538010451.json | 16 +- ...-bb77cfbe-ac95-4cc2-acbc-8cefa15b9387.json | 9 +- ...-bb83ee25-8875-4806-9f69-ac39bf7cb402.json | 9 +- ...-bba8b056-acbe-4fed-b890-965a446d7a3c.json | 19 +- ...-bbc6308e-f7f6-40c7-80cb-f760d623c8af.json | 9 +- ...-bbd619c8-bd9a-4107-a60f-7a3a9f953735.json | 9 +- ...-bbe1af69-7303-4205-82d8-5b03c43e39c1.json | 20 +- ...-bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005.json | 25 ++- ...-bc0d86de-0642-4cbf-a785-7ff70507a9a2.json | 9 +- ...-bc4e848a-adb7-40a2-94a1-d5ab9854ff0f.json | 16 +- ...-bc59883f-672e-4dc8-a7de-f713a26f88e1.json | 11 +- ...-bc79a212-139f-4dce-be72-e90585f38f03.json | 9 +- ...-bc79d59b-1828-4133-9f8f-df8cad9543a8.json | 9 +- ...-bc870a55-5499-4146-91ef-ea74647c3e10.json | 11 +- ...-bcc8eb7a-d2a8-41d2-832e-f435e51c685a.json | 19 +- ...-bce64ec2-43d5-4501-a0aa-0abe65551a19.json | 20 +- ...-bd1e016a-1ebb-4f30-9342-998f656dd8b8.json | 9 +- ...-bd29ce15-1771-470c-a74b-5ea90832ce23.json | 9 +- ...-bd351b17-e995-4528-bbea-e1138c51476a.json | 20 +- 
...-bd6829ee-dc51-477b-9739-1cd1cd304b6c.json | 9 +- ...-bd889077-d4bd-4475-8e1f-6f507a7bedb9.json | 19 +- ...-bd952153-4902-4fc4-8e2e-b7c7b8bad7f1.json | 13 +- ...-bd99b570-5966-4337-8ab4-2d6f4afd0f7f.json | 20 +- ...-bdb29822-63c5-4dd0-961b-cdf3f2482adf.json | 9 +- ...-bdc59dcf-0e0a-4d47-b289-0c298115215f.json | 11 +- ...-be07d829-9a12-4d90-ad8c-9e56782af120.json | 11 +- ...-be136fd1-6949-4de6-be37-6d76f8def41a.json | 20 +- ...-be17dc63-5b0a-491a-be5f-132058444c3a.json | 16 +- ...-be256f8a-8bae-4a00-8682-22797ba7e0ce.json | 20 +- ...-be27a303-5748-4b72-ba69-a328e2f6cc08.json | 20 +- ...-be39c012-7201-4757-8cd6-c855bc945a9e.json | 16 +- ...-be526f3a-480f-4ede-b772-2b29b8a3ca2b.json | 9 +- ...-be7c3f83-b164-4d53-bfac-65f7437dabec.json | 9 +- ...-be8d0cd6-be77-456e-bcfb-6325cb8ba137.json | 11 +- ...-bed52256-e5d2-4f15-8c4c-27f709e10c6c.json | 20 +- ...-bee6407a-1f05-4f91-b6e7-a8f8b58fa421.json | 16 +- ...-bee919a6-c488-49a0-9848-fff19aa2c276.json | 16 +- ...-bef936d5-736e-491a-9c30-37b8362a5d96.json | 11 +- ...-befa3b5a-e4f4-4ed3-ada1-860a034284d2.json | 11 +- ...-bf02dea9-17cb-41f8-b362-c3081da81199.json | 32 +++ ...-bf19207a-ac71-436d-8ef4-4ab059b533c8.json | 9 +- ...-bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1.json | 16 +- ...-bf33711d-a4d2-4957-9b1f-49c5b83958db.json | 20 +- ...-bf901bab-3caa-4d05-a859-d9fb4d838304.json | 20 +- ...-bfad064a-0a49-44e3-b283-94653edc12af.json | 11 +- ...-bfd0d9cb-27e2-42a2-9207-764bb1491962.json | 19 +- ...-bff3f22c-660d-4ceb-b1bb-dbd064d363c0.json | 9 +- ...-c00031dd-0466-4fd2-9724-ab1c04232bad.json | 9 +- ...-c021d9b9-3850-425d-b3d2-6b7bd7e62b95.json | 16 +- ...-c052da1e-4a1e-48bb-9b8d-b68839d4347e.json | 47 +++++ ...-c056b1d4-c70b-403e-b396-18840865ca7d.json | 11 +- ...-c0f03d23-03d6-4457-b783-792d1b8f2994.json | 11 +- ...-c1453cd9-44bb-4dd2-bdbd-eb06a239d38c.json | 19 +- ...-c14efc74-8a5c-4a2d-b9ba-a231738c90dd.json | 25 ++- ...-c1512591-7440-4a69-93b9-fe439a4c197e.json | 19 +- ...-c16c7904-3c85-49de-a0f4-872f4227d775.json | 7 +- 
...-c186864b-0af9-42eb-92ba-b8a6952e89b6.json | 11 +- ...-c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6.json | 11 +- ...-c1cafa91-9891-4e65-b75d-d83ef6838653.json | 11 +- ...-c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd.json | 9 +- ...-c23d9eff-1d4e-479f-a114-acc535540a23.json | 9 +- ...-c2536a3c-bb84-42b7-8ac6-05f26205a4ad.json | 25 ++- ...-c264d954-8b5f-4be1-acf0-6387b7f04fae.json | 20 +- ...-c32cbb0c-b5d7-44ad-94aa-43e2fbade91d.json | 11 +- ...-c33b7dfb-82ad-4a7c-a84c-6e7e9849253b.json | 11 +- ...-c340b30d-0ad5-4e90-94ce-b6a6b229a7c4.json | 9 +- ...-c3439bdd-a0db-401b-97fd-5e2ec135a396.json | 9 +- ...-c368c932-7d5a-40e3-a18b-f30e82b9e4e6.json | 20 +- ...-c374c9ce-ff30-4daa-bdec-8015a507746a.json | 20 +- ...-c393fe8f-5708-40eb-ada9-6ca0d9b16c7d.json | 9 +- ...-c3c0ff44-71bb-4774-a850-7b7c9dccb619.json | 9 +- ...-c3c2bf20-fa33-4af4-92ec-d60679e1d4ee.json | 21 +- ...-c40cba48-7714-4d03-b748-cadd03360e7a.json | 11 +- ...-c41d817e-913e-4574-b8d4-370de9f0034b.json | 9 +- ...-c43341e3-6fb9-46f1-8ea3-8daede1a4c77.json | 19 +- ...-c438b973-c2f3-43fc-8312-2a5bbde4facb.json | 9 +- ...-c49bae52-63b4-4e5e-adfd-65a0e852ed76.json | 9 +- ...-c49cdcb7-3cb8-40ed-a745-0cebad20b1fd.json | 20 +- ...-c4d71eb8-2099-44b9-be45-758f9e6a771a.json | 7 +- ...-c4e73a6c-d523-4f3c-bcb6-200f63867fb4.json | 20 +- ...-c50b4da7-f0e1-4f6d-969c-dbc739d49d7c.json | 9 +- ...-c53170a0-ca7f-4827-9c3c-1803ecd131f9.json | 21 +- ...-c546dd04-2060-44bf-ba1e-d1c1edc54687.json | 7 +- ...-c574251b-93ad-4f55-8b84-2700dfab4622.json | 9 +- ...-c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c.json | 20 +- ...-c5cb9fb4-2593-412f-82f8-a04a125bd429.json | 19 +- ...-c5db5bb5-9877-43cd-8851-5aa62405dcb2.json | 20 +- ...-c61c16a9-8d1a-4329-b784-ba71f8421b33.json | 9 +- ...-c6241ba3-e0f9-48a7-9ed7-a5544a090081.json | 20 +- ...-c6464a84-e23b-412f-b435-5b23853d3643.json | 25 ++- ...-c65661a6-6047-4901-ac2c-3ca4b1bbbb28.json | 9 +- ...-c659256c-82e3-4f4c-ac70-3d2400cf6695.json | 20 +- ...-c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c.json | 32 +++ 
...-c6770405-985b-4e24-8b09-01bce16426da.json | 11 +- ...-c6a32f64-3105-4a94-8172-28ac0e10dd93.json | 9 +- ...-c6adc765-20b4-48ef-ad5a-27fbd26c63c8.json | 19 +- ...-c720fd30-5694-42b7-bf77-d948f7ba2b6f.json | 9 +- ...-c75f3a08-b58f-4681-8ef0-75fa634503b9.json | 11 +- ...-c773998e-a140-4498-827a-573df96e4331.json | 57 ++++++ ...-c778593c-1583-48cc-a99d-0ac1b5b537e2.json | 9 +- ...-c78a3e66-b7aa-4feb-bc18-b8af77f27a47.json | 9 +- ...-c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c.json | 11 +- ...-c7f876d4-99f2-41ac-993c-57a3f2b4e0eb.json | 9 +- ...-c81757a7-16b1-4b48-ae52-3d375f533dfd.json | 19 +- ...-c83c84e8-a556-4efe-ae24-75970ee8ad4b.json | 25 ++- ...-c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json | 20 +- ...-c86918a3-6e41-4dfb-8b18-650fff596801.json | 20 +- ...-c877df57-0b8b-4286-aebb-6cca709638f3.json | 32 +++ ...-c89d6493-3f33-4568-ac77-ba13b206ae69.json | 9 +- ...-c89f8f8d-222b-4b83-9fa4-47fd716a271f.json | 9 +- ...-c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee.json | 11 +- ...-c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059.json | 11 +- ...-c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9.json | 19 +- ...-c943d462-fea7-4c01-88b2-de134153095b.json | 9 +- ...-c96c3405-1d9b-46e4-8f57-a6c49eb68a31.json | 19 +- ...-c9769c36-d89b-40eb-92cb-8faa7d37a140.json | 11 +- ...-c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b.json | 32 +-- ...-c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2.json | 9 +- ...-ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1.json | 11 +- ...-ca0d9894-0c37-4a34-9b24-1887b7cd1106.json | 9 +- ...-ca486783-9413-4f39-8d2f-3adcb3e79127.json | 20 +- ...-ca4eb452-4a2f-41d7-a015-81f43e96737e.json | 20 +- ...-ca568149-9971-4d15-b3db-ff7dabd49695.json | 11 +- ...-ca8c38e6-8343-4f5e-929d-2759a0d49d59.json | 25 ++- ...-ca9e5e50-49e9-44cc-a0a4-4ec8633a9506.json | 20 +- ...-cacc0b72-9d73-4381-90e9-545ba908722c.json | 20 +- ...-cb5465c0-a577-45b1-becf-305e0bd47497.json | 11 +- ...-cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f.json | 11 +- ...-cb80178a-5f9c-41bd-95a2-a7c5fe23c12c.json | 19 +- ...-cbb07bef-f1da-41f6-b786-4a255e8bf985.json | 11 +- 
...-cbb48fa1-0677-4a07-bdbf-eda1827e52f1.json | 9 +- ...-cbf17fea-141e-44b8-831c-b3cc41066420.json | 20 +- ...-cc0b8984-f561-4453-a2be-9be8bd62561e.json | 11 +- ...-cc345ae4-0d60-4f21-98b3-596c15118745.json | 9 +- ...-cc3cf438-7206-46df-a4a4-999472ea6a9a.json | 9 +- ...-cc3e1864-0b7b-4ca1-b123-d9c7553f3398.json | 11 +- ...-cc49561f-8364-4908-9111-ad3a6dcd922c.json | 16 +- ...-cc4ae06f-0258-4fe9-b63a-334d283e766d.json | 20 +- ...-cc81b56c-cf73-4307-b950-e80246985195.json | 21 +- ...-ccb6f906-a785-4695-91a5-f1bc210892dc.json | 11 +- ...-cce1848e-5f32-429a-8c9d-e32367052675.json | 9 +- ...-cce49043-52b0-407c-b4f0-0f4727351d4b.json | 9 +- ...-cce5d90f-edff-454d-bafa-caf33b71ed6c.json | 20 +- ...-cce82a76-5390-473d-9e7c-9450d1509d1d.json | 20 +- ...-ccfffa97-17fd-4826-9a16-c9d8174fb8ac.json | 20 +- ...-cd0f76da-ea06-4710-ab1d-53a7e29a6328.json | 19 +- ...-cd1ad516-d953-40cb-b0d5-b384ceb410f2.json | 37 ++++ ...-cd440baa-9989-486e-b34b-d9469ffc79a5.json | 37 ++++ ...-cd503879-ccb4-4d47-af5a-90fe7e37c438.json | 9 +- ...-cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3.json | 20 +- ...-cd7a2294-1e14-42e8-b870-d99d73443b88.json | 19 +- ...-cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3.json | 32 +++ ...-cd8c383a-2a62-45e5-917f-a26efe5ba03c.json | 9 +- ...-cd9e8334-2ff6-4f64-993f-4e11a68ef7ca.json | 9 +- ...-cda58372-ae70-4716-8baf-cc06cb884ad6.json | 20 +- ...-cdb9788e-7d16-482e-92b6-cbde0b3de357.json | 20 +- ...-cde60121-3d7c-47c8-abeb-582854425599.json | 20 +- ...-cdf06664-903e-499b-86b4-b7bcce3c0740.json | 11 +- ...-ce26f077-c47a-4185-8ed7-ec0d9ae2b625.json | 19 +- ...-ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef.json | 25 ++- ...-ce5f506a-8fc9-40a2-a78e-96796c896f1b.json | 9 +- ...-ce645a25-160f-443d-b288-fdd108b78a06.json | 9 +- ...-ce6c7f21-91a5-4d63-bd03-a6b57e025afe.json | 21 +- ...-ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd.json | 20 +- ...-cea30219-a255-43ae-b731-9512c5044523.json | 19 +- ...-ced70cea-b2ac-45b8-9f7d-779eedbdf06c.json | 20 +- ...-cf26d49c-1d1b-4861-9d6e-959f4f15b73a.json | 20 +- 
...-cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c.json | 11 +- ...-cf4243f5-562a-457f-bb15-d45a2047f7ca.json | 13 +- ...-cf4fe189-58cf-42aa-89c7-75bd0a83a263.json | 9 +- ...-cf696296-751a-41e5-a9b0-907c7b991b2a.json | 11 +- ...-cf80894a-07e5-4c45-83a6-ed1eed81d2d8.json | 11 +- ...-cf879fe8-9c31-48de-9e49-668d6cda67c5.json | 11 +- ...-cfa1d194-7401-46ba-bfed-5f311aeb22d3.json | 9 +- ...-d01b311d-8741-4b58-b127-88fecb2b0544.json | 9 +- ...-d056308f-dca7-493e-b152-6f77fa13155d.json | 11 +- ...-d0669f8d-0aa2-416f-9ec4-a991a2000d3e.json | 11 +- ...-d09a4d42-45bd-4b2a-aef4-3aa3982115ad.json | 19 +- ...-d09abcd8-49bf-4d0f-8b17-0db7ada10ec2.json | 20 +- ...-d0c039cb-c815-4d9c-a100-a45f923bc65b.json | 20 +- ...-d0c21324-62e3-46e5-823b-ea0c03a4885d.json | 20 +- ...-d1318f71-7f70-4820-a3fc-0d05af038733.json | 25 ++- ...-d13724d0-a5e2-433b-86bf-ead04359edec.json | 33 ++-- ...-d170a088-b115-4a86-b093-8aa32666a470.json | 9 +- ...-d1e11627-23e4-40f3-bcbc-2b832b0bbaa3.json | 11 +- ...-d22be48b-90fa-4dba-ab6f-f3ad5e08c03e.json | 11 +- ...-d22d309b-ab00-4f17-b6bf-7706f499cc5e.json | 22 ++- ...-d22f2c45-d6fa-419a-8f25-65ea37529ccc.json | 9 +- ...-d2304825-cd71-4d74-ab9c-0f4ad510cad3.json | 32 +++ ...-d2749285-47d9-44a4-962f-9215e6fb580e.json | 9 +- ...-d2d7476e-66a4-4d46-877c-6e80678bbb38.json | 19 +- ...-d300eb82-5ca0-48aa-a45f-d34242545e27.json | 19 +- ...-d32003ba-959b-4377-aa04-f75275c32abf.json | 9 +- ...-d358ac0b-4c67-44e3-939b-24cd36d3c3fb.json | 9 +- ...-d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c.json | 7 +- ...-d3b4f74a-5183-405b-b64b-b79e1c4bd6fc.json | 11 +- ...-d3d901d7-1ddd-476c-af65-15a1affc422f.json | 15 +- ...-d3e06522-2a30-4d56-801e-9461178b80ce.json | 9 +- ...-d3e52467-d090-4ebd-b9b1-3022cc6d5df0.json | 9 +- ...-d3e6bc20-1f9c-41b6-89f0-ef95689add86.json | 9 +- ...-d4154247-90ce-43b9-8c17-5c28f67617f5.json | 20 +- ...-d447a927-c8a1-4123-bdac-ff9ab36f49be.json | 11 +- ...-d44b097a-1bba-40bd-8ec8-d717a3f3df0c.json | 11 +- ...-d499cfc8-d5f8-4e05-ad82-a18d2823c558.json | 32 +++ 
...-d4a5a902-231e-4878-ad5b-39620498b018.json | 20 +- ...-d53a8ff0-7252-477e-8767-fd485dd62e7c.json | 20 +- ...-d54bdaff-8eb8-4a02-9f64-bc33c892e9d1.json | 16 +- ...-d54d3475-19ee-4ac5-98b0-ec1ae9336dfb.json | 9 +- ...-d5533ca1-d57e-4bbf-bf0c-d114e4b79078.json | 11 +- ...-d562ed4d-ac4d-476b-872e-9e228c580889.json | 20 +- ...-d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a.json | 20 +- ...-d59da983-c521-47b6-83ab-435f7d58611d.json | 9 +- ...-d621eba9-676f-47a4-8358-d68eeff2fb9a.json | 11 +- ...-d638565b-ca8e-459f-9c3b-1bd8828606f5.json | 20 +- ...-d63de13b-0253-42f4-b13d-34bccf76ad94.json | 9 +- ...-d63f27cf-95a3-42bb-86dd-dc18e22cb898.json | 9 +- ...-d64c4924-76f0-4b2e-858d-b0df733334d0.json | 9 +- ...-d663cb6f-9fc8-48a0-827f-29757b12ae71.json | 19 +- ...-d66a3e5f-700e-40d0-b16a-bbb3306256c7.json | 9 +- ...-d6be8665-afbb-4be5-a56a-493af01b120a.json | 19 +- ...-d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4.json | 20 +- ...-d6f78e9b-94d1-4d59-b00e-89fad2261c55.json | 20 +- ...-d7007bf2-fcd6-4327-9ffb-bdee5bdeb383.json | 19 +- ...-d700c625-d0b6-4570-a538-0ba57bd7bda5.json | 9 +- ...-d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json | 20 +- ...-d716163d-2492-4088-9235-b2310312ba27.json | 19 +- ...-d71fab20-a56c-4404-a65d-aaa37056f16e.json | 25 ++- ...-d724bcf3-25d2-406a-b612-333fea5e2385.json | 25 ++- ...-d76d838b-bbc7-459a-884a-2da8c36a2ba2.json | 19 +- ...-d7aa436a-e66d-4217-be66-4414703dec07.json | 20 +- ...-d7ae7fb1-c363-4969-a4af-e2dd44a3c064.json | 9 +- ...-d7ca70d4-2006-4252-b243-e52be760e24d.json | 19 +- ...-d7d78682-c9ad-4880-ae6e-3fc79f3737f1.json | 9 +- ...-d8001cd5-3e71-44af-ae85-26f5f56e5cb8.json | 32 +++ ...-d84604bc-2314-4340-b9c1-b1265c0f6c37.json | 16 +- ...-d87b468e-f610-4e95-8dfb-8cf029f0e891.json | 16 +- ...-d87b9e3a-9e6b-404d-8fc1-22262ff31157.json | 11 +- ...-d886f368-a38b-4cb3-906f-9b284f58b369.json | 20 +- ...-d8ca4ea5-5242-4f0f-b3b7-008673f561ab.json | 20 +- ...-d8d773ab-b0e3-484b-bdb8-c1a1ab48d218.json | 20 +- ...-d933bba1-61ab-4fea-b7db-7e2a4f4146e7.json | 20 +- 
...-d956ffe6-9847-45f6-8ebe-479e93aa68d9.json | 11 +- ...-d995dfff-e4b2-4e07-8e76-b064354f591a.json | 19 +- ...-d9aab2e1-31e0-45b2-a40b-0cbe60677b4b.json | 9 +- ...-d9c63320-5855-42dc-8cd5-595755495259.json | 32 +++ ...-da424f3f-8a93-4a66-858c-b33f587108e6.json | 20 +- ...-da4296d7-5fdb-45b6-9791-b023d634c08d.json | 20 +- ...-da55ec01-daf2-4fac-ba0b-243f759b73aa.json | 11 +- ...-dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852.json | 11 +- ...-db1201f0-f925-4c3c-8673-7524a8c20886.json | 20 +- ...-db34a2c8-01e0-4cd3-a497-0f4bca36812a.json | 9 +- ...-db3fc82d-d353-438d-aa5e-9b5e7e60f0ac.json | 16 +- ...-dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff.json | 11 +- ...-dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce.json | 11 +- ...-dbef53a9-f9c4-4582-8e93-349ad488de12.json | 9 +- ...-dbeff88d-441f-47f9-8afc-60400ee3ab97.json | 11 +- ...-dc354395-cccf-471a-9335-8538ce20f1ec.json | 11 +- ...-dc6514a0-2e9c-4f29-8c15-99e6d382e357.json | 9 +- ...-dc70704a-54b3-4000-8c55-4919044de5c0.json | 15 +- ...-dc7ef843-a073-4e23-b717-c505d4863b02.json | 9 +- ...-dcae3b7c-27d2-4377-9dc6-59dae15ac962.json | 9 +- ...-dcf01e96-1498-4ebf-b46f-d4f4eb796f23.json | 11 +- ...-dd54e35c-d68b-4aa8-ad2a-acd4c76243c8.json | 9 +- ...-ddb5ba6d-0549-44bd-a669-972bd48e927b.json | 25 ++- ...-ddca1254-b404-4850-9566-0be35c6d7564.json | 9 +- ...-ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json | 19 +- ...-de45db46-2251-4a29-b4d7-3fcf679e9484.json | 9 +- ...-de4ecfa3-fa91-4377-810c-5c567de9688b.json | 9 +- ...-de69fd86-aaef-4a1e-99e9-ee32c71997d6.json | 19 +- ...-de7e3a71-1152-481c-8e5c-88f53852cab6.json | 19 +- ...-dea15947-3a93-4ef6-94c4-ddd8b5bf4db5.json | 52 +++++ ...-def81edd-4410-47b2-a80f-d47b3f353f54.json | 9 +- ...-df036f55-f749-4dad-9473-d69535e0f98d.json | 25 ++- ...-df07166f-917e-4bc4-899e-d689d1d3f785.json | 7 +- ...-df337ad4-c88e-425f-b869-ecac29674bf4.json | 20 +- ...-dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a.json | 11 +- ...-dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b.json | 20 +- ...-dff2d0a7-7579-4091-9bf8-df682bc6506b.json | 11 +- 
...-dff37d8a-b7ca-409b-b4eb-581ca3a74bb5.json | 9 +- ...-e0121f6c-0312-4fff-9d6c-0a8aea945bea.json | 9 +- ...-e012da15-7669-4764-ad9d-8a1d817bcca9.json | 9 +- ...-e03b0eb5-32c6-4867-9235-77fe32192983.json | 20 +- ...-e03b25b0-0779-48da-b5d7-28f1f6106363.json | 20 +- ...-e05b61a4-ba8a-4aa5-813b-ad76de5945a8.json | 16 +- ...-e0c3afc8-4b23-45fc-89cf-2cafbb51291e.json | 11 +- ...-e0ebf0cd-9244-4cef-9171-128a12b87b58.json | 9 +- ...-e0f58ab7-b246-4c41-9afc-89b582590809.json | 20 +- ...-e135cefa-f019-479d-86eb-438972df73e0.json | 9 +- ...-e14db7d0-4053-4e0a-8b43-b950133e6e36.json | 9 +- ...-e1fc106e-1671-4103-b767-47b52c9b0742.json | 9 +- ...-e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb.json | 7 +- ...-e245e45a-71a8-408d-8f32-7b7337bffc26.json | 13 +- ...-e269e6a2-a709-4aa1-a260-f3f0d0284056.json | 20 +- ...-e29d91f0-ebee-481d-9344-702c90775109.json | 20 +- ...-e2ee6825-43c2-441f-ba96-404a330a9059.json | 9 +- ...-e3009db5-d1d8-4869-b1ca-d408a052bb4e.json | 11 +- ...-e33106e1-16ef-41b8-8d47-78c9f2b4dceb.json | 25 ++- ...-e34c8c23-be8f-4da9-b051-5246e5f16ba8.json | 9 +- ...-e35b013b-89e8-41b3-a518-7737234ab71b.json | 20 +- ...-e39ee008-74d1-4669-b515-4d2bb97968c1.json | 11 +- ...-e3a961ec-8184-4143-b8c2-c33ea0503678.json | 16 +- ...-e3beb58a-2603-451e-a907-1a3823a90197.json | 32 +++ ...-e3d04885-95a5-47cb-a038-b58542cf787d.json | 13 +- ...-e4019493-bd52-4011-9355-8902be6ff3f3.json | 9 +- ...-e419e0c3-8c16-4e7b-99f5-ecd30c93493a.json | 9 +- ...-e4451543-136b-4fe2-a8e2-d005db705aa2.json | 47 +++++ ...-e457921c-4a0b-4d6e-92e7-553929ddf943.json | 9 +- ...-e47ea9b6-8e05-4a54-ac6e-ba621dc3b717.json | 11 +- ...-e4beccfa-a9a5-447d-8164-d39a1b2c5532.json | 11 +- ...-e4f90a20-f1c6-4820-8c3e-751c79cc82e8.json | 9 +- ...-e50c605a-0cdf-4316-bb49-2deccc69143f.json | 11 +- ...-e5113d45-05bd-499f-a2e0-9edc6d7c03b6.json | 25 ++- ...-e515259a-63b1-4ac8-bbec-4b0103d0a79a.json | 37 ++++ ...-e524f30e-11b5-4bd9-83f1-9694e6d8f030.json | 42 ++++ ...-e5922453-d9b1-472b-b947-b1eaa426a32e.json | 11 +- 
...-e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb.json | 9 +- ...-e5e4567e-05a3-4d79-beab-191efc336473.json | 20 +- ...-e682fd05-a55e-447c-9de1-788cf061ba70.json | 42 ++++ ...-e723d78f-b6c3-4ba5-8946-b44e651834e3.json | 9 +- ...-e767fc9e-5211-4e7c-b628-5dd03a24af39.json | 9 +- ...-e78b2cd9-ef73-45d9-9477-e2e95454e208.json | 20 +- ...-e7af5be1-721f-40c5-b647-659243a0a14b.json | 9 +- ...-e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac.json | 9 +- ...-e7b7e813-4867-46fe-bf86-6f367553d765.json | 24 +-- ...-e84ad4b0-9f7a-48a5-89ae-33804b11eb56.json | 9 +- ...-e8768455-4d0c-4e3c-a901-1fc871227745.json | 19 +- ...-e87aa0d6-241f-4f72-bdb6-54e8d5584ae2.json | 9 +- ...-e889782a-f66b-448e-a466-e55b1bce7b64.json | 11 +- ...-e8c77126-5279-4c39-ad84-87e4ab8ce37f.json | 13 +- ...-e8c833ee-4c7d-45a2-b29b-187fe3661c0d.json | 9 +- ...-e928c0ce-2b98-4af5-a990-f690f4306681.json | 9 +- ...-e95ac47c-8822-4ce5-bd65-f61ca873854b.json | 11 +- ...-e9607e4f-5743-4bbb-b7d4-5554d66c8be7.json | 20 +- ...-e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json | 20 +- ...-e9b262ba-1c32-40b3-8622-121b30d6df50.json | 22 ++- ...-e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e.json | 20 +- ...-e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7.json | 32 +-- ...-e9d5992e-04ef-4835-87df-cf6434dcabbc.json | 9 +- ...-ea2ad242-4365-4868-8beb-4a634f3ba6b7.json | 20 +- ...-eb052029-e1c9-4f24-8594-299aaec7f1df.json | 9 +- ...-eb1eeb37-37a8-47b6-aff8-9703735a4d93.json | 20 +- ...-eb27258f-6bb9-49b5-928e-b66f37f8f16e.json | 9 +- ...-eb58117c-5803-4f72-a499-5fa888a9a7a5.json | 19 +- ...-eb69d3c1-aa16-429e-9b72-c1a993e584fa.json | 11 +- ...-eb6dbe2a-6f76-4bce-ab37-66ec67148041.json | 16 +- ...-eb784dcf-4188-47e2-9217-837b262acfb9.json | 19 +- ...-eba4b561-84c9-4d49-a8b8-1842c3ed94f3.json | 9 +- ...-ec30f169-9cf3-45c3-9a02-cda318107ba9.json | 47 +++++ ...-ec6ec329-a758-4259-a5f8-789cfef78a53.json | 32 +++ ...-ec734b52-a823-495c-9684-c4649269723e.json | 11 +- ...-ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4.json | 25 +++ ...-ec819008-396a-4ca3-b8d3-fda7f28128d0.json | 11 +- 
...-eca02e5c-f8de-4436-a7dd-0f656c759a42.json | 20 +- ...-eca69d9c-7c27-4147-ad7a-a1c30317df1d.json | 20 +- ...-ece70dca-803c-4209-8792-7e56e9901288.json | 9 +- ...-eceeb39e-887c-4a9b-a93b-a6fd768e455a.json | 20 +- ...-ed3293cf-de4f-4a73-98af-24325e8187c9.json | 9 +- ...-ed48a86f-e55f-4abf-8f18-98591b756399.json | 11 +- ...-ed6ebdd2-0095-4241-b3fc-7fc22366ec0d.json | 15 +- ...-ed7e9368-004c-484f-9eed-03b158325564.json | 9 +- ...-ed9bf71f-4367-4106-9b80-07b126edd3f6.json | 25 +++ ...-eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json | 11 +- ...-ede5c314-5988-4151-bb30-b6a6983d02c0.json | 25 ++- ...-edfb68d0-5efd-4fb5-93f9-c432535686cb.json | 9 +- ...-ee095f20-eef5-4dcc-a537-70b387592c2c.json | 9 +- ...-ee92911e-e2a2-4b40-916d-ce01b6e897f9.json | 9 +- ...-ee9c1a8c-5f84-4571-8518-300a6412df0f.json | 20 +- ...-eee008fa-a46f-4542-93e3-8fe5f949130f.json | 9 +- ...-eef4ffb7-892d-4d3f-826c-0b78d1f22671.json | 25 ++- ...-eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f.json | 29 ++- ...-ef792cb5-cb1f-4871-a2ef-20e6150d4005.json | 7 +- ...-efd35b6f-7a61-4998-97ff-608547e40f66.json | 25 ++- ...-f012feab-5612-429f-81bd-ff75d6ffd04e.json | 19 +- ...-f051c943-998c-4db2-9dbc-d4755057bcf0.json | 19 +- ...-f062ebc5-bad0-4b19-8c97-bf3915d687bd.json | 9 +- ...-f0851531-e554-4658-920c-f2342632c19a.json | 16 +- ...-f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1.json | 20 +- ...-f0e39856-4d2d-45c5-bf16-f683ee993010.json | 19 +- ...-f1130c77-3d20-4c41-9e75-1953bf9b8abc.json | 9 +- ...-f1208f2a-f2e2-48bd-8fdc-d56b9442f185.json | 47 +++++ ...-f157970b-4782-46d0-abdd-000ae6eea14b.json | 21 +- ...-f1c06c38-0f58-4789-9758-1e321394e03f.json | 47 +++++ ...-f240e06c-3a5b-4a34-a69c-5fccb4c94150.json | 20 +- ...-f259b5a8-bf2f-48c9-ae1b-b20d53daf665.json | 11 +- ...-f28a2873-281f-405b-bad0-4a93dac8a5ee.json | 25 ++- ...-f2d05b16-3565-453e-9fbb-1c02146e17e1.json | 25 ++- ...-f2e75022-ff16-44a8-8fcc-18c785406fb5.json | 32 +++ ...-f31490e8-ef81-40d5-bba9-24ca580d2ee6.json | 9 +- ...-f3599919-c4d1-4f2e-92d4-b34a04e33132.json | 19 
+- ...-f372697e-b661-4995-9920-4ec0a9060ebb.json | 9 +- ...-f390ee16-a7c8-4ef2-b6f4-28940a8f0d81.json | 9 +- ...-f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a.json | 9 +- ...-f3e902fe-7eea-4b85-9067-25d29fd01dc5.json | 9 +- ...-f458166e-7cf8-42ed-afe3-38cbd30d5607.json | 15 +- ...-f4aeacef-035c-4308-9e85-997703e27809.json | 9 +- ...-f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012.json | 20 +- ...-f4d5e619-7c83-4845-aecd-de62c33cc0a1.json | 9 +- ...-f4e4c3ae-4c4d-4eba-8330-022464cbf828.json | 9 +- ...-f4f4660c-6324-4da4-be2f-ac87fda85a45.json | 25 ++- ...-f517a7ce-dfdc-4f42-84c1-fef136e2ea19.json | 9 +- ...-f5196775-2c99-4dc5-b173-6a10af503c6e.json | 11 +- ...-f524f2d9-cdf7-403b-af0f-96c1c60b32a8.json | 32 +++ ...-f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json | 20 +- ...-f56b8307-80e3-4d73-869f-1e8b9538dbc4.json | 9 +- ...-f58d3fc4-e0a2-4924-884d-85d7c8f00b8a.json | 9 +- ...-f5acd046-2943-48bf-836a-2109c4f1a5c4.json | 11 +- ...-f5d24a31-53d2-4e84-9110-2da0582132cb.json | 25 ++- ...-f5e9afdc-1aeb-472f-b267-46e7978f9d78.json | 9 +- ...-f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3.json | 16 +- ...-f6098dca-3a9e-4991-8d51-1310b12161b6.json | 25 ++- ...-f622a267-7a58-4082-a3f5-10e9bb549a5e.json | 19 +- ...-f62e0aaf-e52f-40b9-a059-001f298a0660.json | 9 +- ...-f632b0bb-69ce-4678-bc3c-9ddff5a38794.json | 24 +-- ...-f6417788-0c6e-4172-9010-f20870ec2278.json | 11 +- ...-f65087b4-adf2-4292-a711-7ae829e91397.json | 20 +- ...-f6770c26-ae93-468d-acaa-ab4ffea0e047.json | 20 +- ...-f69ff81e-22e4-450c-b3dd-7f3f66610663.json | 11 +- ...-f6a451e8-2125-4bbe-be52-e682523cd169.json | 20 +- ...-f6f21954-c592-40d8-b7a0-75f332c42eaa.json | 9 +- ...-f7039142-dbdc-4ffc-a54f-136ad57a6ac1.json | 20 +- ...-f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc.json | 19 +- ...-f747ccb7-32c0-45fc-9842-bfb160a9db22.json | 11 +- ...-f776a4da-0fa6-414c-a705-e9e8b419e056.json | 24 +-- ...-f781fd2c-209f-43f1-b55a-fb175187415f.json | 9 +- ...-f78e0c04-1946-4a0f-9ecb-324373f97e8a.json | 37 ++++ ...-f7bebe78-2e21-466d-878b-f70be6c0e94a.json | 9 +- 
...-f7c5c344-4310-4e2a-a5aa-133f3d132fff.json | 20 +- ...-f7c95641-a685-4d0b-8516-9f0c7498efc9.json | 37 ++++ ...-f8151852-5a56-4c91-a691-1e50387a291d.json | 11 +- ...-f84355c2-b829-4324-821a-b5148734bb6b.json | 19 +- ...-f857935b-653a-4b9a-a2dc-59c042059a39.json | 9 +- ...-f87bb2d2-e7fd-44ce-b537-e7e01086731c.json | 20 +- ...-f88cbb0c-ca34-4a87-82fa-e0e567ee8d57.json | 20 +- ...-f92fe9dd-7296-42f6-904e-e245c438376e.json | 9 +- ...-f9456868-aa4c-4aa3-9465-c5a18cbcfd23.json | 9 +- ...-f947d845-4d70-41f3-ae3c-18ea8b44e667.json | 9 +- ...-f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f.json | 21 +- ...-f989562f-41a8-46d3-94ba-fca7269ae592.json | 20 +- ...-f9b3a640-fd24-45f0-845b-22a7bf3e0d2b.json | 11 +- ...-f9d0cfb5-aeda-4de4-9c72-7098297555ae.json | 25 ++- ...-f9de9819-b131-459e-948b-bdf3fe6f1ef0.json | 20 +- ...-fa13936f-9b9d-4b48-a33f-81044f6cdedb.json | 9 +- ...-fa1da6db-da32-45d2-98a8-6bbe153166da.json | 16 +- ...-fa222de8-ba3a-45c1-a7eb-d7502843cc2d.json | 20 +- ...-fa5f3aea-2131-4690-8833-dc428fae2b22.json | 9 +- ...-fada5ba5-7449-4878-b555-82f225473c8b.json | 19 +- ...-fadd27ec-56ac-4834-af40-76c9e8764eb9.json | 11 +- ...-faf3396c-3a53-478c-b15c-7ff44ef4a5f5.json | 11 +- ...-faff9f9c-9064-4b3a-bdf9-bbeced2447a6.json | 9 +- ...-fb2a14c1-bed9-4c3f-a60b-8df384c18b68.json | 20 +- ...-fb3b32a8-6422-4d44-91e3-27a58e569963.json | 22 ++- ...-fb51161a-ef2e-41a4-b5f9-bd1f64f95674.json | 20 +- ...-fb587f81-1300-438d-a33b-f8d08530788b.json | 9 +- ...-fb5c6c5e-53d4-4bb9-b9cf-74170058b19b.json | 20 +- ...-fb62afa9-d593-44f8-840d-bd5c595a1228.json | 19 +- ...-fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json | 9 +- ...-fbdbddd7-4980-4061-9192-24a887bc6bad.json | 20 +- ...-fbeef07b-7aa1-461c-884a-d3c4f730d5f7.json | 11 +- ...-fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json | 22 ++- ...-fc742401-a8cd-4a97-8c50-045807c47581.json | 32 +++ ...-fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json | 11 +- ...-fc816ddc-199d-47b0-93af-c81305d0919f.json | 20 +- ...-fcb3a139-f644-45c9-8123-dfea0455143a.json | 20 +- 
...-fcc42341-ec3a-4e24-a374-46bed72d061f.json | 20 +- ...-fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json | 9 +- ...-fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json | 20 +- ...-fd50cda0-66d4-4ae1-864e-9345d8124ce2.json | 11 +- ...-fd5b3d4b-5d56-4d66-8b57-f858bc139901.json | 20 +- ...-fd6c7f4b-ce0f-4770-8487-786e41b63549.json | 9 +- ...-fd8a4b6d-0e7b-4105-ad7b-576836be6394.json | 9 +- ...-fda8fe32-6121-4b81-9aa0-4e9596db88b1.json | 9 +- ...-fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json | 19 +- ...-fe1e9775-0923-4b8f-87d9-976fd1d3910a.json | 37 ++++ ...-fe794ba6-42be-4d42-a16f-a41473874331.json | 25 ++- ...-fed0de7b-509f-445d-90b9-4b507214298b.json | 32 +++ ...-ff3aa49b-c054-44ec-89da-6c67d4995193.json | 9 +- ...-ff410bea-7b23-4b0c-9979-b7ae3050d938.json | 11 +- ...-ff55feec-669d-4199-a05c-e8dfaebaaf8f.json | 7 +- ...-ffc24804-42db-4be1-a418-7f5ab9de453c.json | 16 +- ...-ffc82546-f4da-4f47-88ec-b215edb1d695.json | 20 +- ...-ffddcabb-0f03-46ae-abd6-7ab94e91b055.json | 32 +-- ...-fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json | 9 +- ...-1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json | 74 +++---- ...-da21929e-40c0-443d-bdf4-6b60d15448b4.json | 28 +-- ...-181a9f8c-c780-4f1f-91a8-edb770e904ba.json | 23 ++- ...-3772e279-27d6-477a-9fe3-c6beb363594c.json | 27 ++- ...-3d20385b-24ef-40e1-9f56-f39750379077.json | 23 ++- ...-56c2b384-77f8-461f-a71a-76f7888ebfb6.json | 24 +-- ...-5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json | 24 +-- ...-613788f2-ad72-43f5-b5f7-a93e2adc70fa.json | 2 +- ...-61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json | 27 ++- ...-685f917a-e95e-4ba0-ade1-c7d354dae6e0.json | 23 ++- ...-6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json | 24 +-- ...-764ee29e-48d6-4934-8e6b-7a606aaaafc0.json | 24 +-- ...-85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json | 22 ++- ...-9bde2f9d-a695-4344-bfac-f2dce13d121e.json | 30 +++ ...-a7f22107-02e5-4982-9067-6625d4a1765a.json | 27 ++- ...-b1e0bb80-23d4-44f2-b919-7e9c54898f43.json | 24 +-- ...-bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json | 24 +-- 
...-e2f72131-14d1-411f-8e8c-aa3453dd5456.json | 24 +-- ...-ee575f4a-2d4f-48f6-b18b-89067760adc1.json | 23 ++- ...-4523e7f3-8de2-4078-96f8-1227eb537159.json | 50 ++--- ...-55ba7d30-887f-42c1-a24e-c4e90aff24b8.json | 38 ++-- ...-73691708-ffb5-4e29-906d-f485f6fa7089.json | 60 +++--- ...-c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json | 60 +++--- ...-e156f007-c5bf-45cc-8dd5-d442ffb0d203.json | 38 ++-- ...-e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json | 52 ++--- ...-5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json | 47 ++--- ...-a382db5e-d009-4135-b893-0e0ff021c95b.json | 47 ++--- ...-0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json | 26 +-- ...-10fa8d8d-1b04-4176-917e-738724239981.json | 26 +-- ...-363bbeff-bb2a-4734-ac74-d6d37202fe54.json | 26 +-- ...-3e962de5-3280-43b7-bc10-334fbc1d6fa8.json | 26 +-- ...-3f660805-fa2e-42e8-8851-57f9e9b653e3.json | 26 +-- ...-4a800987-a3a8-4d56-a1bd-0d7171431756.json | 26 +-- ...-6ebce653-294a-444a-bffb-14c04c8d137e.json | 26 +-- ...-6fcb36b8-3776-483b-8699-42215714fb10.json | 26 +-- ...-7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json | 26 +-- ...-7be441c2-0095-4b1e-8125-fa8ffda29b0f.json | 26 +-- ...-987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json | 26 +-- ...-9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json | 24 +-- ...-d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json | 26 +-- ...-e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json | 24 +-- 2148 files changed, 24342 insertions(+), 20299 deletions(-) create mode 100644 mobile-attack/attack-pattern/attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a.json create mode 100644 mobile-attack/campaign/campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3.json create mode 100644 mobile-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json create mode 100644 mobile-attack/intrusion-set/intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7.json create mode 100644 mobile-attack/malware/malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f.json create mode 100644 mobile-attack/malware/malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927.json create mode 
100644 mobile-attack/malware/malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807.json create mode 100644 mobile-attack/malware/malware--b0a243dd-8075-42f9-86f6-64989600ed20.json create mode 100644 mobile-attack/malware/malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4.json create mode 100644 mobile-attack/malware/malware--f082d7dd-20a9-4157-93c0-75e7aea09e42.json create mode 100644 mobile-attack/relationship/relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c.json create mode 100644 mobile-attack/relationship/relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122.json create mode 100644 mobile-attack/relationship/relationship--06869cb8-7384-4d85-aa0a-78256133c88d.json create mode 100644 mobile-attack/relationship/relationship--082c3bd7-6088-4364-ae75-0eb45a635583.json create mode 100644 mobile-attack/relationship/relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa.json create mode 100644 mobile-attack/relationship/relationship--0c077d44-1c79-473c-8623-d6267ab47f34.json create mode 100644 mobile-attack/relationship/relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a.json create mode 100644 mobile-attack/relationship/relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43.json create mode 100644 mobile-attack/relationship/relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50.json create mode 100644 mobile-attack/relationship/relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a.json create mode 100644 mobile-attack/relationship/relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e.json create mode 100644 mobile-attack/relationship/relationship--122ffed0-5f5a-4588-88a4-16924db24e9e.json create mode 100644 mobile-attack/relationship/relationship--12df8ac7-06a4-4389-8d86-d354c4536e28.json create mode 100644 mobile-attack/relationship/relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa.json create mode 100644 mobile-attack/relationship/relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b.json create mode 100644 mobile-attack/relationship/relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b.json create mode 
100644 mobile-attack/relationship/relationship--1687c7a0-a453-4737-a10d-c57b94d5a458.json create mode 100644 mobile-attack/relationship/relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744.json create mode 100644 mobile-attack/relationship/relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee.json create mode 100644 mobile-attack/relationship/relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef.json create mode 100644 mobile-attack/relationship/relationship--2167de58-8453-4ac3-977d-30a2b3526818.json create mode 100644 mobile-attack/relationship/relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d.json create mode 100644 mobile-attack/relationship/relationship--2270d987-4698-4b59-9186-3d7637cf6599.json create mode 100644 mobile-attack/relationship/relationship--22e90a62-3f31-4190-98ee-eabede72eb07.json create mode 100644 mobile-attack/relationship/relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a.json create mode 100644 mobile-attack/relationship/relationship--268c2962-a557-4782-a40b-eef430c87740.json create mode 100644 mobile-attack/relationship/relationship--26c2626b-92a0-4798-b9f3-00abf12a817b.json create mode 100644 mobile-attack/relationship/relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a.json create mode 100644 mobile-attack/relationship/relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349.json create mode 100644 mobile-attack/relationship/relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895.json create mode 100644 mobile-attack/relationship/relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637.json create mode 100644 mobile-attack/relationship/relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5.json create mode 100644 mobile-attack/relationship/relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27.json create mode 100644 mobile-attack/relationship/relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873.json create mode 100644 mobile-attack/relationship/relationship--494ece43-ebba-4519-86be-cd5c4d4dd337.json create mode 100644 
mobile-attack/relationship/relationship--4d537065-9a82-42d5-923d-45194453cc25.json create mode 100644 mobile-attack/relationship/relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c.json create mode 100644 mobile-attack/relationship/relationship--526099a3-132d-430f-9559-fc067e39b227.json create mode 100644 mobile-attack/relationship/relationship--5340f466-abf0-4bb9-a7e9-44694014561d.json create mode 100644 mobile-attack/relationship/relationship--54da16fe-c3af-4283-8e73-434beca633d4.json create mode 100644 mobile-attack/relationship/relationship--55f1c604-f3e1-4eef-8313-d136425be83d.json create mode 100644 mobile-attack/relationship/relationship--56816b86-3c80-429b-8360-7b4e77538c97.json create mode 100644 mobile-attack/relationship/relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1.json create mode 100644 mobile-attack/relationship/relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f.json create mode 100644 mobile-attack/relationship/relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb.json create mode 100644 mobile-attack/relationship/relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb.json create mode 100644 mobile-attack/relationship/relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27.json create mode 100644 mobile-attack/relationship/relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b.json create mode 100644 mobile-attack/relationship/relationship--60da837d-a635-4533-b96a-db2689cc4771.json create mode 100644 mobile-attack/relationship/relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95.json create mode 100644 mobile-attack/relationship/relationship--6701f90c-6fce-4f7b-a785-a585601d366a.json create mode 100644 mobile-attack/relationship/relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b.json create mode 100644 mobile-attack/relationship/relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8.json create mode 100644 mobile-attack/relationship/relationship--6a87a107-e607-460b-a08c-cc693b15268c.json create mode 100644 
mobile-attack/relationship/relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec.json create mode 100644 mobile-attack/relationship/relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2.json create mode 100644 mobile-attack/relationship/relationship--6d38782e-2c88-411b-8328-72347d4c6024.json create mode 100644 mobile-attack/relationship/relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf.json create mode 100644 mobile-attack/relationship/relationship--6dada572-9e79-4835-9f8c-fcb6a94947af.json create mode 100644 mobile-attack/relationship/relationship--6e642c09-751c-43d8-9b99-aabb1703cad7.json create mode 100644 mobile-attack/relationship/relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2.json create mode 100644 mobile-attack/relationship/relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd.json create mode 100644 mobile-attack/relationship/relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a.json create mode 100644 mobile-attack/relationship/relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7.json create mode 100644 mobile-attack/relationship/relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7.json create mode 100644 mobile-attack/relationship/relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23.json create mode 100644 mobile-attack/relationship/relationship--8b3756f1-327a-4625-bde0-26b216ecb07a.json create mode 100644 mobile-attack/relationship/relationship--8dc4b237-e466-4a3d-9d28-896f1389996d.json create mode 100644 mobile-attack/relationship/relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4.json create mode 100644 mobile-attack/relationship/relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd.json create mode 100644 mobile-attack/relationship/relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63.json create mode 100644 mobile-attack/relationship/relationship--92cc4942-453e-49af-bc04-18cb99493b73.json create mode 100644 mobile-attack/relationship/relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19.json create mode 100644 
mobile-attack/relationship/relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648.json create mode 100644 mobile-attack/relationship/relationship--9a90aacf-3b03-4100-a600-5c455d4e48de.json create mode 100644 mobile-attack/relationship/relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d.json create mode 100644 mobile-attack/relationship/relationship--9c6b1915-24e2-48ac-909a-0af43053b053.json create mode 100644 mobile-attack/relationship/relationship--9caeaf97-ca4e-4417-8148-d9a38b141047.json create mode 100644 mobile-attack/relationship/relationship--a111958f-bb98-48c1-ad44-bf55fad232e9.json create mode 100644 mobile-attack/relationship/relationship--a153f40b-ba34-4419-9189-d61b5cd29802.json create mode 100644 mobile-attack/relationship/relationship--a26a09cd-1718-403f-99f3-fdb127ac3599.json create mode 100644 mobile-attack/relationship/relationship--a27b771e-430b-4044-aa04-7e755f74ae2f.json create mode 100644 mobile-attack/relationship/relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62.json create mode 100644 mobile-attack/relationship/relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4.json create mode 100644 mobile-attack/relationship/relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c.json create mode 100644 mobile-attack/relationship/relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01.json create mode 100644 mobile-attack/relationship/relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3.json create mode 100644 mobile-attack/relationship/relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee.json create mode 100644 mobile-attack/relationship/relationship--b336b44d-1810-4672-8e51-a63e91681907.json create mode 100644 mobile-attack/relationship/relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6.json create mode 100644 mobile-attack/relationship/relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad.json create mode 100644 mobile-attack/relationship/relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551.json create mode 100644 
mobile-attack/relationship/relationship--bf02dea9-17cb-41f8-b362-c3081da81199.json create mode 100644 mobile-attack/relationship/relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e.json create mode 100644 mobile-attack/relationship/relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c.json create mode 100644 mobile-attack/relationship/relationship--c773998e-a140-4498-827a-573df96e4331.json create mode 100644 mobile-attack/relationship/relationship--c877df57-0b8b-4286-aebb-6cca709638f3.json create mode 100644 mobile-attack/relationship/relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2.json create mode 100644 mobile-attack/relationship/relationship--cd440baa-9989-486e-b34b-d9469ffc79a5.json create mode 100644 mobile-attack/relationship/relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3.json create mode 100644 mobile-attack/relationship/relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3.json create mode 100644 mobile-attack/relationship/relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558.json create mode 100644 mobile-attack/relationship/relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8.json create mode 100644 mobile-attack/relationship/relationship--d9c63320-5855-42dc-8cd5-595755495259.json create mode 100644 mobile-attack/relationship/relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5.json create mode 100644 mobile-attack/relationship/relationship--e3beb58a-2603-451e-a907-1a3823a90197.json create mode 100644 mobile-attack/relationship/relationship--e4451543-136b-4fe2-a8e2-d005db705aa2.json create mode 100644 mobile-attack/relationship/relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a.json create mode 100644 mobile-attack/relationship/relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030.json create mode 100644 mobile-attack/relationship/relationship--e682fd05-a55e-447c-9de1-788cf061ba70.json create mode 100644 mobile-attack/relationship/relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9.json create mode 100644 
mobile-attack/relationship/relationship--ec6ec329-a758-4259-a5f8-789cfef78a53.json create mode 100644 mobile-attack/relationship/relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4.json create mode 100644 mobile-attack/relationship/relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6.json create mode 100644 mobile-attack/relationship/relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185.json create mode 100644 mobile-attack/relationship/relationship--f1c06c38-0f58-4789-9758-1e321394e03f.json create mode 100644 mobile-attack/relationship/relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5.json create mode 100644 mobile-attack/relationship/relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8.json create mode 100644 mobile-attack/relationship/relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a.json create mode 100644 mobile-attack/relationship/relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9.json create mode 100644 mobile-attack/relationship/relationship--fc742401-a8cd-4a97-8c50-045807c47581.json create mode 100644 mobile-attack/relationship/relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a.json create mode 100644 mobile-attack/relationship/relationship--fed0de7b-509f-445d-90b9-4b507214298b.json create mode 100644 mobile-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json diff --git a/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json b/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json index 85e7f61449..84ffb11442 100644 --- a/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json +++ b/mobile-attack/attack-pattern/attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d.json 
@@ -1,38 +1,9 @@ { "type": "bundle", - "id": "bundle--a9fecce8-8df0-4bd1-a475-5a5a3dbf94f7", + "id": "bundle--0d0f6000-33a2-43cd-8f60-af4993750de3", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Scheduled Task/Job", - "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. 
The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "execution" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "persistence" - } - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_contributors": [ - "Lorin Wu, Trend Micro" - ], - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "created": "2020-11-04T16:43:31.619Z", 
@@ -57,7 +28,36 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "2.1.0", + "modified": "2025-04-16T21:21:43.650Z", + "name": "Scheduled Task/Job", + "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. 
The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Lorin Wu, Trend Micro" + ], + "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], "x_mitre_is_subtechnique": false } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json b/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json index e19a61870c..0eee995f9e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json +++ b/mobile-attack/attack-pattern/attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa.json 
@@ -1,52 +1,42 @@ { "type": "bundle", - "id": "bundle--edfba12d-e639-452b-8227-10ee2adf1828", + "id": "bundle--9ca332c2-cd2f-4c3d-9bc3-677cf71eb866", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", + "created": "2019-10-30T15:37:55.029Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1540", + "external_id": "T1540" + }, + { + "source_name": "Fadeev Code Injection Aug 2018", + "description": "Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019.", + "url": "https://fadeevab.com/shared-library-injection-on-android-8/" + }, + { + "source_name": "Google Triada June 2019", + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" + }, + { + "source_name": "Shunix Code Injection Mar 2016", + "description": "Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019.", + "url": "https://shunix.com/shared-library-injection-in-android/" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", - "created": "2019-10-30T15:37:55.029Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1540", - "url": "https://attack.mitre.org/techniques/T1540" - }, - { - "source_name": "Fadeev Code Injection Aug 2018", - "url": "https://fadeevab.com/shared-library-injection-on-android-8/", - "description": "Alexandr Fadeev. (2018, August 26). 
Shared Library Injection on Android 8.0. Retrieved October 30, 2019." - }, - { - "source_name": "Google Triada June 2019", - "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", - "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." - }, - { - "source_name": "Shunix Code Injection Mar 2016", - "url": "https://shunix.com/shared-library-injection-in-android/", - "description": "Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application\u2019s process.(Citation: Google Triada June 2019)\n", - "modified": "2022-03-30T19:14:20.369Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:35.582Z", "name": "Code Injection", - "x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. 
Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application\u2019s process.(Citation: Google Triada June 2019)\n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -61,12 +51,22 @@ "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json b/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json index 4396de3adc..d03bbc5a01 100644 --- a/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json +++ b/mobile-attack/attack-pattern/attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dec62881-328c-435b-9278-e0681c80f6e1", + "id": "bundle--a35e2ae9-c7fc-48ba-a149-90450f599242", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json b/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json index d0ecd8bc4d..a5c557b03a 100644 --- a/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json +++ b/mobile-attack/attack-pattern/attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--575cc430-fa56-4f70-8b8e-c0482d9f127a", + "id": "bundle--319009de-ab53-4120-aa89-bf1ffa3ab203", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-15T16:23:59.281Z", - "name": "Abuse Elevation Control Mechanism", - "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "privilege-escalation" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. Extra scrutiny could be applied to applications that do", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "created": "2022-04-01T15:54:05.633Z", 
@@ -46,8 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:43.814Z", + "name": "Abuse Elevation Control Mechanism", + "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. Extra scrutiny could be applied to applications that do", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c.json b/mobile-attack/attack-pattern/attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c.json index 73efd145a9..1df56bbaf8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c.json 
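Review bot: The `x_mitre_detection` value re-added in this hunk for "Abuse Elevation Control Mechanism" still ends mid-sentence at `applications that do`, so the 3.2.0 object carries truncated detection guidance. The removed side of this file's first hunk shows the same cut-off text, which suggests the truncation is in the upstream record rather than introduced by this commit. The sentence should be completed in the source data; the ending cannot be recovered from this diff. Until then, anything that surfaces this field to analysts should mark it as incomplete.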
+++ b/mobile-attack/attack-pattern/attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c.json @@ -1,32 +1,13 @@ { "type": "bundle", - "id": "bundle--9fa233eb-ba75-4031-8291-c8347932b79b", + "id": "bundle--24677a20-cd8d-4936-b717-9832ffdba5ce", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-25T19:53:07.406Z", - "name": "Remote Access Software", - "description": "Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices. \n\nRemote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "created": "2023-09-25T19:53:07.406Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -38,9 +19,28 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:44.009Z", + "name": "Remote Access Software", + "description": "Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices. \n\nRemote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json b/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json index 9e7c3904be..d90face68e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json +++ b/mobile-attack/attack-pattern/attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d.json 
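Review bot: `"x_mitre_detection": ""` is written out for "Remote Access Software", an object carrying `"revoked": false` and `"x_mitre_deprecated": false`, so an active technique ships with blank detection guidance. An empty string is a weak stand-in for "no guidance yet", because a consumer that only tests for the key's presence will render an empty detection section. Either omit the key until text exists, or have ingestion treat `""` as absent. The value is unchanged from the removed side of the first hunk, so this probably originates upstream.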
@@ -1,17 +1,11 @@ { "type": "bundle", - "id": "bundle--fe796505-7cfe-4f37-9058-8726a0767cd2", + "id": "bundle--05defcc7-541a-457c-8b24-6fee602298a5", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", "type": "attack-pattern", + "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", "created": "2017-10-25T14:48:08.155Z", "revoked": true, "external_references": [ @@ -21,7 +15,10 @@ "external_id": "T1454" } ], - "modified": "2019-04-29T19:35:30.985Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:35.774Z", "name": "Malicious SMS Message", "description": "Test", "kill_chain_phases": [ @@ -30,6 +27,14 @@ "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" diff --git a/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json b/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json index a4f6e518a5..0d6ccf15a8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json +++ b/mobile-attack/attack-pattern/attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d.json 
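Review bot: The second hunk keeps `"description": "Test"` on "Malicious SMS Message" (T1454) while re-stamping `modified` to 2025-04-18 and adding marking, domain and spec-version fields around it. The object is `"revoked": true`, so the placeholder is harmless to consumers that drop revoked objects. A pipeline that indexes descriptions without checking `revoked` will show "Test" as technique text and treat the entry as freshly updated. Ingestion should filter on `revoked` (and `x_mitre_deprecated` where present) before using `description` or `modified`.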
@@ -1,69 +1,69 @@ { "type": "bundle", - "id": "bundle--de83adcc-323f-4448-ba90-921fcce5a734", + "id": "bundle--eb3f274a-6bd1-4c9b-b20a-9f38b53a77c1", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", + "created": "2017-10-25T14:48:18.237Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1470", + "external_id": "T1470" + }, + { + "source_name": "Elcomsoft-EPPB", + "description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016.", + "url": "https://www.elcomsoft.com/eppb.html" + }, + { + "source_name": "Elcomsoft-WhatsApp", + "description": "Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018.", + "url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", + "external_id": "ECO-0" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", + "external_id": "ECO-1" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", - "created": "2017-10-25T14:48:18.237Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1470", - "url": "https://attack.mitre.org/techniques/T1470" - }, - { - "source_name": "Elcomsoft-EPPB", - "url": "https://www.elcomsoft.com/eppb.html", - "description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. 
Retrieved December 29, 2016." - }, - { - "source_name": "Elcomsoft-WhatsApp", - "url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/", - "description": "Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-0" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-1" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", - "modified": "2022-04-06T15:54:11.189Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:35.994Z", "name": "Obtain Device Cloud Backups", - "x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.", + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. 
For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json b/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json index b5b2d85225..02d4a30e8e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json +++ b/mobile-attack/attack-pattern/attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--3eb0b430-7bf6-43ed-a8c7-15cb59349e3d", + "id": "bundle--0be577ec-668d-4129-a481-8180ac5620e1", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:43:03.218Z", - "name": "Uninstall Malicious Application", - "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of the accessibility service or features that typically require root access.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "created": "2022-03-30T19:31:31.855Z", 
@@ -46,8 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:44.210Z", + "name": "Uninstall Malicious Application", + "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of the accessibility service or features that typically require root access.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json b/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json index c50d3b4a1d..a5d63e8c9d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d.json @@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--bea5f928-4665-4c9f-939c-da426ac477cb", + "id": "bundle--aba87f82-0adc-4fa2-9c9c-41c1304e2f37", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:42:18.121Z", - "name": "Indicator Removal on Host", - "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "iOS", - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "created": "2022-03-30T19:28:25.541Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:44.391Z", + "name": "Indicator Removal on Host", + "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Users can see a list of applications that can use accessibility services in the device settings. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS", + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json b/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json index da6489be21..f5cb1ea272 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json +++ b/mobile-attack/attack-pattern/attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--76be1551-37c6-4a75-bdfa-511540e85803", + "id": "bundle--41cf81a6-1397-43c2-9d0b-e3a1b2a856d2", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:52:29.947Z", + "modified": "2024-11-17T13:32:52.029Z", "name": "Supply Chain Compromise", "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", "kill_chain_phases": [ 
@@ -40,8 +40,8 @@ }, { "source_name": "Grace-Advertisement", - "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.", - "url": "https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf" + "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved November 17, 2024.", + "url": "https://dl.acm.org/doi/10.1145/2185448.2185464" }, { "source_name": "NowSecure-RemoteCode", @@ -167,7 +167,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json b/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json index 38330a2e71..6e1fe9a7a6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json +++ b/mobile-attack/attack-pattern/attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7.json 
@@ -1,12 +1,12 @@ { "type": "bundle", - "id": "bundle--714019cc-6b43-4474-a4fb-a910073b4ae4", + "id": "bundle--911a3021-1e24-4941-92f8-9a027bafb7e7", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-15T15:06:03.427Z", + "modified": "2025-01-21T16:22:43.947Z", "name": "Impersonate SS7 Nodes", - "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", + "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -77,7 +77,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] 
diff --git a/mobile-attack/attack-pattern/attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b.json b/mobile-attack/attack-pattern/attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b.json index d0139c2dbf..7af8484974 100644 --- a/mobile-attack/attack-pattern/attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b.json +++ b/mobile-attack/attack-pattern/attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b.json @@ -1,33 +1,9 @@ { "type": "bundle", - "id": "bundle--4243ca02-328f-4853-8a53-a64fe1091383", + "id": "bundle--c0e78d56-417d-4296-86e9-3385fa826004", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-08T18:15:15.902Z", - "name": "Match Legitimate Name or Location", - "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). \n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_contributors": [ - "Ford Qin, Trend Micro", - "Liran Ravich, CardinalOps" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "created": "2023-07-12T20:45:14.704Z", 
@@ -53,8 +29,32 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:44.590Z", + "name": "Match Legitimate Name or Location", + "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). \n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Ford Qin, Trend Micro", + "Liran Ravich, CardinalOps" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0" } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json b/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json index 7d2ac5b863..f4715f989f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json +++ b/mobile-attack/attack-pattern/attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799.json 
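Review bot: `"x_mitre_detection": ""` is carried over unchanged in this hunk, so this defense-evasion technique ships with no detection guidance, while neighbouring techniques in this patch (Software Discovery, Call Log) do carry vetting guidance. If the field is still meant to be populated in this spec version, a short statement would help, for example `Application vetting services could compare an application's name, icon and package name with those of known legitimate applications and flag a signing certificate that does not match the genuine publisher.` The description also uses "i.e." before `Settings` and `com.google.android.gm`, which are examples rather than restatements, so "e.g." is the accurate abbreviation.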
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--ec29c64e-51bd-47f3-bfdf-4734d4f7d33a", + "id": "bundle--d57376a9-1f73-4f95-b03a-1c867d52222e", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "type": "attack-pattern", + "id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "created": "2017-10-25T14:48:30.462Z", "revoked": true, "external_references": [ @@ -18,8 +15,16 @@ "external_id": "T1425" } ], - "modified": "2018-10-17T01:05:10.699Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:36.173Z", "name": "Insecure Third-Party Libraries", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json b/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json index 1fa1dfb6c4..3268bbbe20 100644 --- a/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json +++ b/mobile-attack/attack-pattern/attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--558b3cb1-ed58-4280-8303-6cd5925a63fe", + "id": "bundle--e9f462f7-7377-4315-ad67-685254b26252", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:56:20.270Z", - "name": "Protected User Data", - "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application\u2019s manifest. On iOS, they must be included in the application\u2019s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user\u2019s knowledge or approval. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "created": "2022-04-01T12:36:41.507Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:44.829Z", + "name": "Protected User Data", + "description": "Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application\u2019s manifest. On iOS, they must be included in the application\u2019s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user\u2019s knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. 
Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json b/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json index bf394020b4..46b2413e95 100644 --- a/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json +++ b/mobile-attack/attack-pattern/attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8.json 
@@ -1,48 +1,48 @@ { "type": "bundle", - "id": "bundle--41430683-8361-41cf-8dca-d4c6cf1cba59", + "id": "bundle--246936b1-ca74-4558-8e63-27b602ab9ff3", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "created": "2022-04-05T20:15:43.636Z", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1521/002", + "external_id": "T1521.002" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", - "created": "2022-04-05T20:15:43.636Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1521.002", - "url": "https://attack.mitre.org/techniques/T1521/002" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. 
As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).", - "modified": "2022-04-05T20:16:21.324Z", + "modified": "2025-04-16T21:21:44.987Z", "name": "Asymmetric Cryptography", - "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. 
As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).", "kill_chain_phases": [ { - "phase_name": "command-and-control", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json b/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json index 130d3356b3..1f909c70df 100644 --- a/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json +++ b/mobile-attack/attack-pattern/attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2.json 
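Review bot: The re-added `description` string still lists ECDSA among "public key encryption algorithms", but ECDSA is a signature scheme and does not encrypt data, so the sentence misdescribes what an analyst should expect when triaging encrypted command and control traffic. This hunk rewrites the whole object (spec version 2.1.0 to 3.2.0), which makes it a natural place to correct the wording to `Common public key encryption algorithms include RSA and ElGamal.` If an elliptic-curve example is wanted, ECIES is the encryption counterpart.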
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--63978b0a-c231-4578-b908-5c6eeb9c4e7e", + "id": "bundle--80fe1b07-d6eb-457d-b3f6-6ea67bfddb7c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:55:03.477Z", - "name": "Software Discovery", - "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "discovery" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "created": "2017-10-25T14:48:28.067Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:45.152Z", + "name": "Software Discovery", + "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json b/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json index e8b5bc3cca..f1a865fd68 100644 
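Review bot: The `x_mitre_detection` string keys only on `android.permission.QUERY_ALL_PACKAGES`, which leaves a gap in Android vetting. Package visibility filtering applies only to apps that target Android 11 (API level 30) or later, and those apps can also see other packages through `<queries>` entries in the manifest without holding that permission. A vetting rule built from this text alone would pass an app that targets an older API level or declares broad `<queries>` intent filters. I would extend the field with `Vetting should also review the application's target SDK level and any <queries> declarations in its manifest.` The identical detection text in the Security Software Discovery object (attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e) needs the same addition.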
--- a/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json +++ b/mobile-attack/attack-pattern/attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--e8f54fe0-099b-4c2f-87aa-c79a6559d8c4", + "id": "bundle--6bc76949-78c9-4b35-afd8-d46f7f62e3a1", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:55:23.702Z", - "name": "Process Discovery", - "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "discovery" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "created": "2017-10-25T14:48:33.926Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:45.337Z", + "name": "Process Discovery", + "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json b/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json index a96fae871f..01a5b2869b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json +++ b/mobile-attack/attack-pattern/attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--79851441-ac35-4fa2-8ec9-af7b73d955c2", + "id": "bundle--70300224-407f-4193-915a-beefc130f8fe", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-16T18:32:30.150Z", - "name": "Call Log", - "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user\u2019s knowledge or approval. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "created": "2022-04-01T13:12:23.522Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:45.503Z", + "name": "Call Log", + "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user\u2019s knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json b/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json index 6f49800de7..e19173c000 100644 --- a/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e.json @@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--31b803f9-de3b-42f2-b9d8-b08c4fed553c", + "id": "bundle--7fd6027d-42e3-49fd-8841-e3faf52fc4da", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:55:33.642Z", - "name": "Security Software Discovery", - "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "discovery" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "created": "2022-03-31T19:50:45.752Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:45.687Z", + "name": "Security Software Discovery", + "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json b/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json index 2a2fa27fbe..f196f61ed9 100644 --- a/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--056d1673-32a7-4996-a1d4-bb806f1f84ad", + "id": "bundle--19e51447-ec0c-4047-a382-a0fbb12e723a", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "type": "attack-pattern", + "id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "created": "2017-10-25T14:48:10.699Z", "revoked": true, "external_references": [ @@ -18,8 +15,16 @@ "external_id": "T1434" } ], - "modified": "2018-10-17T01:05:10.699Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:36.344Z", "name": "App Delivered via Email Attachment", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json b/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json index d246ad63e8..960f2e76fb 100644 --- a/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json +++ b/mobile-attack/attack-pattern/attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee.json 
@@ -1,36 +1,9 @@ { "type": "bundle", - "id": "bundle--a43991ae-5843-4152-b2e8-864ce42c9478", + "id": "bundle--bc0d9753-bbb1-4b7d-b7df-dfac6dba77bf", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:57:40.571Z", - "name": "Ptrace System Calls", - "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "privilege-escalation" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "created": "2022-03-30T19:05:17.048Z", 
@@ -61,8 +34,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:45.841Z", + "name": "Ptrace System Calls", + "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json b/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json index e37d1d34d2..ee41219c66 100644 --- a/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json +++ b/mobile-attack/attack-pattern/attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a.json 
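Review bot: The `x_mitre_detection` value re-added in this hunk, `"Application vetting services could look for misuse of dynamic libraries."`, never mentions ptrace, although the `description` above it is entirely about attaching to a process and writing to it with `PTRACE_SETREGS`, `PTRACE_POKETEXT` and `PTRACE_POKEDATA`. The sentence is carried over unchanged from the removed side, so a defender reading this object gets no observable tied to the technique. I would reword it along the lines of `Application vetting services could look for native code that invokes the ptrace system call against other processes, in particular with PTRACE_POKETEXT, PTRACE_POKEDATA or PTRACE_SETREGS requests.` The object also lists `iOS` under `x_mitre_platforms`, while the citations named in the description (PTRACE man, BH Linux Inject) look Linux-oriented, so a platform caveat is probably warranted.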
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--a7eca067-5bd2-43b7-8c94-95031e192e42", + "id": "bundle--fdb19e52-365c-480b-b983-4534e191a334", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:59:55.849Z", - "name": "Impair Defenses", - "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "created": "2022-04-01T18:42:22.117Z", 
@@ -51,8 +29,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:45.996Z", + "name": "Impair Defenses", + "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json b/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json index a949c641e0..32f333504a 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json +++ b/mobile-attack/attack-pattern/attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a.json 
@@ -1,48 +1,39 @@ { "type": "bundle", - "id": "bundle--79347d18-c34b-4597-8ac1-396f67ced59a", + "id": "bundle--3468609f-1e41-4bed-97bb-8a11e90ff29e", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_contributors": [ - "Luk\u00e1\u0161 \u0160tefanko, ESET" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "type": "attack-pattern", + "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "created": "2017-10-25T14:48:08.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-mobile-attack", - "external_id": "T1453", - "url": "https://attack.mitre.org/techniques/T1453" + "url": "https://attack.mitre.org/techniques/T1453", + "external_id": "T1453" }, { - "url": "https://www.skycure.com/blog/accessibility-clickjacking/", + "source_name": "Skycure-Accessibility", "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", - "source_name": "Skycure-Accessibility" + "url": "https://www.skycure.com/blog/accessibility-clickjacking/" }, { + "source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. 
Retrieved July 11, 2019.", - "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", - "source_name": "android-trojan-steals-paypal-2fa" + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" }, { "source_name": "banking-trojans-google-play", - "url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019." + "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/" } ], - "modified": "2020-03-30T14:03:43.761Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:36.575Z", "name": "Abuse Accessibility Features", "description": "**This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. 
This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)", "kill_chain_phases": [ @@ -63,9 +54,19 @@ "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Luk\u00e1\u0161 \u0160tefanko, ESET" + ], "x_mitre_deprecated": true, - "x_mitre_version": "2.0", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json b/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json index ced01a529b..06c7f5f8cd 100644 --- a/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json +++ b/mobile-attack/attack-pattern/attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d.json 
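Review bot: The ATT&CK reference for T1453 in the first hunk still uses `"source_name": "mitre-mobile-attack"`, while the other objects rewritten in this commit (T1437.001, T1628.002) use `"source_name": "mitre-attack"`. A consumer that resolves technique IDs by matching only `mitre-attack` would presumably skip this entry. Because the object is also marked `"x_mitre_deprecated": true`, coverage mappings need to accept the legacy source name and filter deprecated objects explicitly. Since the hunk already reorders the keys of this reference, it could be normalised to `"source_name": "mitre-attack"` here, or the release notes could state that both values occur. The object continues past the end of the second hunk.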
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--246015fc-23b6-4e9e-b7d1-37462d30008d", + "id": "bundle--da3675da-431c-4d03-8d2f-72106b6e3f29", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:51:07.651Z", - "name": "Exploitation of Remote Services", - "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device\u2019s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. 
", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "lateral-movement" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "created": "2017-10-25T14:48:13.259Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:46.157Z", + "name": "Exploitation of Remote Services", + "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device\u2019s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "lateral-movement" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json b/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json index 68461f1a6e..f2e224fb13 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json +++ b/mobile-attack/attack-pattern/attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add.json 
@@ -1,54 +1,54 @@ { "type": "bundle", - "id": "bundle--e73370ab-4b1e-4bf9-8346-5f8c9f15e50f", + "id": "bundle--41eedc82-38b8-4abf-9d7c-1ae9cb2e15b6", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "created": "2022-04-01T19:06:27.177Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1437/001", + "external_id": "T1437.001" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "external_id": "APP-29" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", - "created": "2022-04-01T19:06:27.177Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1437.001", - "url": "https://attack.mitre.org/techniques/T1437/001" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-29" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. 
\n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. ", - "modified": "2022-04-06T13:07:45.661Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:46.363Z", "name": "Web Protocols", - "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ", + "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. 
", "kill_chain_phases": [ { - "phase_name": "command-and-control", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json b/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json index e9899fc564..be157a84c9 100644 --- a/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json +++ b/mobile-attack/attack-pattern/attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eefb9bea-b267-449b-a358-f0dc4cfc9229", + "id": "bundle--96db2d00-6c4e-45ac-acae-06ca05ae2f37", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json b/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json index 9714e521eb..e64438b554 100644 --- a/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08.json 
@@ -1,48 +1,48 @@ { "type": "bundle", - "id": "bundle--418ecf89-84ce-4f94-ae9c-830b2c227c1b", + "id": "bundle--30cd5c77-bc01-4e5a-ac30-e80c9da25dd1", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "created": "2022-04-11T20:05:56.069Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1628/002", + "external_id": "T1628.002" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", - "created": "2022-04-11T20:05:56.069Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1628.002", - "url": "https://attack.mitre.org/techniques/T1628/002" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. 
Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", - "modified": "2022-04-11T20:05:56.069Z", + "modified": "2025-04-16T21:21:46.535Z", "name": "User Evasion", - "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [ { - "phase_name": "defense-evasion", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json b/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json index d9edfd7243..702a13dfb2 100644 --- a/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json +++ b/mobile-attack/attack-pattern/attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--942e292c-8c5c-4b29-84ea-88ad6434ce2f", + "id": "bundle--fb9f5d9c-2779-4f15-92ad-67fac8a9b77c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:37:57.884Z", - "name": "Virtualization/Sandbox Evasion", - "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "created": "2022-03-30T17:51:29.550Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:46.725Z", + "name": "Virtualization/Sandbox Evasion", + "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json b/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json index 7b460ba30d..69498facf2 100644 --- a/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json +++ b/mobile-attack/attack-pattern/attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38.json 
@@ -1,63 +1,63 @@ { "type": "bundle", - "id": "bundle--27d6cec7-6e0c-4784-a830-41ed1dac14f3", + "id": "bundle--ca8ec70c-19ea-4a0f-88ec-4b23f41838dc", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", + "created": "2020-06-24T17:33:49.778Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1579", + "external_id": "T1579" + }, + { + "source_name": "Apple Keychain Services", + "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020.", + "url": "https://developer.apple.com/documentation/security/keychain_services" + }, + { + "source_name": "Elcomsoft Decrypt Keychain", + "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020.", + "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", + "external_id": "AUT-11" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", - "created": "2020-06-24T17:33:49.778Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1579", - "url": "https://attack.mitre.org/techniques/T1579" - }, - { - "source_name": "Apple Keychain Services", - "url": "https://developer.apple.com/documentation/security/keychain_services", - "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020." 
- }, - { - "source_name": "Elcomsoft Decrypt Keychain", - "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/", - "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. Retrieved June 24, 2020." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "AUT-11" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", - "modified": "2022-04-01T15:02:43.470Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:36.750Z", "name": "Keychain", - "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.", + "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. 
Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258.json b/mobile-attack/attack-pattern/attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258.json index a4c7c44036..1af2447beb 100644 --- a/mobile-attack/attack-pattern/attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258.json +++ b/mobile-attack/attack-pattern/attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--337fd79a-c4a8-4951-a7a5-8616db901c31", + "id": "bundle--2981fdd6-aaf1-4fe8-8a8d-d1029a9f9abe", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json b/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json index 6738338b9c..6a622b92ad 100644 --- a/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json +++ b/mobile-attack/attack-pattern/attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3.json 
@@ -1,46 +1,37 @@ { "type": "bundle", - "id": "bundle--f5b5022f-3fc1-4832-9c2b-10cc1b984616", + "id": "bundle--880dbb99-94fa-4a2c-878c-d50a00fda70d", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", + "created": "2017-10-25T14:48:17.176Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1413", + "external_id": "T1413" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", + "external_id": "APP-3" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", - "created": "2017-10-25T14:48:17.176Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1413", - "url": "https://attack.mitre.org/techniques/T1413" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-3" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-13" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive 
data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.", - "modified": "2022-04-06T15:37:34.463Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:36.939Z", "name": "Access Sensitive Data in Device Logs", - "x_mitre_detection": "", + "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -51,12 +42,21 @@ "phase_name": "credential-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json b/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json index 418af70872..9821b21a58 100644 --- a/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json +++ b/mobile-attack/attack-pattern/attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--cab927de-5ce1-4def-b39d-b359400e67a4", + "id": "bundle--8cd7ccb9-2608-474d-a73a-58be2f5d4d10", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-07T22:15:34.693Z", - "name": "Command and Scripting Interpreter", - "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "execution" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "created": "2022-03-30T13:40:37.259Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:46.879Z", + "name": "Command and Scripting Interpreter", + "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json b/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json index 1666e6ca00..7aafb28793 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json +++ b/mobile-attack/attack-pattern/attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--1d2b269c-52c7-47bd-844d-263be495cd8d", + "id": "bundle--11429b7c-ed98-4550-b890-9ebfe23bec19", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:40:12.912Z", - "name": "Disable or Modify Tools", - "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view a list of active device administrators in the device settings.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "created": "2022-04-01T18:51:13.963Z", 
@@ -41,8 +19,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:47.026Z", + "name": "Disable or Modify Tools", + "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view a list of active device administrators in the device settings.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json b/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json index 060d7a26df..94693284af 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json +++ b/mobile-attack/attack-pattern/attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--5b535b5c-8c22-4d78-96d4-6aed1cd34541", + "id": "bundle--1c5ab43a-9f3b-4f5e-b8f6-323b3d30b173", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:21:05.728Z", - "name": "Ingress Tool Transfer", - "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "created": "2020-01-21T15:27:30.182Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:47.175Z", + "name": "Ingress Tool Transfer", + "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json b/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json index 23778f04ce..1313cc5da4 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json +++ b/mobile-attack/attack-pattern/attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--fa4548a3-5d43-49fd-8715-3848b247d70b", + "id": "bundle--a59160ce-1bad-4bcc-856a-0ee5b4821de8", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:19:34.225Z", - "name": "Dynamic Resolution", - "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "created": "2022-04-05T19:57:15.734Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:47.329Z", + "name": "Dynamic Resolution", + "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json b/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json index baf4bbc14e..4ffd74d408 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json +++ b/mobile-attack/attack-pattern/attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5.json 
@@ -1,74 +1,74 @@ { "type": "bundle", - "id": "bundle--a73062a4-72eb-4e51-ae07-be59e4fc0b38", + "id": "bundle--03b1cb59-63c1-4f50-8c8d-9e0ff07b4dc9", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1477", + "external_id": "T1477" + }, + { + "source_name": "Forbes-iPhoneSMS", + "description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016.", + "url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html" + }, + { + "source_name": "Register-BaseStation", + "description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016.", + "url": "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/" + }, + { + "source_name": "ProjectZero-BroadcomWiFi", + "description": "Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018.", + "url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html" + }, + { + "source_name": "Weinmann-Baseband", + "description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016.", + "url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf" + }, + { + "source_name": "SRLabs-SIMCard", + "description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. 
Retrieved December 23, 2016.", + "url": "https://srlabs.de/bites/rooting-sim-cards/" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", - "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1477", - "url": "https://attack.mitre.org/techniques/T1477" - }, - { - "source_name": "Forbes-iPhoneSMS", - "url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html", - "description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016." - }, - { - "source_name": "Register-BaseStation", - "url": "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/", - "description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016." - }, - { - "source_name": "ProjectZero-BroadcomWiFi", - "url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html", - "description": "Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018." - }, - { - "source_name": "Weinmann-Baseband", - "url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf", - "description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016." - }, - { - "source_name": "SRLabs-SIMCard", - "url": "https://srlabs.de/bites/rooting-sim-cards/", - "description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016." 
- } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).", - "modified": "2022-04-06T15:42:13.444Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:37.121Z", "name": "Exploit via Radio Interfaces", - "x_mitre_detection": "", + "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. 
Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json b/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json index 94e894c08e..f27f10ba60 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json +++ b/mobile-attack/attack-pattern/attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790.json 
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--6b939408-1c76-41e1-829c-55a3ba83c149", + "id": "bundle--ba2a9c39-8cbb-41dc-af78-4f5e3a4e9dfa", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", + "created": "2017-10-25T14:48:26.890Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1423", + "external_id": "T1423" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", - "created": "2017-10-25T14:48:26.890Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1423", - "url": "https://attack.mitre.org/techniques/T1423" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. 
This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", - "modified": "2022-04-11T19:12:38.451Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:47.481Z", "name": "Network Service Scanning", - "x_mitre_detection": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "kill_chain_phases": [ { - "phase_name": "discovery", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json b/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json index 9450283fc0..41e25cf2e6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json +++ b/mobile-attack/attack-pattern/attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d.json 
@@ -1,48 +1,48 @@ { "type": "bundle", - "id": "bundle--03544fe9-6dda-4132-a2fc-086df5bfc24a", + "id": "bundle--2ac6cdfc-1fdb-4225-93be-07b302cfe51d", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", + "created": "2021-09-30T18:18:52.285Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1618", + "external_id": "T1618" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", - "created": "2021-09-30T18:18:52.285Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1618", - "url": "https://attack.mitre.org/techniques/T1618" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. 
Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", - "modified": "2022-04-11T20:06:56.032Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:37.306Z", "name": "User Evasion", - "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json b/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json index 7429c151f9..1edbdbe21f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json +++ b/mobile-attack/attack-pattern/attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--d850eb1e-6a8e-4ddf-b212-65b37c0de4d0", + "id": "bundle--32463bfc-b0ca-4ab6-892f-3421834e5e22", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:41:52.000Z", - "name": "Exfiltration Over C2 Channel", - "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "exfiltration" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "created": "2022-04-01T15:43:45.913Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:47.650Z", + "name": "Exfiltration Over C2 Channel", + "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "exfiltration" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json b/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json index 83d8437f79..04e6cdd387 100644 --- a/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json +++ b/mobile-attack/attack-pattern/attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--9c7a023f-f23a-4870-9d42-1176e7bb6ad7", + "id": "bundle--ff0749f3-8dcf-4c32-ab68-f4331c2a3d2e", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-08T19:20:13.836Z", - "name": "Exploitation for Privilege Escalation", - "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "privilege-escalation" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. 
Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "created": "2017-10-25T14:48:29.405Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:47.809Z", + "name": "Exploitation for Privilege Escalation", + "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. 
Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json b/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json index 0933659fd1..c585186177 100644 --- a/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json +++ b/mobile-attack/attack-pattern/attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69.json 
@@ -1,42 +1,9 @@ { "type": "bundle", - "id": "bundle--ff8a62a0-1b86-46f2-b795-c5dee3863dbe", + "id": "bundle--ac194626-1d9b-489e-8182-9486c70e6ac4", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-10T21:57:52.009Z", - "name": "Call Control", - "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. 
This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_contributors": [ - "Gaetan van Diemen, ThreatFabric" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "created": "2021-09-20T13:42:20.824Z", 
@@ -77,8 +44,41 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:47.962Z", + "name": "Call Control", + "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. 
This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Gaetan van Diemen, ThreatFabric" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json b/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json index aad0fb269f..1edf2ab4d8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json +++ b/mobile-attack/attack-pattern/attack-pattern--37047267-3e56-453c-833e-d92b68118120.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--b1b43a87-3595-4f97-bb8b-b07a3add15be", + "id": "bundle--58e157f5-0243-422e-ad88-fe4b12aab2b0", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:40:40.166Z", - "name": "Exfiltration Over Unencrypted Non-C2 Protocol", - "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "exfiltration" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "created": "2022-04-06T13:22:57.683Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:48.130Z", + "name": "Exfiltration Over Unencrypted Non-C2 Protocol", + "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "exfiltration" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json b/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json index 8e46f53156..1fa137fabb 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json
+++ b/mobile-attack/attack-pattern/attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9.json
@@ -1,34 +1,9 @@ { "type": "bundle", - "id": "bundle--30ef3597-4d79-4cc6-be7b-c49bd1443fe7", + "id": "bundle--6010290f-60c7-459d-b18d-f870ec1a7e87", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-16T18:27:42.752Z", - "name": "Broadcast Receivers", - "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. 
Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "persistence" - } - ], - "x_mitre_contributors": [ - "Alex Hinchliffe, Palo Alto Networks" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "created": "2022-03-30T14:41:00.672Z", 
@@ -49,8 +24,33 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:48.286Z", + "name": "Broadcast Receivers", + "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. 
Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Alex Hinchliffe, Palo Alto Networks" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json b/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json index 1bbc5a48a7..e021665bec 100644 --- a/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json +++ b/mobile-attack/attack-pattern/attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad.json 
@@ -1,37 +1,27 @@ { "type": "bundle", - "id": "bundle--a5cc54dc-5ff3-457a-92df-4c79168d7d05", + "id": "bundle--ff758a08-d30e-430a-8422-7cc1770279de", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", + "created": "2017-10-25T14:48:16.650Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1436", + "external_id": "T1436" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", - "created": "2017-10-25T14:48:16.650Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1436", - "url": "https://attack.mitre.org/techniques/T1436" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. \n\nThey may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.", - "modified": "2022-04-06T15:40:47.556Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:37.510Z", "name": "Commonly Used Port", - "x_mitre_detection": "", + "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. 
\n\nThey may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -42,12 +32,22 @@ "phase_name": "exfiltration" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json b/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json index c77e4b2659..70879bbc7a 100644 --- a/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json +++ b/mobile-attack/attack-pattern/attack-pattern--393e8c12-a416-4575-ba90-19cc85656796.json 
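Review bot: The new `"modified": "2025-04-18T18:00:37.510Z"` on T1436 makes a technique that still carries `"x_mitre_deprecated": true` look recently revised, although in these two hunks the name, description and references are only re-ordered; the only other value changes are the bundle id and `x_mitre_attack_spec_version` (2.1.0 to 3.2.0). A consumer that syncs or ranks objects by `modified` would presumably pick it up as fresh content, so detection-coverage tooling should filter on `x_mitre_deprecated` and `revoked` rather than on recency. The same applies to the `"revoked": true` objects T1439 and T1410 in the following files, whose `modified` values are also moved to 2025-04-18. If the bump is meant to mark the spec-version migration, a line in the release notes saying that deprecated and revoked objects were re-stamped without content changes would help; `x_mitre_detection` is still `""` here.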
@@ -1,64 +1,64 @@ { "type": "bundle", - "id": "bundle--20483e51-7229-4f80-bf94-16424c6fef98", + "id": "bundle--801ff31e-b7da-4c9c-95a6-d9662d301807", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", + "created": "2017-10-25T14:48:26.104Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1439", + "external_id": "T1439" + }, + { + "source_name": "mHealth", + "description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016.", + "url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", + "external_id": "APP-0" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "external_id": "APP-1" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", - "created": "2017-10-25T14:48:26.104Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1439", - "url": "https://attack.mitre.org/techniques/T1439" - }, - { - "source_name": "mHealth", - "url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps", - "description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016." 
- }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-0" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-1" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", - "modified": "2022-04-05T20:17:46.147Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:37.686Z", "name": "Eavesdrop on Insecure Network Communication", - "x_mitre_detection": "", + "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json b/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json index 0a15d60914..7049e740d9 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json +++ b/mobile-attack/attack-pattern/attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2.json @@ -1,35 +1,9 @@ { "type": "bundle", - "id": "bundle--363a94d7-a6e1-4e70-b532-4b7983bed511", + "id": "bundle--e34244d0-c9fd-4b50-979b-4e2b2cc47f5f", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-15T16:26:05.050Z", - "name": "Access Notifications", - "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "created": "2019-09-15T15:26:08.183Z", 
@@ -50,8 +24,34 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:48.448Z", + "name": "Access Notifications", + "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json b/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json
index 3a9cb7ae33..9c12825999 100644
--- a/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json
+++ b/mobile-attack/attack-pattern/attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9.json
@@ -1,42 +1,32 @@ { "type": "bundle", - "id": "bundle--8be133fb-9a68-40f7-965a-cbb18fab35de", + "id": "bundle--bf5c9fd3-021f-45ef-af5e-fd80bbbc69b6", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", + "created": "2017-10-25T14:48:14.982Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1410", + "external_id": "T1410" + }, + { + "source_name": "Skycure-Profiles", + "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016.", + "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", - "created": "2017-10-25T14:48:14.982Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1410", - "url": "https://attack.mitre.org/techniques/T1410" - }, - { - "source_name": "Skycure-Profiles", - "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/", - "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. 
However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", - "modified": "2022-04-15T17:52:24.123Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:37.855Z", "name": "Network Traffic Capture or Redirection", - "x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.", + "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. 
However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -47,12 +37,22 @@ "phase_name": "credential-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json b/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json index 1112739c46..5fe91e4122 100644 --- a/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2.json 
@@ -1,114 +1,114 @@ { "type": "bundle", - "id": "bundle--78040b0c-6fcf-4c85-bfa6-36402ffe48f8", + "id": "bundle--13220d8b-5014-47ba-8f2b-041fb24e69e1", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", + "created": "2017-10-25T14:48:34.407Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1411", + "external_id": "T1411" + }, + { + "source_name": "Felt-PhishingOnMobileDevices", + "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.", + "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf" + }, + { + "source_name": "Android Background", + "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.", + "url": "https://developer.android.com/guide/components/activities/background-starts" + }, + { + "source_name": "Android-getRunningTasks", + "description": "Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017.", + "url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29" + }, + { + "source_name": "Cloak and Dagger", + "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019.", + "url": "http://cloak-and-dagger.org/" + }, + { + "source_name": "Group IB Gustuff Mar 2019", + "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. 
Retrieved September 3, 2019.", + "url": "https://www.group-ib.com/blog/gustuff" + }, + { + "source_name": "eset-finance", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.", + "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/" + }, + { + "source_name": "Hassell-ExploitingAndroid", + "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.", + "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf" + }, + { + "source_name": "XDA Bubbles", + "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.", + "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/" + }, + { + "source_name": "NowSecure Android Overlay", + "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.", + "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/" + }, + { + "source_name": "ThreatFabric Cerberus", + "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + }, + { + "source_name": "StackOverflow-getRunningAppProcesses", + "description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. 
Retrieved January 19, 2017.", + "url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag" + }, + { + "source_name": "Skycure-Accessibility", + "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", + "url": "https://www.skycure.com/blog/accessibility-clickjacking/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "external_id": "APP-31" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", - "created": "2017-10-25T14:48:34.407Z", - "x_mitre_version": "2.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1411", - "url": "https://attack.mitre.org/techniques/T1411" - }, - { - "source_name": "Felt-PhishingOnMobileDevices", - "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf", - "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016." - }, - { - "source_name": "Android Background", - "url": "https://developer.android.com/guide/components/activities/background-starts", - "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019." - }, - { - "source_name": "Android-getRunningTasks", - "url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29", - "description": "Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017." - }, - { - "source_name": "Cloak and Dagger", - "url": "http://cloak-and-dagger.org/", - "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. 
Retrieved September 18, 2019." - }, - { - "source_name": "Group IB Gustuff Mar 2019", - "url": "https://www.group-ib.com/blog/gustuff", - "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019." - }, - { - "source_name": "eset-finance", - "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018." - }, - { - "source_name": "Hassell-ExploitingAndroid", - "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf", - "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019." - }, - { - "source_name": "XDA Bubbles", - "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/", - "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019." - }, - { - "source_name": "NowSecure Android Overlay", - "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/", - "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019." - }, - { - "source_name": "ThreatFabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019." 
- }, - { - "source_name": "StackOverflow-getRunningAppProcesses", - "url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag", - "description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017." - }, - { - "source_name": "Skycure-Accessibility", - "url": "https://www.skycure.com/blog/accessibility-clickjacking/", - "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-31" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. 
The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. 
This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", - "modified": "2022-04-05T19:52:32.190Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:38.043Z", "name": "Input Prompt", - "x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).", + "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). 
Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). 
A malicious application can still abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. 
Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json b/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json index e97432845e..95b7ee5854 100644 --- a/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json +++ b/mobile-attack/attack-pattern/attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--3dc9a776-6421-4e2a-9093-b8844bd5f3cf", + "id": "bundle--edcf348b-2f3a-4963-8a55-68b1bd183f43", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:39:22.707Z", - "name": "Exfiltration Over Alternative Protocol", - "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "exfiltration" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "created": "2022-04-06T13:19:33.785Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:48.656Z", + "name": "Exfiltration Over Alternative Protocol", + "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "exfiltration" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d.json b/mobile-attack/attack-pattern/attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d.json index f0d3c07111..45382abd86 100644 --- a/mobile-attack/attack-pattern/attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--74ac3069-ff49-4304-bf07-8e5aeb2017a2", + "id": "bundle--c60cf8a5-1355-4359-a400-42832b8637c3", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json b/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json index 729d297067..408280bd2b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json +++ b/mobile-attack/attack-pattern/attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--2bf77784-534b-4a06-87a1-bb703c1479f2", + "id": "bundle--4a0d048c-4452-4c6a-8c8a-a070f5e671e1", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "type": "attack-pattern", + "id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "created": "2017-10-25T14:48:24.069Z", "revoked": true, "external_references": [ @@ -18,8 +15,16 @@ "external_id": "T1460" } ], - "modified": "2018-10-17T01:05:10.703Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:38.220Z", "name": "Biometric Spoofing", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json b/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json index da22bc0abb..dfe88cba22 100644 --- a/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5.json @@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--ee750ead-a721-4d5e-a716-0aa09064f4c9", + "id": "bundle--32156167-e9fd-48de-8656-47185541511c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-16T18:26:46.043Z", - "name": "Boot or Logon Initialization Scripts", - "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "persistence" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "created": "2017-10-25T14:48:31.294Z", 
@@ -57,8 +34,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:48.836Z", + "name": "Boot or Logon Initialization Scripts", + "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json b/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json index 975b03a351..f1dcda6bd3 100644 --- a/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json +++ b/mobile-attack/attack-pattern/attack-pattern--498e7b81-238d-404c-aa5e-332904d63286.json 
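Review bot: The `x_mitre_detection` string re-emitted here for Boot or Logon Initialization Scripts still points defenders at Android's SafetyNet API for remote attestation. Google has deprecated SafetyNet Attestation in favour of the Play Integrity API, so the guidance is stale on an object whose `modified` date this hunk sets to 2025-04-16. I would reword the sentence along the lines of `Android's Play Integrity API (the successor to SafetyNet Attestation) provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices.`, which also fixes the existing typo "respond to compromise devices". The Compromise Client Software Binary object later in this patch (`attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf`) carries the same SafetyNet reference in its detection text. These bundles look like exports of an upstream knowledge base, so the wording fix presumably belongs upstream rather than in this file.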
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--f68e75f8-b066-4104-a98f-8656fa660e64", + "id": "bundle--84c0a7fd-2a30-480c-837d-4f8c3cba910d", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:44:26.317Z", + "modified": "2024-11-17T18:31:54.804Z", "name": "Execution Guardrails", "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", "kill_chain_phases": [ 
@@ -40,14 +40,14 @@ }, { "source_name": "SWB Exodus March 2019", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json b/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json index 83ddc54a5e..54e9ac5a24 100644 --- a/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json +++ b/mobile-attack/attack-pattern/attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--02b56e6d-e625-4d81-8ad2-363c78cb4963", + "id": "bundle--3c8a808b-8df0-46ad-930b-2de90920d5f4", "spec_version": "2.0", "objects": [ { - "modified": "2024-09-12T15:20:41.834Z", + "modified": "2024-11-17T18:58:58.592Z", "name": "GUI Input Capture", "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", "kill_chain_phases": [ 
@@ -89,8 +89,8 @@ }, { "source_name": "Skycure-Accessibility", - "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", - "url": "https://www.skycure.com/blog/accessibility-clickjacking/" + "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/" }, { "source_name": "NIST Mobile Threat Catalogue", diff --git a/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json b/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json index e52c8a202a..7c6b2670dd 100644 --- a/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json +++ b/mobile-attack/attack-pattern/attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce.json 
@@ -1,54 +1,54 @@ { "type": "bundle", - "id": "bundle--99b34cc9-35a1-4cac-8c55-a5852e7a8730", + "id": "bundle--f568750c-1a30-40ce-9719-c33f0b4abf16", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", + "created": "2017-10-25T14:48:11.535Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1432", + "external_id": "T1432" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", - "created": "2017-10-25T14:48:11.535Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1432", - "url": "https://attack.mitre.org/techniques/T1432" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-13" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", - "modified": "2022-04-01T13:19:41.180Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:38.397Z", "name": "Access Contact List", - "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to 
access contact list information through the device settings screen, and the user can choose to revoke the permissions.", + "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.", "kill_chain_phases": [ { - "phase_name": "collection", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json b/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json index 816271fcef..100387062d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json +++ b/mobile-attack/attack-pattern/attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--8ac24f4f-9632-401e-9a33-97dbbbebd783", + "id": "bundle--322a381b-60fe-416c-806b-236c83aeb599", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T15:20:11.752Z", - "name": "Compromise Client Software Binary", - "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "persistence" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Application vetting services could detect applications trying to modify files in protected parts of the operating system.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "created": "2022-03-30T19:53:27.791Z", 
@@ -52,8 +29,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:49.029Z", + "name": "Compromise Client Software Binary", + "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Application vetting services could detect applications trying to modify files in protected parts of the operating system.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json b/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json index 43e618a2e9..9526436133 100644 --- a/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json +++ b/mobile-attack/attack-pattern/attack-pattern--51636761-2e35-44bf-9e56-e337adf97174.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--72674b7c-d5e7-4747-bc0b-1c0cd36ea093", + "id": "bundle--d06eee4f-9803-4d9c-94b8-497feacfa8c9", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:54:40.501Z", - "name": "Software Packing", - "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "iOS", - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "created": "2022-03-30T19:20:37.864Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:49.224Z", + "name": "Software Packing", + "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS", + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json b/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json index 8747878793..3ae2960f17 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json +++ b/mobile-attack/attack-pattern/attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--3280175d-e59e-4982-adb6-e27c9705df8b", + "id": "bundle--23679af4-2b9b-4787-a4fd-0e8a4664793e", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "type": "attack-pattern", + "id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "created": "2017-10-25T14:48:16.288Z", "revoked": true, "external_references": [ @@ -18,8 +15,16 @@ "external_id": "T1445" } ], - "modified": "2018-10-17T01:05:10.701Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:38.597Z", "name": "Abuse of iOS Enterprise App Signing Key", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json b/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json index c60ed5cbf2..cbabb01f4a 100644 --- a/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json +++ b/mobile-attack/attack-pattern/attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5.json 
@@ -1,38 +1,29 @@ { "type": "bundle", - "id": "bundle--ae106e72-77cd-49d8-885d-2b68442847e7", + "id": "bundle--1ccfe1d4-ac35-4831-9c1e-ef1ff0b85b9a", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "attack-pattern", "id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", "created": "2017-10-25T14:48:09.864Z", - "x_mitre_version": "1.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, "external_references": [ { "source_name": "mitre-attack", - "external_id": "T1450", - "url": "https://attack.mitre.org/techniques/T1450" + "url": "https://attack.mitre.org/techniques/T1450", + "external_id": "T1450" }, { "source_name": "3GPP-Security", - "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", - "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016." + "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", + "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" }, { "source_name": "CSRIC5-WG10-FinalReport", - "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", - "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017." + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" }, { "source_name": "CSRIC-WG1-FinalReport", 
@@ -40,44 +31,53 @@ }, { "source_name": "Positive-SS7", - "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", - "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016." + "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", + "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" }, { "source_name": "Engel-SS7-2008", - "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI", - "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016." + "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", + "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" }, { "source_name": "Engel-SS7", - "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", - "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016." + "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", + "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" }, { - "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "external_id": "CEL-38" } ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. 
(Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", - "modified": "2022-04-05T19:54:12.657Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:38.781Z", "name": "Exploit SS7 to Track Device Location", - "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json b/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json
index 77dd0d0e42..64063972b7 100644
--- a/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json
+++ b/mobile-attack/attack-pattern/attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb.json
@@ -1,46 +1,37 @@ { "type": "bundle", - "id": "bundle--d98a2ca1-e1b9-4745-9aaa-045b33743484", + "id": "bundle--831d6ef3-5b36-4ee0-9ff2-ba56effc5d10", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "created": "2020-04-28T14:35:37.309Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1575", + "external_id": "T1575" + }, + { + "source_name": "Google NDK Getting Started", + "description": "Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020.", + "url": "https://developer.android.com/ndk/guides" + }, + { + "source_name": "MITRE App Vetting Effectiveness", + "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020.", + "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", - "created": "2020-04-28T14:35:37.309Z", - "x_mitre_version": "2.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1575", - "url": "https://attack.mitre.org/techniques/T1575" - }, - { - "source_name": "Google NDK Getting Started", - "url": "https://developer.android.com/ndk/guides", - "description": "Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020." 
- }, - { - "source_name": "MITRE App Vetting Effectiveness", - "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf", - "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. Retrieved April 28, 2020." - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)", - "modified": "2022-04-08T15:46:24.495Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:49.389Z", "name": "Native API", - "x_mitre_detection": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.", + "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. 
Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -51,12 +42,21 @@ "phase_name": "execution" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json b/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json index 54bcfd0f49..ffc9f44742 100644 --- a/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json +++ b/mobile-attack/attack-pattern/attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7.json 
@@ -1,84 +1,84 @@ { "type": "bundle", - "id": "bundle--b25e279a-fcdf-4951-85d4-e4bff87238a0", + "id": "bundle--4b2cd5bb-97b0-48e7-acf6-4382ab2284b4", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1476", + "external_id": "T1476" + }, + { + "source_name": "IBTimes-ThirdParty", + "description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018.", + "url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861" + }, + { + "source_name": "TrendMicro-RootingMalware", + "description": "Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/" + }, + { + "source_name": "android-trojan-steals-paypal-2fa", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" + }, + { + "source_name": "TrendMicro-FlappyBird", + "description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. 
Retrieved November 8, 2018.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", + "external_id": "AUT-9" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html", + "external_id": "ECO-13" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html", + "external_id": "ECO-21" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", - "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.2", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1476", - "url": "https://attack.mitre.org/techniques/T1476" - }, - { - "source_name": "IBTimes-ThirdParty", - "url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861", - "description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018." - }, - { - "source_name": "TrendMicro-RootingMalware", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/", - "description": "Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018." - }, - { - "source_name": "android-trojan-steals-paypal-2fa", - "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019." 
- }, - { - "source_name": "TrendMicro-FlappyBird", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/", - "description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. Retrieved November 8, 2018." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "AUT-9" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-13" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-21" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. 
SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", - "modified": "2022-04-06T15:41:16.863Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:39.001Z", "name": "Deliver Malicious App via Other Means", - "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.", + "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. 
However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. 
\n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json b/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json index 376d6b48aa..480b90a926 100644 --- a/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json +++ b/mobile-attack/attack-pattern/attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067.json 
@@ -1,64 +1,64 @@ { "type": "bundle", - "id": "bundle--3477325b-4da1-4b13-82a0-07cdcceafce4", + "id": "bundle--e41425ab-bd82-4c29-8111-3b06c053d143", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067", + "created": "2017-10-25T14:48:07.827Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1469", + "external_id": "T1469" + }, + { + "source_name": "Honan-Hacking", + "description": "Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016.", + "url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "external_id": "ECO-5" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "external_id": "EMM-7" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067", - "created": "2017-10-25T14:48:07.827Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1469", - "url": "https://attack.mitre.org/techniques/T1469" - }, - { - "source_name": "Honan-Hacking", - "url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/", - "description": "Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016." 
- }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-5" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "EMM-7" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", - "modified": "2022-04-06T15:54:28.187Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:39.181Z", "name": "Remotely Wipe Data Without Authorization", - "x_mitre_detection": "Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "Google provides the ability for users to view their general account activity. 
Apple iCloud also provides notifications to users of account activity.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b.json b/mobile-attack/attack-pattern/attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b.json index 6b0a6523da..a807c60167 100644 --- a/mobile-attack/attack-pattern/attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b.json +++ b/mobile-attack/attack-pattern/attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7d6bccf5-edcf-4791-9084-477905a7f68c", + "id": "bundle--5f8bfdf2-2ebe-4453-b74e-3ca49aa1c654", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json b/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json index 4f795f2b21..3dcc34e1bd 100644 --- a/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json +++ b/mobile-attack/attack-pattern/attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--7b6dc3ce-0baf-4b5b-9637-6c7b25994d42", + "id": "bundle--16a609e2-ded6-4c0f-8a93-2ec27b302175", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:57:14.285Z", - "name": "Proxy Through Victim", - "description": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary\u2019s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "created": "2020-11-30T14:26:07.728Z", 
@@ -46,8 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:49.548Z", + "name": "Proxy Through Victim", + "description": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary\u2019s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json b/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json
index d1dea28646..31619b802a 100644
--- a/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json
+++ b/mobile-attack/attack-pattern/attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de.json
@@ -1,59 +1,59 @@ { "type": "bundle", - "id": "bundle--27bc25a9-4948-462c-98fd-d69385f40e43", + "id": "bundle--5088bebd-23aa-41e3-be87-aef1eb6c0427", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", + "created": "2019-09-23T13:11:43.694Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1520", + "external_id": "T1520" + }, + { + "source_name": "Data Driven Security DGA", + "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", + "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/" + }, + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", - "created": "2019-09-23T13:11:43.694Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1520", - "url": "https://attack.mitre.org/techniques/T1520" - }, - { - "source_name": "Data Driven Security DGA", - "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/", - "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019." 
- }, - { - "source_name": "securelist rotexy 2018", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", - "modified": "2022-04-05T20:03:46.788Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:39.358Z", "name": "Domain Generation Algorithms", - "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", + "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json b/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json index 373ccd8a36..a5fa410b74 100644 --- a/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json +++ b/mobile-attack/attack-pattern/attack-pattern--62adb627-f647-498e-b4cc-41499361bacb.json 
@@ -1,54 +1,54 @@ { "type": "bundle", - "id": "bundle--58e0d118-b844-412b-afb8-225bf083ef5d", + "id": "bundle--5ca121a0-aec7-42e9-b7f1-7587a176fb33", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", + "created": "2017-10-25T14:48:20.727Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1435", + "external_id": "T1435" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", - "created": "2017-10-25T14:48:20.727Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1435", - "url": "https://attack.mitre.org/techniques/T1435" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-13" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", - "modified": "2022-04-01T12:50:48.453Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:39.545Z", "name": "Access Calendar Entries", - "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar 
information through the device settings screen, and the user can choose to revoke the permissions.", + "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", "kill_chain_phases": [ { - "phase_name": "collection", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json b/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json index 180a37308b..3f4a7f69a5 100644 --- a/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json +++ b/mobile-attack/attack-pattern/attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3.json 
@@ -1,64 +1,64 @@ { "type": "bundle", - "id": "bundle--f878b806-55a2-4dce-a4d0-ba96e2e77ac4", + "id": "bundle--2c26cd51-864f-4197-add4-e996f6531869", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", + "created": "2017-10-25T14:48:21.354Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1465", + "external_id": "T1465" + }, + { + "source_name": "Kaspersky-DarkHotel", + "description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016.", + "url": "https://blog.kaspersky.com/darkhotel-apt/6613/" + }, + { + "source_name": "NIST-SP800153", + "description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016.", + "url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", + "external_id": "LPN-0" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", - "created": "2017-10-25T14:48:21.354Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1465", - "url": "https://attack.mitre.org/techniques/T1465" - }, - { - "source_name": "Kaspersky-DarkHotel", - "url": "https://blog.kaspersky.com/darkhotel-apt/6613/", - "description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. 
Retrieved December 24, 2016." - }, - { - "source_name": "NIST-SP800153", - "url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf", - "description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "LPN-0" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", - "modified": "2022-04-06T15:51:11.938Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:39.717Z", "name": "Rogue Wi-Fi Access Points", - "x_mitre_detection": "", + "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json b/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json index 61bcc6101e..b942231717 100644 --- a/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json +++ b/mobile-attack/attack-pattern/attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e.json 
@@ -1,38 +1,9 @@ { "type": "bundle", - "id": "bundle--8ee9fb74-d4a4-49f1-90eb-157131b5493e", + "id": "bundle--f9f6d501-8135-46a9-8192-ea45747fa227", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:54:25.564Z", - "name": "Foreground Persistence", - "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. 
This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "persistence" - } - ], - "x_mitre_contributors": [ - "Lorin Wu, Trend Micro" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "2.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "created": "2019-11-19T17:32:20.373Z", 
@@ -73,8 +44,37 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:49.743Z", + "name": "Foreground Persistence", + "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. 
This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Lorin Wu, Trend Micro" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json b/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json index d66e68878d..15a6cfc7b1 100644 --- a/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json +++ b/mobile-attack/attack-pattern/attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--652ca216-5bc8-43f8-b09c-7bb283e42d98", + "id": "bundle--7150540d-2e6e-49c4-966a-0dc198108223", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-07T17:13:04.396Z", + "modified": "2024-11-17T13:26:29.167Z", "name": "Replication Through Removable Media", "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ", "kill_chain_phases": [ 
@@ -59,8 +59,8 @@ }, { "source_name": "Computerworld-iPhoneCracking", - "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved September 21, 2018.", - "url": "https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html" + "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved November 17, 2024.", + "url": "https://www.techcentral.ie/two-vendors-now-sell-iphone-cracking-technology-police-buying/" }, { "source_name": "IBM-NexusUSB", @@ -86,7 +86,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json b/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json index 951bb9c986..2a4bf8019c 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json +++ b/mobile-attack/attack-pattern/attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760.json 
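Review bot: The `Computerworld-iPhoneCracking` reference in the `@@ -59,8 +59,8 @@` hunk now links to techcentral.ie, while its `source_name` and citation text still present it as the Computerworld article, so the label and the linked publisher no longer match. Presumably the new page is a republished copy of the same piece, but the hunk gives no way to confirm that, and consumers that key on `source_name` or check citation domains will see the mismatch. I would either point at an archived copy of the original, e.g. `"url": "<archived copy of the original Computerworld article>"`, or say in the `description` that the link is a republication. The enclosing `external_references` array starts and ends outside the hunk.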
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--d10af575-d342-44a7-b8bb-0b7403b91c1e", + "id": "bundle--b14e2bfb-4f92-42ce-b316-02b7600cda0e", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-16T13:31:29.924Z", - "name": "Audio Capture", - "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. 
However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "3.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "created": "2017-10-25T14:48:12.913Z", 
@@ -72,8 +49,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:49.937Z", + "name": "Audio Capture", + "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. 
With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json b/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json index f9a125d6cd..61c925fc59 100644 --- a/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json +++ b/mobile-attack/attack-pattern/attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--94f24b30-82e8-4ade-9a78-0f3da1b45196", + "id": "bundle--53486e99-b39f-4633-b59e-453ff20467ab", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:59:46.686Z", - "name": "Hijack Execution Flow", - "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "persistence" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "created": "2022-03-30T14:49:18.650Z", 
@@ -46,8 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:50.121Z", + "name": "Hijack Execution Flow", + "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json b/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json index 8824dd4c86..be7c1b390f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--f1956cc2-2bf8-48cb-9727-30240842662e", + "id": "bundle--59515f24-6a8a-42a6-a7fc-7269e340bc1c", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-07T22:48:30.418Z", - "name": "Unix Shell", - "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "execution" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "created": "2022-03-30T13:59:50.479Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:50.314Z", + "name": "Unix Shell", + "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "execution" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json b/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json index dab284a34f..7a9298ae6b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json +++ b/mobile-attack/attack-pattern/attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673.json 
@@ -1,54 +1,54 @@ { "type": "bundle", - "id": "bundle--8eaefc3a-ac0d-4287-a4a8-3fe98dda198a", + "id": "bundle--3c54eb13-1b92-4c0b-aed1-cb26e4215d4a", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "created": "2017-10-25T14:48:33.158Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1437", + "external_id": "T1437" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", + "external_id": "APP-29" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", - "created": "2017-10-25T14:48:33.158Z", - "x_mitre_version": "1.2", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1437", - "url": "https://attack.mitre.org/techniques/T1437" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-29" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. 
\n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", - "modified": "2022-04-19T20:03:51.831Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:50.479Z", "name": "Application Layer Protocol", - "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", "kill_chain_phases": [ { - "phase_name": "command-and-control", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. 
Enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json b/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json index 733474ad45..18837c2c54 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json +++ b/mobile-attack/attack-pattern/attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--d1008178-0162-4a17-b267-1f38cf421143", + "id": "bundle--548e0c3d-9e22-4ae9-95c1-7f4959e4cfcf", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "type": "attack-pattern", + "id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "created": "2017-10-25T14:48:11.861Z", "revoked": true, "external_references": [ @@ -18,8 +15,16 @@ "external_id": "T1431" } ], - "modified": "2018-10-17T01:05:10.699Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:39.890Z", "name": "App Delivered via Web Download", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } 
diff --git a/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json b/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json index 16f962f747..70b16e0ea6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json +++ b/mobile-attack/attack-pattern/attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--2d9af78d-60fb-4df0-a85d-b95d6fb6d328", + "id": "bundle--d973d752-e7fa-488a-8568-85589b530442", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-08T16:23:41.271Z", - "name": "Download New Code at Runtime", - "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. 
These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.5", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "created": "2017-10-25T14:48:14.460Z", 
@@ -52,8 +29,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:50.660Z", + "name": "Download New Code at Runtime", + "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). 
Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.5", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe.json b/mobile-attack/attack-pattern/attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe.json index 38e23260ca..a4ef8b5bde 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe.json +++ b/mobile-attack/attack-pattern/attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe.json 
@@ -1,12 +1,12 @@ { "type": "bundle", - "id": "bundle--d054baee-bba5-4b67-b7c0-3e2a0c9e42c7", + "id": "bundle--9a216a7e-ccfb-4b3f-bd94-befa3a97cbed", "spec_version": "2.0", "objects": [ { - "modified": "2023-12-05T22:14:54.813Z", + "modified": "2025-02-27T22:56:19.681Z", "name": "Exploitation for Initial Access", - "description": "Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. \n\nThis can be accomplished in a variety of ways. Vulnerabilities may be present in applications, services, the underlying operating system, or in the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Further, some exploits may be possible to exploit without any user interaction (zero-click), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited. ", + "description": "Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. \n\nThis can be accomplished in a variety of ways. Vulnerabilities may be present in the applications, the services, the underlying operating system, or the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Furthermore, some exploits may be possible to exploit without any user interaction (i.e. zero-click exploits, see [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1658)), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited. ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", 
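Review bot: The rewritten sentence in the new `description` reads "some exploits may be possible to exploit without any user interaction", which repeats "exploit" and blurs the difference between a vulnerability and the exploit written for it. A tighter wording that keeps the new cross-reference would be `Furthermore, some vulnerabilities can be exploited without any user interaction (i.e., zero-click exploits; see [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1658)), making them particularly dangerous.` Nothing else in the string needs to change. The object continues beyond this hunk.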
@@ -23,10 +23,11 @@ "Android", "iOS" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "type": "attack-pattern", "id": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "created": "2023-12-05T22:14:54.813Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -39,7 +40,6 @@ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json b/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json index ce8b562d0e..f6b2e04094 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json +++ b/mobile-attack/attack-pattern/attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a.json 
@@ -1,64 +1,64 @@ { "type": "bundle", - "id": "bundle--621782d9-4ff9-4cd6-907e-fbb34e7123f1", + "id": "bundle--b4a4099a-eebc-4676-94fa-111834f123f0", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", + "created": "2017-10-25T14:48:21.023Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1468", + "external_id": "T1468" + }, + { + "source_name": "Krebs-Location", + "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018.", + "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", + "external_id": "ECO-5" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", + "external_id": "EMM-7" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", - "created": "2017-10-25T14:48:21.023Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1468", - "url": "https://attack.mitre.org/techniques/T1468" - }, - { - "source_name": "Krebs-Location", - "url": 
"https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/", - "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. Retrieved November 8, 2018." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-5" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "EMM-7" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", - "modified": "2022-04-05T19:40:25.068Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:40.105Z", "name": "Remotely Track Device Without Authorization", - "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. 
Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json b/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json index 9b532193aa..02f28bc047 100644 --- a/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json +++ b/mobile-attack/attack-pattern/attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--772b1717-d4c6-4a30-84b2-1e02f3ee66f6", + "id": "bundle--b7b250f1-78ed-475d-9528-3b04a853b6c2", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:51:04.432Z", - "name": "System Checks", - "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "created": "2022-03-30T17:53:35.582Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:50.837Z", + "name": "System Checks", + "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json b/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json index 90ba97dd60..8ea2be7a2f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json +++ b/mobile-attack/attack-pattern/attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--02050c1c-b07b-4d17-8cd1-4fc5738375f7", + "id": "bundle--f4b79e24-701d-4a0d-99a1-f56072d91e1e", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:53:16.029Z", + "modified": "2024-11-17T18:31:54.805Z", "name": "Stored Application Data", "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ", "kill_chain_phases": [ 
@@ -40,8 +40,8 @@ }, { "source_name": "SWB Exodus March 2019", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" }, { "source_name": "NIST Mobile Threat Catalogue", @@ -52,7 +52,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json b/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json index 6af3f5018e..44195579c1 100644 --- a/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json +++ b/mobile-attack/attack-pattern/attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--f3d04115-9d93-4ff6-af67-117af7be0cd1", + "id": "bundle--7ff01197-d22e-4d03-a9d8-09e0b5299e36", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:57:43.022Z", - "name": "Screen Capture", - "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.3", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "created": "2019-08-08T18:34:14.178Z", 
@@ -71,8 +49,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:50.988Z", + "name": "Screen Capture", + "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json b/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json index 378b4a7e3e..16a9c5c0e4 100644 --- a/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json +++ b/mobile-attack/attack-pattern/attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--b8ff983b-4ec3-48b3-b6d4-6366b89c50e4", + "id": "bundle--78180956-bfa1-4e35-93b8-4bf999a3105d", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:44:26.748Z", - "name": "Transmitted Data Manipulation", - "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. 
For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "created": "2022-04-06T13:39:39.779Z", 
@@ -46,8 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:51.156Z", + "name": "Transmitted Data Manipulation", + "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. 
For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json b/mobile-attack/attack-pattern/attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json index 0146035f22..40fbdabfc9 100644 --- a/mobile-attack/attack-pattern/attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json +++ b/mobile-attack/attack-pattern/attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69.json 
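Review bot: The `description` re-added in the second hunk still closes its clipboard paragraph with "However, this behavior has changed with the release of Android 10." and never says what changed, while `x_mitre_platforms` remains a bare `"Android"`. A reader scoping this technique cannot tell from the object which OS versions allow the background, no-permission clipboard access. Android 10 and later limit clipboard reads to the app that has focus or the default input method editor, so I would replace the vague sentence with something like `However, from Android 10 onward only the focused app or the default IME can read clipboard data.` In the same object, `x_mitre_detection` reads "given to application that make use of them" and should read "applications that make use of them". Both strings are carried over unchanged from the removed side, so this is upstream text, not something this commit introduced.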
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--72b7e36d-43e8-49c7-9d20-e923d83bda4e", + "id": "bundle--c487eb0a-2235-43a1-9a1b-3dcd269c876a", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", + "created": "2017-10-25T14:48:07.460Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1452", + "external_id": "T1452" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", - "created": "2017-10-25T14:48:07.460Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1452", - "url": "https://attack.mitre.org/techniques/T1452" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).", - "modified": "2022-04-06T13:57:24.726Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:40.278Z", "name": "Manipulate App Store Rankings or Ratings", - "x_mitre_detection": "", + "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. 
This technique likely requires privileged access (a rooted or jailbroken device).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json b/mobile-attack/attack-pattern/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json index 5078cd3584..cdc6ebf226 100644 --- a/mobile-attack/attack-pattern/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json +++ b/mobile-attack/attack-pattern/attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58.json 
@@ -1,59 +1,59 @@ { "type": "bundle", - "id": "bundle--8c5131b4-92ba-4344-ac2f-493f8aa68fca", + "id": "bundle--af0abec5-49cb-477e-8223-d24347efe826", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", + "created": "2017-10-25T14:48:32.008Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1416", + "external_id": "T1416" + }, + { + "source_name": "Trend Micro iOS URL Hijacking", + "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" + }, + { + "source_name": "IETF-PKCE", + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", + "url": "https://tools.ietf.org/html/rfc7636" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", - "created": "2017-10-25T14:48:32.008Z", - "x_mitre_version": "2.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1416", - "url": "https://attack.mitre.org/techniques/T1416" - }, - { - "source_name": "Trend Micro iOS URL Hijacking", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", - "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." 
- }, - { - "source_name": "IETF-PKCE", - "url": "https://tools.ietf.org/html/rfc7636", - "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)", - "modified": "2022-04-01T15:17:21.508Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:40.453Z", "name": "URI Hijacking", - "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", + "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. 
If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3.json b/mobile-attack/attack-pattern/attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3.json index cd31aceb93..26355a147f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3.json +++ b/mobile-attack/attack-pattern/attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--1ac6a59c-f9f9-4c43-bcde-df3c2f1beff0", + "id": "bundle--971d75f8-c31a-478a-8a13-7c9bc2080daf", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T15:28:54.940Z", + "modified": "2024-11-17T13:32:52.030Z", "name": "Compromise Software Dependencies and Development Tools", "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", "kill_chain_phases": [ @@ -40,8 +40,8 @@ }, { "source_name": "Grace-Advertisement", - "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.", - "url": "https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf" + "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved November 17, 2024.", + "url": "https://dl.acm.org/doi/10.1145/2185448.2185464" }, { "source_name": "NIST Mobile Threat Catalogue", @@ -77,7 +77,7 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b.json b/mobile-attack/attack-pattern/attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b.json index ec04abae38..d48cfacd46 100644 --- a/mobile-attack/attack-pattern/attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b.json 
@@ -1,67 +1,57 @@ { "type": "bundle", - "id": "bundle--de0e8ffc-d57b-443b-80ba-1a080ef062cc", + "id": "bundle--22f7a97b-3c73-44b4-b17d-fc60d367b5e5", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", + "created": "2019-10-02T14:46:43.632Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1523", + "external_id": "T1523" + }, + { + "source_name": "Sophos Anti-emulation", + "description": "Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019.", + "url": "https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/" + }, + { + "source_name": "Xiao-ZergHelper", + "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" + }, + { + "source_name": "Cyberscoop Evade Analysis January 2019", + "description": "Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019.", + "url": "https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/" + }, + { + "source_name": "ThreatFabric Cerberus", + "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + }, + { + "source_name": "Github Anti-emulator", + "description": "Tim Strazzere. (n.d.). Android Anti-Emulator. 
Retrieved October 2, 2019.", + "url": "https://github.com/strazzere/anti-emulator" + }, + { + "source_name": "Talos Gustuff Apr 2019", + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", - "created": "2019-10-02T14:46:43.632Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1523", - "url": "https://attack.mitre.org/techniques/T1523" - }, - { - "source_name": "Sophos Anti-emulation", - "url": "https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/", - "description": "Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019." - }, - { - "source_name": "Xiao-ZergHelper", - "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/", - "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016." - }, - { - "source_name": "Cyberscoop Evade Analysis January 2019", - "url": "https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/", - "description": "Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019." - }, - { - "source_name": "ThreatFabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019." 
- }, - { - "source_name": "Github Anti-emulator", - "url": "https://github.com/strazzere/anti-emulator", - "description": "Tim Strazzere. (n.d.). Android Anti-Emulator. Retrieved October 2, 2019." - }, - { - "source_name": "Talos Gustuff Apr 2019", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", - "modified": "2022-03-30T17:54:56.590Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:40.634Z", "name": "Evade Analysis Environment", - "x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. 
These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -72,12 +62,22 @@ "phase_name": "discovery" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json b/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json index 183c75b5b9..acd2d49eee 100644 --- a/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json 
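Review bot: The `Xiao-ZergHelper` entry in the re-ordered `external_references` of the first hunk keeps a plain-HTTP URL on `http://researchcenter.paloaltonetworks.com/`, although this same patch moves other citations to archived or current locations (the `SWB Exodus March 2019` and `Grace-Advertisement` references in earlier files). Whether the old host still resolves cannot be told from the diff. If it has moved, the reference should point to the current or an archived `https` copy with a fresh retrieval date, as done for the other two. Two descriptions in the same list also carry stray punctuation: `Chen Yu et al. . (2017, April 13)` and `targets Australia . Retrieved`. All three are unchanged from the removed side.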
+++ b/mobile-attack/attack-pattern/attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5.json 
@@ -1,36 +1,9 @@ { "type": "bundle", - "id": "bundle--33aa9490-c88d-42f8-bbff-42d0dd385698", + "id": "bundle--500561f6-ebf9-4202-8976-15e0957a1ad9", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:43:49.443Z", - "name": "URI Hijacking", - "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ], - "x_mitre_contributors": [ - "Leo Zhang, Trend Micro", - "Steven Du, Trend Micro" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. 
(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "created": "2022-04-01T15:15:35.640Z", 
@@ -66,8 +39,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:51.304Z", + "name": "URI Hijacking", + "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Leo Zhang, Trend Micro", + "Steven Du, Trend Micro" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. 
Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1.json b/mobile-attack/attack-pattern/attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1.json index 107a8f48ea..699fff0b8c 100644 --- a/mobile-attack/attack-pattern/attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1.json +++ b/mobile-attack/attack-pattern/attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--d1ee061d-603a-4f51-9174-01b47318da6d", + "id": "bundle--325c0ff5-2473-4de8-abeb-865c627cae6d", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:52:52.097Z", - "name": "Subvert Trust Controls", - "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "created": "2022-03-30T18:05:46.795Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:51.458Z", + "name": "Subvert Trust Controls", + "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44.json b/mobile-attack/attack-pattern/attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44.json index aadff5930e..30cf27ebb5 100644 --- a/mobile-attack/attack-pattern/attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44.json +++ b/mobile-attack/attack-pattern/attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44.json 
@@ -1,54 +1,54 @@ { "type": "bundle", - "id": "bundle--cff25b92-79a3-4222-b4c2-850738947b37", + "id": "bundle--04ecab8d-7222-42cd-95ed-9ea9c747b184", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", + "created": "2017-10-25T14:48:11.116Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1433", + "external_id": "T1433" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", + "external_id": "APP-13" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", - "created": "2017-10-25T14:48:11.116Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1433", - "url": "https://attack.mitre.org/techniques/T1433" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-13" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.", - "modified": "2022-04-01T13:14:43.174Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:40.824Z", "name": "Access Call Log", - 
"x_mitre_detection": "On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.", + "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json b/mobile-attack/attack-pattern/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json index d2f9f7c443..2b587213d0 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json +++ b/mobile-attack/attack-pattern/attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31.json 
@@ -1,64 +1,64 @@ { "type": "bundle", - "id": "bundle--c68118ee-b171-4589-85c2-c25ae212eb66", + "id": "bundle--7273618d-a2e2-4834-9e9b-066b2539b671", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", + "created": "2020-09-11T15:04:14.532Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1581", + "external_id": "T1581" + }, + { + "source_name": "Lookout eSurv", + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/esurv-research" + }, + { + "source_name": "Apple Location Services", + "description": "Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020.", + "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services" + }, + { + "source_name": "Android Geofencing API", + "description": "Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020.", + "url": "https://developer.android.com/training/location/geofencing" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", - "created": "2020-09-11T15:04:14.532Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1581", - "url": "https://attack.mitre.org/techniques/T1581" - }, - { - "source_name": "Lookout eSurv", - "url": "https://blog.lookout.com/esurv-research", - "description": "A. Bauer. (2019, April 8). 
Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." - }, - { - "source_name": "Apple Location Services", - "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services", - "description": "Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020." - }, - { - "source_name": "Android Geofencing API", - "url": "https://developer.android.com/training/location/geofencing", - "description": "Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. 
These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", - "modified": "2022-03-30T20:43:31.244Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:41.041Z", "name": "Geofencing", - "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", + "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. 
For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483.json b/mobile-attack/attack-pattern/attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483.json index 0e070aaf98..6fbeb7f490 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483.json +++ b/mobile-attack/attack-pattern/attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483.json 
@@ -1,58 +1,58 @@ { "type": "bundle", - "id": "bundle--b09ec4b0-7756-496b-9fac-ce48430146dd", + "id": "bundle--53eab7ee-29a7-4bfd-b476-8afd8efdc339", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", + "created": "2017-10-25T14:48:29.774Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1401", + "external_id": "T1401" + }, + { + "source_name": "Android DeviceAdminInfo", + "description": "Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020.", + "url": "https://developer.android.com/reference/android/app/admin/DeviceAdminInfo" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", + "external_id": "APP-22" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", - "created": "2017-10-25T14:48:29.774Z", - "x_mitre_version": "2.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1401", - "url": "https://attack.mitre.org/techniques/T1401" - }, - { - "source_name": "Android DeviceAdminInfo", - "url": "https://developer.android.com/reference/android/app/admin/DeviceAdminInfo", - "description": "Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020." 
- }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-22" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device\u2019s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", - "modified": "2022-04-01T16:52:36.965Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:41.218Z", "name": "Device Administrator Permissions", - "x_mitre_detection": "Users can see when an app requests device administrator permissions. 
Users can also view which apps have device administrator permissions in the settings menu.", + "description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device\u2019s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can see when an app requests device administrator permissions. Users can also view which apps have device administrator permissions in the settings menu.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16.json b/mobile-attack/attack-pattern/attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16.json index 63efe34636..159327f4b1 100644 --- a/mobile-attack/attack-pattern/attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16.json +++ b/mobile-attack/attack-pattern/attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--4da86e74-2795-44d3-ba35-2dc1a50f3a1f", + "id": "bundle--0f6bd01b-554b-4fd0-870d-67f153458be5", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "type": "attack-pattern", + "id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "created": "2017-10-25T14:48:34.830Z", "revoked": true, "external_references": [ @@ -18,8 +15,16 @@ "external_id": "T1443" } ], - "modified": "2018-10-17T01:05:10.701Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:41.398Z", "name": "Remotely Install Application", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66.json b/mobile-attack/attack-pattern/attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66.json index 8b04ee8c3c..b11cb2aaf3 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66.json +++ b/mobile-attack/attack-pattern/attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66.json 
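Review bot: The revoked object `attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16` (T1443) still has no `created_by_ref` on the new side, even though this change adds `object_marking_refs` and `x_mitre_modified_by_ref` to it. The first hunk's context runs from `created` straight to `revoked`. The other revoked techniques updated in this part of the commit (T1433, T1581, T1401) all carry `"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",`, so a consumer that selects MITRE-authored objects by that field would handle this one differently. If the omission is not deliberate, add that line after `created`. Lines 12–14 of the file fall between the two hunks and are not shown, but they appear to sit inside `external_references`.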
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--dcf29508-23bf-425a-a977-cbc9f5d3afcb", + "id": "bundle--af976b4d-7055-4c61-9fbe-8d469acdb89a", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:45:39.362Z", - "name": "Keychain", - "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "created": "2022-04-01T15:01:32.169Z", 
@@ -56,8 +34,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:51.670Z", + "name": "Keychain", + "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json b/mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json index 502e6d8de8..1798025cbb 100644 --- a/mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json +++ b/mobile-attack/attack-pattern/attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6.json 
@@ -1,53 +1,53 @@ { "type": "bundle", - "id": "bundle--2d27a478-eab6-4a80-800f-4af2c05702b2", + "id": "bundle--938a2ae5-b3c8-4f8d-aba5-d20f470524ba", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6", + "created": "2017-10-25T14:48:29.092Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1403", + "external_id": "T1403" + }, + { + "source_name": "Sabanal-ART", + "description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016.", + "url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6", - "created": "2017-10-25T14:48:29.092Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1403", - "url": "https://attack.mitre.org/techniques/T1403" - }, - { - "source_name": "Sabanal-ART", - "url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf", - "description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016." - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. 
Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)", - "modified": "2022-04-06T15:46:29.338Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:41.585Z", "name": "Modify Cached Executable Code", - "x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.", + "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json b/mobile-attack/attack-pattern/attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json
index 9d5e1633fa..a5ab7c2bf3 100644
--- a/mobile-attack/attack-pattern/attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json
+++ b/mobile-attack/attack-pattern/attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05.json
@@ -1,46 +1,47 @@ { "type": "bundle", - "id": "bundle--4a4a355d-a91a-4262-a169-fc382345fee6", + "id": "bundle--f0e31577-1d56-4347-8d5a-3e9a0e0a73ef", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "type": "attack-pattern", + "id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "created": "2017-10-25T14:48:28.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [ { - "external_id": "T1419", + "source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1419", - "source_name": "mitre-mobile-attack" + "external_id": "T1419" }, { - "url": "https://developer.android.com/reference/android/os/Build", + "source_name": "Android-Build", "description": "Android. (n.d.). Build. Retrieved December 21, 2016.", - "source_name": "Android-Build" + "url": "https://developer.android.com/reference/android/os/Build" } ], - "modified": "2019-10-16T13:24:48.936Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:41.755Z", "name": "Device Type Discovery", "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). 
Device information could be used to target privilege escalation exploits.", "kill_chain_phases": [ { - "phase_name": "discovery", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" } ], - "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5.json b/mobile-attack/attack-pattern/attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5.json index 7d1b72c431..ce1a305184 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5.json +++ b/mobile-attack/attack-pattern/attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5.json 
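Review bot: The ATT&CK entry in `external_references` for T1419 is re-emitted with `"source_name": "mitre-mobile-attack"`, while the other attack-pattern objects visible in this patch (T1403, T1576, T1447, T1448, T1670) use `"mitre-attack"`. A consumer that resolves the technique ID by filtering on `source_name == "mitre-attack"` would presumably return no ID for this object and so could not follow its revocation to the replacement technique. If the legacy value is not being kept on purpose for revoked objects, the line should read `"source_name": "mitre-attack",`; otherwise lookup code has to accept both values. The object continues past the end of this hunk, so the remaining fields were not checked.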
@@ -1,53 +1,53 @@ { "type": "bundle", - "id": "bundle--1a345c3c-5b0f-4163-8951-b251dc0e46e5", + "id": "bundle--e5fbfdb8-300f-4a35-ac00-a3accadfc5ab", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", + "created": "2020-05-04T13:49:34.706Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1576", + "external_id": "T1576" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", + "external_id": "APP-43" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", - "created": "2020-05-04T13:49:34.706Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1576", - "url": "https://attack.mitre.org/techniques/T1576" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-43" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:\n\n* Abusing device owner permissions to perform silent uninstallation using device owner API calls.\n* Abusing root permissions to delete files from the filesystem.\n* Abusing the accessibility service. 
This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", - "modified": "2022-03-30T19:34:09.371Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:41.929Z", "name": "Uninstall Malicious Application", - "x_mitre_detection": "", + "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:\n\n* Abusing device owner permissions to perform silent uninstallation using device owner API calls.\n* Abusing root permissions to delete files from the filesystem.\n* Abusing the accessibility service. This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a.json b/mobile-attack/attack-pattern/attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a.json new file mode 100644 index 0000000000..ff6b02eb6f --- /dev/null +++ b/mobile-attack/attack-pattern/attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a.json 
@@ -0,0 +1,58 @@ +{ + "type": "bundle", + "id": "bundle--531b0c5b-e691-465d-b95e-cab08ad0190f", + "spec_version": "2.0", + "objects": [ + { + "modified": "2025-03-14T17:56:26.095Z", + "name": "Virtualization Solution", + "description": "Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system.(Citation: Android Application Sandbox) There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF).(Citation: Android AVF Overview) \n\n \n\nThrough virtualization solutions, adversaries may execute malicious operations without user knowledge. For example, adversaries may mimic a legitimate banking application\u2019s functionalities in a virtual environment, thanks to the virtualization solution, while malicious code captures credentials. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_contributors": [ + "Liran Ravich, CardinalOps" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "type": "attack-pattern", + "id": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", + "created": "2025-03-14T17:56:26.095Z", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1670", + "external_id": "T1670" + }, + { + "source_name": "Android AVF Overview", + "description": "Android Open Source Project. (n.d.). Android Virtualization Framework (AVF) overview. 
Retrieved February 26, 2025.", + "url": "https://source.android.com/docs/core/virtualization" + }, + { + "source_name": "Android Application Sandbox", + "description": "Android Open Source Project. (n.d.). Application Sandbox. Retrieved February 26, 2025.", + "url": "https://source.android.com/docs/security/app-sandbox" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json b/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json index 9aa7eb7e63..a08010ee92 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json +++ b/mobile-attack/attack-pattern/attack-pattern--8e27551a-5080-4148-a584-c64348212e4f.json 
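Review bot: The new T1670 object ships with `"x_mitre_detection": ""` and has no `x_mitre_tactic_type` key, although every other attack-pattern in this patch carries `"x_mitre_tactic_type": ["Post-Adversary Device Access"]`. Coverage tooling that renders the detection field or groups mobile techniques by tactic type will show nothing for this defense-evasion technique, so either supply a detection sentence and add `"x_mitre_tactic_type": ["Post-Adversary Device Access"],` (if that field still applies to new objects) or document that both are intentionally absent. The `description` also contains a whitespace-only paragraph (`\n\n \n\n`) and a trailing space that renderers may display as an empty block.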
@@ -1,41 +1,32 @@ { "type": "bundle", - "id": "bundle--193008ed-2852-4ac0-b1ee-505f9716591b", + "id": "bundle--8df88027-42c8-4525-99a6-daa3580b6884", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", + "created": "2017-10-25T14:48:31.694Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1447", + "external_id": "T1447" + }, + { + "source_name": "Android DevicePolicyManager 2019", + "description": "Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019.", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", - "created": "2017-10-25T14:48:31.694Z", - "x_mitre_version": "2.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1447", - "url": "https://attack.mitre.org/techniques/T1447" - }, - { - "source_name": "Android DevicePolicyManager 2019", - "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html", - "description": "Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. 
(Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", - "modified": "2022-03-30T19:50:37.727Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:42.129Z", "name": "Delete Device Data", - "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.", + "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", 
@@ -46,12 +37,21 @@ "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json b/mobile-attack/attack-pattern/attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json index dda7d2f12f..8d0d81721a 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json +++ b/mobile-attack/attack-pattern/attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274.json 
@@ -1,58 +1,58 @@ { "type": "bundle", - "id": "bundle--02388e99-998a-44ff-9a4e-c4196f179749", + "id": "bundle--7c8965b2-ef66-446c-8fe2-cf7a462d2b0b", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", + "created": "2017-10-25T14:48:09.082Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1448", + "external_id": "T1448" + }, + { + "source_name": "Google Bread", + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" + }, + { + "source_name": "AndroidSecurity2014", + "description": "Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016.", + "url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", - "created": "2017-10-25T14:48:09.082Z", - "x_mitre_version": "2.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1448", - "url": "https://attack.mitre.org/techniques/T1448" - }, - { - "source_name": "Google Bread", - "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", - "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." 
- }, - { - "source_name": "AndroidSecurity2014", - "url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf", - "description": "Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "A malicious app may trigger fraudulent charges on a victim\u2019s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. 
Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", - "modified": "2022-04-06T13:57:38.841Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:42.305Z", "name": "Carrier Billing Fraud", - "x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.", + "description": "A malicious app may trigger fraudulent charges on a victim\u2019s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. 
Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json b/mobile-attack/attack-pattern/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json index 74e5482da8..a124feaef8 100644 --- a/mobile-attack/attack-pattern/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json +++ b/mobile-attack/attack-pattern/attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e.json 
@@ -1,20 +1,11 @@ { "type": "bundle", - "id": "bundle--f9529114-8769-4635-a959-fa38ef0c87dc", + "id": "bundle--a699e18d-56f2-4d44-bf18-17683a0e7c76", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "type": "attack-pattern", + "id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "created": "2017-10-25T14:48:17.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, @@ -25,8 +16,8 @@ "external_id": "T1415" }, { - "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", "external_id": "AUT-10" }, { @@ -50,7 +41,10 @@ "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures" } ], - "modified": "2020-10-23T15:05:40.674Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:42.505Z", "name": "URL Scheme Hijacking", "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "kill_chain_phases": [ 
@@ -59,8 +53,15 @@ "phase_name": "credential-access" } ], - "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" ], diff --git a/mobile-attack/attack-pattern/attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee.json b/mobile-attack/attack-pattern/attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee.json index e8c646a528..a556f6bbe6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee.json +++ b/mobile-attack/attack-pattern/attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--e302d176-ada5-4145-9293-104408187d29", + "id": "bundle--cf376e14-a309-4a98-b75a-bace4aa924f7", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:34:55.968Z", - "name": "Bidirectional Communication", - "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 
", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "created": "2022-04-06T15:47:06.071Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:51.825Z", + "name": "Bidirectional Communication", + "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5.json b/mobile-attack/attack-pattern/attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5.json index f0700341e0..e289dbf718 100644 --- a/mobile-attack/attack-pattern/attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5.json +++ b/mobile-attack/attack-pattern/attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--fee531dd-01b1-4cd0-a750-2899d86a414c", + "id": "bundle--3c84cbd4-0a87-4c79-a2a9-c1fc9354f4be", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-08T19:21:40.736Z", - "name": "Non-Standard Port", - "description": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "created": "2019-08-01T13:44:09.368Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:51.980Z", + "name": "Non-Standard Port", + "description": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc.json b/mobile-attack/attack-pattern/attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc.json index 1a49000c43..6e6c43a9a4 100644 --- a/mobile-attack/attack-pattern/attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc.json +++ b/mobile-attack/attack-pattern/attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--9bbf5d50-922a-4109-a35f-5aea5cf1a23b", + "id": "bundle--dd654b47-f2b9-4a8a-9ae6-2efc3700eb38", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T15:32:37.109Z", - "name": "Compromise Software Supply Chain", - "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "created": "2022-03-28T19:25:17.596Z", 
@@ -67,8 +44,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:52.139Z", + "name": "Compromise Software Supply Chain", + "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5.json b/mobile-attack/attack-pattern/attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5.json index 96ecdccddd..451e5dd291 100644 --- a/mobile-attack/attack-pattern/attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5.json +++ b/mobile-attack/attack-pattern/attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--502d4b68-231a-4f0b-801f-832a93bdc55a", + "id": "bundle--20c1e35a-e087-4239-8ed5-229e14bcf1a3", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:33:56.861Z", - "name": "Dead Drop Resolver", - "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. 
", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "created": "2022-04-06T15:41:03.914Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:52.296Z", + "name": "Dead Drop Resolver", + "description": "Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4.json b/mobile-attack/attack-pattern/attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4.json index 679ceeeba8..b0ec978a29 100644 --- a/mobile-attack/attack-pattern/attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4.json +++ b/mobile-attack/attack-pattern/attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4.json 
@@ -1,36 +1,9 @@ { "type": "bundle", - "id": "bundle--8ce8a7c1-ef6c-441d-9f8a-1a87c884ef96", + "id": "bundle--55269a94-b8b2-421a-ace2-89a1c63077b8", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:50:21.363Z", - "name": "Location Tracking", - "description": "Adversaries may track a device\u2019s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device\u2019s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application\u2019s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. 
With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "discovery" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. \n\n \n\nIn both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "created": "2017-10-25T14:48:12.267Z", 
@@ -76,8 +49,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:52.460Z", + "name": "Location Tracking", + "description": "Adversaries may track a device\u2019s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device\u2019s physical location. On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application\u2019s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. 
With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. \n\n \n\nIn both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc.json b/mobile-attack/attack-pattern/attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc.json index 68a9bb12bd..c9ab90ba2e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc.json +++ b/mobile-attack/attack-pattern/attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc.json 
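Review bot: The added `description` for Location Tracking (attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4) still spells the Android permission as `ACCESS_COAURSE_LOCATION`, carried over unchanged from the removed lines. The `x_mitre_detection` field in the same object uses the correct `ACCESS_COARSE_LOCATION`. Anything that pulls permission names out of the description text, such as app-vetting rules or search indexes, would get a string that matches no real permission and miss the coarse-location case. The description should read `applications holding the `ACCESS_COARSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions`. This file looks like it is synced from the upstream ATT&CK release, so the correction probably has to be made there; the object itself starts in the previous hunk.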
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--24e8bc01-6106-4c5e-b356-868099722b84", + "id": "bundle--51d02009-ba40-41a7-a099-b0607f477075", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T15:56:34.537Z", - "name": "Device Administrator Permissions", - "description": "Adversaries may abuse Android\u2019s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device\u2019s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "privilege-escalation" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users are prompted for approval when an application requests device administrator permissions. Users can see which applications are registered as device administrators in the device settings. Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. 
This indicates it can prompt the user for device administrator permissions.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "created": "2022-04-01T15:59:05.830Z", 
@@ -46,8 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:52.648Z", + "name": "Device Administrator Permissions", + "description": "Adversaries may abuse Android\u2019s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device\u2019s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Users are prompted for approval when an application requests device administrator permissions. Users can see which applications are registered as device administrators in the device settings. Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. 
This indicates it can prompt the user for device administrator permissions.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1.json b/mobile-attack/attack-pattern/attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1.json index 78127f3efc..b89ac925e0 100644 --- a/mobile-attack/attack-pattern/attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1.json +++ b/mobile-attack/attack-pattern/attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1.json 
@@ -1,52 +1,42 @@ { "type": "bundle", - "id": "bundle--9a3f157f-0dcc-4024-9da5-cec36e2e579d", + "id": "bundle--3da19c15-45f4-408a-9019-10c602d680ec", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", + "created": "2017-10-25T14:48:17.886Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1446", + "external_id": "T1446" + }, + { + "source_name": "Xiao-KeyRaider", + "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" + }, + { + "source_name": "Android resetPassword", + "description": "Google. (n.d.). DevicePolicyManager. 
Retrieved October 1, 2019.", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", + "external_id": "APP-28" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", - "created": "2017-10-25T14:48:17.886Z", - "x_mitre_version": "2.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1446", - "url": "https://attack.mitre.org/techniques/T1446" - }, - { - "source_name": "Xiao-KeyRaider", - "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/", - "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016." - }, - { - "source_name": "Android resetPassword", - "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)", - "description": "Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-28" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. 
MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", - "modified": "2022-04-01T18:49:51.039Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:42.681Z", "name": "Device Lockout", - "x_mitre_detection": "On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate.", + "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", 
@@ -57,12 +47,22 @@ "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json b/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json index fdda238702..9b26547ba9 100644 --- a/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json +++ b/mobile-attack/attack-pattern/attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f.json 
@@ -1,36 +1,9 @@ { "type": "bundle", - "id": "bundle--2f8cac04-5023-440d-a343-4eed185103de", + "id": "bundle--4f54a506-2184-443b-9af6-a1f93446d4e1", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:58:20.113Z", - "name": "Remote Device Management Services", - "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "discovery" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "created": "2022-04-05T19:37:15.984Z", 
@@ -61,8 +34,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:52.807Z", + "name": "Remote Device Management Services", + "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242.json b/mobile-attack/attack-pattern/attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242.json index a4519ee9b6..d853ce3e81 100644 --- a/mobile-attack/attack-pattern/attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c04d2fc-52ad-4c3a-b55c-c913359dcff0", + "id": "bundle--90157e26-929f-46c3-bdd6-e68d71a9e2a4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--a0464539-e1b7-4455-a355-12495987c300.json b/mobile-attack/attack-pattern/attack-pattern--a0464539-e1b7-4455-a355-12495987c300.json index 8ea8ab9623..286f615fd1 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a0464539-e1b7-4455-a355-12495987c300.json +++ b/mobile-attack/attack-pattern/attack-pattern--a0464539-e1b7-4455-a355-12495987c300.json 
@@ -1,63 +1,63 @@ { "type": "bundle", - "id": "bundle--66501035-cb72-44ea-95f7-600abd9aced9", + "id": "bundle--c3d245d4-1952-4817-ac50-dd3810c736ad", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300", + "created": "2017-10-25T14:48:13.625Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1427", + "external_id": "T1427" + }, + { + "source_name": "ArsTechnica-PoisonTap", + "description": "Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016.", + "url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/" + }, + { + "source_name": "Wang-ExploitingUSB", + "description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016.", + "url": "http://dl.acm.org/citation.cfm?id=1920314" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", + "external_id": "PHY-2" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300", - "created": "2017-10-25T14:48:13.625Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1427", - "url": "https://attack.mitre.org/techniques/T1427" - }, - { - "source_name": "ArsTechnica-PoisonTap", - "url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/", - "description": "Dan Goodin. 
(2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016." - }, - { - "source_name": "Wang-ExploitingUSB", - "url": "http://dl.acm.org/citation.cfm?id=1920314", - "description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "PHY-2" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.", - "modified": "2022-04-06T15:39:14.695Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:42.856Z", "name": "Attack PC via USB Connection", - "x_mitre_detection": "", + "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. 
We are unaware of any demonstrations on iOS.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881.json b/mobile-attack/attack-pattern/attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881.json index f79db1b460..b3f67510ee 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881.json +++ b/mobile-attack/attack-pattern/attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--fa386def-c980-4f7a-a6b2-4af91753d66c", + "id": "bundle--b5b2d6fd-0be8-4ac1-9742-9826bf9bb113", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "type": "attack-pattern", + "id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "created": "2017-10-25T14:48:05.928Z", "revoked": true, "external_references": [ 
@@ -18,8 +15,16 @@ "external_id": "T1441" } ], - "modified": "2018-10-17T01:05:10.700Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:43.039Z", "name": "Stolen Developer Credentials or Signing Keys", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed.json b/mobile-attack/attack-pattern/attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed.json index 471c5c6569..08c8c5c490 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed.json +++ b/mobile-attack/attack-pattern/attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed.json 
@@ -1,59 +1,59 @@ { "type": "bundle", - "id": "bundle--3e720357-e068-4a86-801a-06f2ae0ac98c", + "id": "bundle--94a1b129-835d-47dd-a2b1-1072ef6101d1", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", + "created": "2017-10-25T14:48:22.296Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1467", + "external_id": "T1467" + }, + { + "source_name": "Computerworld-Femtocell", + "description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016.", + "url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", + "external_id": "CEL-7" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", - "created": "2017-10-25T14:48:22.296Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1467", - "url": "https://attack.mitre.org/techniques/T1467" - }, - { - "source_name": "Computerworld-Femtocell", - "url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html", - "description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016." 
- }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "CEL-7" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).", - "modified": "2022-04-06T15:52:41.578Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:43.216Z", "name": "Rogue Cellular Base Station", - "x_mitre_detection": "", + "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5.json b/mobile-attack/attack-pattern/attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5.json index 8bce53214c..8544b12b5f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5.json 
@@ -1,91 +1,67 @@ { "type": "bundle", - "id": "bundle--d2e31db9-9f30-4063-b4bb-ce947ce2d057", + "id": "bundle--837c55f5-d6d4-45aa-9a91-9918af9a0aac", "spec_version": "2.0", "objects": [ { + "modified": "2025-02-12T16:26:38.632Z", + "name": "SIM Card Swap", + "description": "Adversaries may gain access to mobile devices through transfers or swaps from victims\u2019 phone numbers to adversary-controlled SIM cards and mobile devices.(Citation: ATT SIM Swap Scams)(Citation: Verizon SIM Swapping) \n\nThe typical process is as follows: \n\n1. Adversaries will first gather information about victims through [Phishing](https://attack.mitre.org/techniques/T1660), social engineering, data breaches, or other avenues. \n2. Adversaries will then impersonate victims as they contact mobile carriers to request for the SIM swaps. For example, adversaries would provide victims\u2019 name and address to mobile carriers; once authenticated, adversaries would request for victims\u2019 phone numbers to be transferred to adversary-controlled SIM cards. \n3. Once completed, victims will lose mobile data, such as text messages and phone calls, on their mobile devices. In turn, adversaries will receive mobile data that was intended for the victims. \n\nAdversaries may use the intercepted SMS messages to log into online accounts that use SMS-based authentication. Specifically, adversaries may use SMS-based authentication to log into banking and/or cryptocurrency accounts, then transfer funds to adversary-controlled wallets. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_contributors": [ + "Karim Hasanen, @_karimhasanen", + "Jennifer Kim Roman" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, "x_mitre_platforms": [ "Android", "iOS" ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_contributors": [ - "Karim Hasanen, @_karimhasanen" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + "x_mitre_version": "2.0", + "x_mitre_tactic_type": [ + "Without Adversary Device Access" ], "type": "attack-pattern", "id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "created": "2017-10-25T14:48:20.329Z", - "x_mitre_version": "1.2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "external_id": "T1451", - "url": "https://attack.mitre.org/techniques/T1451" + "url": "https://attack.mitre.org/techniques/T1451", + "external_id": "T1451" }, { - "source_name": "Betanews-Simswap", - "url": "http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/", - "description": "Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016." + "source_name": "ATT SIM Swap Scams", + "description": "AT&T. (n.d.). UPDATE: Secure Your Number to Reduce SIM Swap Scams. Retrieved January 27, 2025.", + "url": "https://www.research.att.com/sites/cyberaware/ni/blog/sim_swap.html" }, { - "source_name": "Krebs-SimSwap", - "url": "https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/", - "description": "Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized \u2018SIM Swap\u2019 to Steal Instagram Account. Retrieved November 8, 2018." 
+ "source_name": "Verizon SIM Swapping", + "description": "Verizon. (n.d.). SIM Swapping. Retrieved January 27, 2025.", + "url": "https://www.verizon.com/about/account-security/sim-swapping" }, { - "source_name": "TechCrunch-SimSwap", - "url": "https://techcrunch.com/2017/08/23/i-was-hacked/", - "description": "John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018." - }, - { - "source_name": "Motherboard-Simswap2", - "url": "https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam", - "description": "Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018." - }, - { - "source_name": "Motherboard-Simswap1", - "url": "https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin", - "description": "Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018." - }, - { - "source_name": "Guardian-Simswap", - "url": "https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters", - "description": "Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016." - }, - { - "source_name": "NYGov-Simswap", - "url": "http://www.dos.ny.gov/consumerprotection/scams/att-sim.html", - "description": "New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", "external_id": "STA-22" } ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "An adversary could convince the mobile network operator (e.g. 
through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap)\n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)", - "modified": "2022-04-06T15:53:54.872Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "SIM Card Swap", - "x_mitre_detection": "", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "network-effects" - } + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_is_subtechnique": false, - "x_mitre_tactic_type": [ - "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad.json b/mobile-attack/attack-pattern/attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad.json index 63e4a7a42c..ebba4b6076 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad.json +++ b/mobile-attack/attack-pattern/attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad.json 
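Review bot: `x_mitre_detection` is still `""` on the new side of the T1451 object, although this hunk flips `x_mitre_deprecated` to `false` and raises `x_mitre_version` to `2.0`, so the re-activated technique ships with no detection guidance for tools that render that field. The new description already names an observable in step 3 (the victim stops receiving calls and text messages), so a minimal entry could be `"x_mitre_detection": "Users may notice an unexpected loss of calls and text messages on their device, which can indicate that the phone number has been moved to another SIM."`. As a style point, this object now opens with `modified`/`name`/`description`, while the other objects reordered in this commit open with `type`/`id`/`created`; parsers do not care, but the inconsistency makes this file's diff noisier than its neighbours. The attack-pattern object lies entirely inside the hunk; only the bundle's closing brace falls outside it.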
@@ -1,36 +1,9 @@ { "type": "bundle", - "id": "bundle--bb416f06-dc18-4733-8a6b-92c848ba69d8", + "id": "bundle--ea461f81-fc63-4de7-ab6c-e375df622a79", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:44:36.145Z", - "name": "Input Capture", - "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.3", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "created": "2017-10-25T14:48:27.660Z", 
@@ -56,8 +29,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:52.964Z", + "name": "Input Capture", + "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. [GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467.json b/mobile-attack/attack-pattern/attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467.json index 1ae1935e12..6f7f1a2067 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467.json +++ b/mobile-attack/attack-pattern/attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467.json @@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--46e2309a-2a4c-41ef-99b9-0208839c0717", + "id": "bundle--beb63b77-d179-4e74-8e8c-ae6700785203", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:57:17.144Z", - "name": "Generate Traffic from Victim", - "description": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can review which applications can use premium SMS features in the \u201cSpecial access\u201d page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "created": "2022-04-06T13:55:14.390Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:53.113Z", + "name": "Generate Traffic from Victim", + "description": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users can review which applications can use premium SMS features in the \u201cSpecial access\u201d page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9.json b/mobile-attack/attack-pattern/attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9.json index 0d22a27955..eb92d75d60 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9.json +++ b/mobile-attack/attack-pattern/attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9.json @@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--71f1596a-8818-4d24-8462-83658840a609", + "id": "bundle--98fd53e2-b58b-47f3-9839-8294244046bd", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:18:29.556Z", - "name": "Disguise Root/Jailbreak Indicators", - "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can use attestation to detect compromised devices.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "created": "2022-04-08T16:29:30.087Z", 
@@ -62,8 +39,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:53.262Z", + "name": "Disguise Root/Jailbreak Indicators", + "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can use attestation to detect compromised devices.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json b/mobile-attack/attack-pattern/attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json index 7a7cf0ee71..8b52c671cf 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json +++ b/mobile-attack/attack-pattern/attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f.json 
@@ -1,60 +1,47 @@ { "type": "bundle", - "id": "bundle--8ed67e70-ce03-48f1-b44c-c0dbc66c47f2", + "id": "bundle--51f476af-0ade-437c-99f1-47e60c14964a", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_contributors": [ - "Alex Hinchliffe, Palo Alto Networks" + "type": "attack-pattern", + "id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", + "created": "2017-10-25T14:48:35.247Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1444", + "external_id": "T1444" + }, + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + }, + { + "source_name": "Zhou", + "description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. 
Retrieved December 9, 2016.", + "url": "http://ieeexplore.ieee.org/document/6234407" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", + "external_id": "APP-31" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", + "external_id": "APP-14" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", - "created": "2017-10-25T14:48:35.247Z", - "x_mitre_version": "2.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1444", - "url": "https://attack.mitre.org/techniques/T1444" - }, - { - "source_name": "Palo Alto HenBox", - "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", - "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." - }, - { - "source_name": "Zhou", - "url": "http://ieeexplore.ieee.org/document/6234407", - "description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-31" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-14" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. 
This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", - "modified": "2022-04-06T15:45:52.558Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:43.392Z", "name": "Masquerade as Legitimate Application", - "x_mitre_detection": "Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed.", + "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. 
The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -65,12 +52,25 @@ "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Alex Hinchliffe, Palo Alto Networks" + ], + "x_mitre_deprecated": true, + "x_mitre_detection": "Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json b/mobile-attack/attack-pattern/attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json index 42fad662f2..cad8be6f59 100644 --- a/mobile-attack/attack-pattern/attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json +++ b/mobile-attack/attack-pattern/attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431.json 
@@ -1,14 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--9b0770a8-3b56-4183-baae-f98c84be56ea",
+ "id": "bundle--2572b09c-6a73-4583-8688-e319954a67a6",
 "spec_version": "2.0",
 "objects": [
 {
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
 "type": "attack-pattern",
+ "id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431",
 "created": "2017-10-25T14:48:19.682Z",
 "revoked": true,
 "external_references": [
@@ -18,8 +15,16 @@
 "external_id": "T1457"
 }
 ],
- "modified": "2018-10-17T01:05:10.703Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T18:00:43.584Z",
 "name": "Malicious Media Content",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_version": "1.0",
 "x_mitre_is_subtechnique": false
 }
diff --git a/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json b/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json
index 11aa2fb0c0..56958fbc1f 100644
--- a/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json
+++ b/mobile-attack/attack-pattern/attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922.json
@@ -1,29 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--28c6d1bd-acb9-4f4c-946a-020cd4540ce2",
+ "id": "bundle--70bb9ff8-7427-41a2-8269-2f9922ecc624",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-16T18:28:28.234Z",
- "name": "Calendar Entries",
- "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user\u2019s knowledge or approval. ",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "collection"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. ",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Android",
- "iOS"
- ],
- "x_mitre_version": "1.1",
 "type": "attack-pattern",
 "id": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922",
 "created": "2022-04-01T12:48:27.021Z",
@@ -44,8 +24,28 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:21:53.420Z",
+ "name": "Calendar Entries",
+ "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user\u2019s knowledge or approval. ",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "collection"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. ",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "1.1"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63.json b/mobile-attack/attack-pattern/attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63.json
index c5cffd1cbc..0069826464 100644
--- a/mobile-attack/attack-pattern/attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63.json
+++ b/mobile-attack/attack-pattern/attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63.json
@@ -1,31 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--6c6b65f5-6497-4527-8ead-cca60dd4170b",
+ "id": "bundle--6857bb0b-6123-4f1c-8f91-f8a924751925",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-20T18:52:24.758Z",
- "name": "File Deletion",
- "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Application vetting services could be extra scrutinous of applications that request device administrator permissions.",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Android"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_tactic_type": [
- "Post-Adversary Device Access"
- ],
 "type": "attack-pattern",
 "id": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63",
 "created": "2022-03-30T19:36:09.691Z",
@@ -46,8 +24,30 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:21:53.593Z",
+ "name": "File Deletion",
+ "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Application vetting services could be extra scrutinous of applications that request device administrator permissions.",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591.json b/mobile-attack/attack-pattern/attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591.json
index 0807c5ad16..c6fe9e6019 100644
--- a/mobile-attack/attack-pattern/attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591.json
+++ b/mobile-attack/attack-pattern/attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591.json
@@ -1,31 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--9dfcd94b-1730-4184-9ac2-2b58d419bf86",
+ "id": "bundle--78ce0ad7-7711-4308-81bf-65360d1ca94f",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-20T18:39:10.201Z",
- "name": "Device Lockout",
- "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted \u201ccall\u201d notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device\u2019s passcode.(Citation: Android resetPassword)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "defense-evasion"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "Users can view a list of device administrators in device settings and revoke permission where appropriate. 
Applications that request device administrator permissions should be scrutinized further for malicious behavior.",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Android"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_tactic_type": [
- "Post-Adversary Device Access"
- ],
 "type": "attack-pattern",
 "id": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591",
 "created": "2022-04-01T18:49:03.892Z",
@@ -66,8 +44,30 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:21:53.782Z",
+ "name": "Device Lockout",
+ "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted \u201ccall\u201d notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device\u2019s passcode.(Citation: Android resetPassword)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "defense-evasion"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Users can view a list of device administrators in device settings and revoke permission where appropriate. 
Applications that request device administrator permissions should be scrutinized further for malicious behavior.",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47.json b/mobile-attack/attack-pattern/attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47.json
index 7bef893999..1f8f106f2a 100644
--- a/mobile-attack/attack-pattern/attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47.json
+++ b/mobile-attack/attack-pattern/attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47.json
@@ -1,36 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--be82096b-9427-4459-b50a-86e1b125549b",
+ "id": "bundle--410e8809-beda-49a9-977f-c5f53e07ebe0",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-20T18:48:39.936Z",
- "name": "Keylogging",
- "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "collection"
- },
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "credential-access"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. \n\nApplication vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. 
On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_is_subtechnique": true,
- "x_mitre_platforms": [
- "Android",
- "iOS"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_tactic_type": [
- "Post-Adversary Device Access"
- ],
 "type": "attack-pattern",
 "id": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47",
 "created": "2022-04-05T19:45:03.000Z",
@@ -56,8 +29,35 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:21:53.936Z",
+ "name": "Keylogging",
+ "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "collection"
+ },
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "credential-access"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. \n\nApplication vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. 
On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": true,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json b/mobile-attack/attack-pattern/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json
index 2361cf682b..065b403819 100644
--- a/mobile-attack/attack-pattern/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json
+++ b/mobile-attack/attack-pattern/attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b.json
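Review bot: The last list item in the re-added Keylogging `description` (attack-pattern--b1c95426-…, hunk `@@ -56,8 +29,35 @@`) is written `\n*Additional methods of keylogging…` with no space after the asterisk, so a Markdown renderer will show a literal `*` instead of a third bullet. It should read `\n* Additional methods of keylogging may be possible if root access is available.` to match the two items above it. The string is carried over unchanged from the old side, so the defect predates this commit, but this re-serialization is the natural place to fix it.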
@@ -1,31 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--e3301916-f8bf-4f39-b2d6-6e58307e2dfb",
+ "id": "bundle--58e1d56a-1863-4f16-96a9-97d6cec6361f",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-20T18:58:57.001Z",
- "name": "SMS Control",
- "description": "Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)",
- "kill_chain_phases": [
- {
- "kill_chain_name": "mitre-mobile-attack",
- "phase_name": "impact"
- }
- ],
- "x_mitre_deprecated": false,
- "x_mitre_detection": "Users can view the default SMS handler in system settings.",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_is_subtechnique": false,
- "x_mitre_platforms": [
- "Android"
- ],
- "x_mitre_version": "1.1",
- "x_mitre_tactic_type": [
- "Post-Adversary Device Access"
- ],
 "type": "attack-pattern",
 "id": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b",
 "created": "2020-09-11T15:14:33.730Z",
@@ -61,8 +39,30 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "modified": "2025-04-16T21:21:54.090Z",
+ "name": "SMS Control",
+ "description": "Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)",
+ "kill_chain_phases": [
+ {
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "impact"
+ }
+ ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Users can view the default SMS handler in system settings.",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_version": "1.1",
+ "x_mitre_tactic_type": [
+ "Post-Adversary Device Access"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6.json b/mobile-attack/attack-pattern/attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6.json
index 2c62760d38..0bef012a84 100644
--- a/mobile-attack/attack-pattern/attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6.json
+++ b/mobile-attack/attack-pattern/attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6.json 
@@ -1,69 +1,69 @@
 {
 "type": "bundle",
- "id": "bundle--d1b2cd32-7483-4e91-8b92-a3a50dde7bf6",
+ "id": "bundle--b4299b5c-b762-4664-a801-3fc4917db678",
 "spec_version": "2.0",
 "objects": [
 {
- "x_mitre_platforms": [
- "Android",
- "iOS"
- ],
- "x_mitre_domains": [
- "mobile-attack"
+ "type": "attack-pattern",
+ "id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
+ "created": "2017-10-25T14:48:14.003Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": true,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1408",
+ "external_id": "T1408"
+ },
+ {
+ "source_name": "Brodie",
+ "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.",
+ "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf"
+ },
+ {
+ "source_name": "Rastogi",
+ "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.",
+ "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"
+ },
+ {
+ "source_name": "Tan",
+ "description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. 
Retrieved February 4, 2017.",
+ "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions"
+ },
+ {
+ "source_name": "NIST Mobile Threat Catalogue",
+ "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html",
+ "external_id": "EMM-5"
+ }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "type": "attack-pattern",
- "id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6",
- "created": "2017-10-25T14:48:14.003Z",
- "x_mitre_version": "1.1",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "external_id": "T1408",
- "url": "https://attack.mitre.org/techniques/T1408"
- },
- {
- "source_name": "Brodie",
- "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf",
- "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016."
- },
- {
- "source_name": "Rastogi",
- "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf",
- "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016."
- },
- {
- "source_name": "Tan",
- "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions",
- "description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017."
- },
- {
- "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html",
- "source_name": "NIST Mobile Threat Catalogue",
- "external_id": "EMM-5"
- }
- ],
- "x_mitre_deprecated": false,
- "revoked": true,
- "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). 
For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).",
- "modified": "2022-04-08T16:29:55.321Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2025-04-18T18:00:43.756Z",
 "name": "Disguise Root/Jailbreak Indicators",
- "x_mitre_detection": "",
+ "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).",
 "kill_chain_phases": [
 {
 "kill_chain_name": "mitre-mobile-attack",
 "phase_name": "defense-evasion"
 }
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
 "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "1.1",
 "x_mitre_tactic_type": [
 "Post-Adversary Device Access"
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a.json b/mobile-attack/attack-pattern/attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a.json
index fbe9ab5088..059183198e 100644
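Review bot: Two of the re-added `external_references` entries in the Disguise Root/Jailbreak Indicators object (hunk `@@ -1,69 +1,69 @@`) still use cleartext links, `"url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"` and `"url": "http://www.blackhat.com/us-16/briefings.html#…"`, while the other references in the same array use `https://`. Any tool that resolves or archives citation URLs from this bundle would fetch those two over an unauthenticated channel; if the hosts serve the same paths over TLS, the scheme should be switched to `https://`. Separately, `"x_mitre_detection": ""` is kept as an empty string on an object marked `"revoked": true`, so consumers that build detection coverage from this file should filter on `revoked` rather than expect detection text here.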
--- a/mobile-attack/attack-pattern/attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a.json
+++ b/mobile-attack/attack-pattern/attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a.json
@@ -1,54 +1,54 @@
 {
 "type": "bundle",
- "id": "bundle--cecaca72-276f-4f92-8796-6f7cd7ac790d",
+ "id": "bundle--6842b503-3fb3-4836-8466-c3deac6ca7f3",
 "spec_version": "2.0",
 "objects": [
 {
- "x_mitre_platforms": [
- "Android",
- "iOS"
- ],
- "x_mitre_domains": [
- "mobile-attack"
+ "type": "attack-pattern",
+ "id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
+ "created": "2017-10-25T14:48:27.307Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": true,
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/techniques/T1438",
+ "external_id": "T1438"
+ },
+ {
+ "source_name": "NIST Mobile Threat Catalogue",
+ "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
+ "external_id": "APP-30"
+ }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "type": "attack-pattern",
- "id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
- "created": "2017-10-25T14:48:27.307Z",
- "x_mitre_version": "2.0",
- "external_references": [
- {
- "source_name": "mitre-attack",
- "external_id": "T1438",
- "url": "https://attack.mitre.org/techniques/T1438"
- },
- {
- "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html",
- "source_name": "NIST Mobile Threat Catalogue",
- "external_id": "APP-30"
- }
- ],
- "x_mitre_deprecated": false,
- "revoked": true,
- "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. 
",
- "modified": "2022-04-18T19:46:02.529Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "modified": "2025-04-18T18:00:43.920Z",
 "name": "Exfiltration Over Other Network Medium",
- "x_mitre_detection": "Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. ",
 "kill_chain_phases": [
 {
- "phase_name": "command-and-control",
- "kill_chain_name": "mitre-mobile-attack"
+ "kill_chain_name": "mitre-mobile-attack",
+ "phase_name": "command-and-control"
 }
 ],
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_deprecated": false,
+ "x_mitre_detection": "Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
 "x_mitre_is_subtechnique": false,
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_version": "2.0",
 "x_mitre_tactic_type": [
 "Post-Adversary Device Access"
- ],
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/attack-pattern/attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b.json b/mobile-attack/attack-pattern/attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b.json
index 2e6d14f17e..8779013b4f 100644
--- a/mobile-attack/attack-pattern/attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b.json
+++ b/mobile-attack/attack-pattern/attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b.json
@@ -1,14 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--a324abf8-f647-46be-a8e4-bc6e1e0d1051",
+ "id": "bundle--7c0b77fb-3548-4aa6-85ee-cd5228162fe6",
 "spec_version": "2.0",
 "objects": [
 {
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
 "type": "attack-pattern",
+ "id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b",
 "created": "2017-10-25T14:48:26.473Z",
 "revoked": true,
 "external_references": [
@@ -18,8 +15,16 @@
 "external_id": "T1440"
 }
 ],
- "modified": "2018-10-17T01:05:10.700Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-18T18:00:44.130Z",
 "name": "Detect App Analysis Environment",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_version": "1.0",
 "x_mitre_is_subtechnique": false
 }
diff --git a/mobile-attack/attack-pattern/attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff.json b/mobile-attack/attack-pattern/attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff.json
index 4cfc0bc339..38e06fd7b2 100644
--- a/mobile-attack/attack-pattern/attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff.json
+++ b/mobile-attack/attack-pattern/attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff.json
@@ -1,36 +1,9 @@ { "type": "bundle", - "id": "bundle--91543121-8424-4d41-a191-6799876b65d9", + "id": "bundle--30e451e7-0e89-49c8-9d36-32d2100823d4", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:55:54.442Z", - "name": "Process Injection", - "description": "Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nBoth Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "privilege-escalation" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "created": "2022-03-30T18:50:43.393Z", 
@@ -46,8 +19,35 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:54.246Z", + "name": "Process Injection", + "description": "Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nBoth Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "privilege-escalation" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc.json b/mobile-attack/attack-pattern/attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc.json index fa86e3443c..dac098723d 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc.json +++ b/mobile-attack/attack-pattern/attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--ac5531d5-9777-4c50-a7c6-2eafc30e968d", + "id": "bundle--4915947e-927d-4a9e-b5b7-361776057e68", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "type": "attack-pattern", + "id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "created": "2017-10-25T14:48:24.905Z", "revoked": true, "external_references": [ @@ -18,8 +15,16 @@ "external_id": "T1462" } ], - "modified": "2018-10-17T01:05:10.704Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:44.301Z", "name": "Malicious Software Development Tools", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json b/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json index ced4613341..9b4eae13de 100644 --- a/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json +++ b/mobile-attack/attack-pattern/attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303.json 
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--640ab92c-251b-4282-9767-a5ce7b812d1e", + "id": "bundle--7cb88e50-14fd-44c0-9254-d90811ebf68c", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "created": "2022-04-05T20:14:17.310Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1521/001", + "external_id": "T1521.001" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", - "created": "2022-04-05T20:14:17.310Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1521.001", - "url": "https://attack.mitre.org/techniques/T1521/001" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. 
Common symmetric encryption algorithms include AES, Blowfish, and RC4.", - "modified": "2022-04-05T20:14:17.310Z", + "modified": "2025-04-16T21:21:54.401Z", "name": "Symmetric Cryptography", - "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.", "kill_chain_phases": [ { - "phase_name": "command-and-control", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69.json b/mobile-attack/attack-pattern/attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69.json index ab82e4b7f6..b1185428d5 100644 --- a/mobile-attack/attack-pattern/attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69.json +++ b/mobile-attack/attack-pattern/attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69.json 
@@ -1,41 +1,32 @@ { "type": "bundle", - "id": "bundle--9930685f-ca96-4bfc-8357-cdb6cfe2af22", + "id": "bundle--dd78711b-7bfc-48ea-ab52-842cd7330eec", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", + "created": "2017-10-25T14:48:30.127Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1402", + "external_id": "T1402" + }, + { + "source_name": "Android Changes to System Broadcasts", + "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.", + "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", - "created": "2017-10-25T14:48:30.127Z", - "x_mitre_version": "2.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1402", - "url": "https://attack.mitre.org/techniques/T1402" - }, - { - "source_name": "Android Changes to System Broadcasts", - "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", - "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. 
Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)", - "modified": "2022-03-30T14:43:46.019Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:44.489Z", "name": "Broadcast Receivers", - "x_mitre_detection": "Broadcast intent receivers are part of standard OS-level APIs and are therefore typically undetectable to the end user.", + "description": "An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. 
This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -46,12 +37,21 @@ "phase_name": "execution" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Broadcast intent receivers are part of standard OS-level APIs and are therefore typically undetectable to the end user.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80.json b/mobile-attack/attack-pattern/attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80.json index d55dfa7639..dfe23c95c6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80.json +++ b/mobile-attack/attack-pattern/attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6594949b-5df5-4629-9310-60d0ec8c4bd3", + "id": "bundle--113bc8fa-fc53-4fd1-9be1-6fcfa929d317", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/attack-pattern/attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da.json b/mobile-attack/attack-pattern/attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da.json index ce8cbbe002..31b00db22b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da.json +++ b/mobile-attack/attack-pattern/attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da.json @@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--9d5e46ca-38ba-4b0f-a95b-cddc9a742a7c", + "id": "bundle--16bc8095-5f09-4d1b-b51a-bec58d2bbe48", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T15:21:12.603Z", - "name": "Compromise Hardware Supply Chain", - "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "created": "2022-03-28T19:30:15.556Z", 
@@ -97,8 +74,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:54.553Z", + "name": "Compromise Hardware Supply Chain", + "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692.json b/mobile-attack/attack-pattern/attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692.json index 3f68d34200..379ce12126 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692.json +++ b/mobile-attack/attack-pattern/attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9d2ec332-9c1f-4318-9f8a-a3a1c2218709", + "id": "bundle--a58c51f9-ff2d-44f5-ae58-1942284e45a9", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/attack-pattern/attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0.json b/mobile-attack/attack-pattern/attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0.json index a6beb89ad4..da0e2c6745 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0.json +++ b/mobile-attack/attack-pattern/attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0.json 
@@ -1,52 +1,42 @@ { "type": "bundle", - "id": "bundle--c0a76e0a-6f93-44d1-9c94-baf23292ecfe", + "id": "bundle--186293d7-4e83-4a5b-a900-ba76f6581a31", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", + "created": "2017-10-25T14:48:30.890Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1400", + "external_id": "T1400" + }, + { + "source_name": "Android-VerifiedBoot", + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" + }, + { + "source_name": "Apple-iOSSecurityGuide", + "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.", + "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", - "created": "2017-10-25T14:48:30.890Z", - "x_mitre_version": "1.2", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1400", - "url": "https://attack.mitre.org/techniques/T1400" - }, - { - "source_name": "Android-VerifiedBoot", - "url": "https://source.android.com/security/verifiedboot/", - "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016." - }, - { - "source_name": "Apple-iOSSecurityGuide", - "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf", - "description": "Apple. (2016, May). iOS Security. 
Retrieved December 21, 2016." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-27" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", - "modified": "2022-03-30T15:18:21.242Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:44.671Z", "name": "Modify System Partition", - "x_mitre_detection": "Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)", + "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. 
An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", @@ -61,12 +51,22 @@ "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36.json b/mobile-attack/attack-pattern/attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36.json index cb3e39d262..e90467b58d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36.json +++ b/mobile-attack/attack-pattern/attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--3d5703d3-81b6-4ca0-a8c5-12252e9fd986", + "id": "bundle--d310e00f-aec4-4b00-af05-3b0178b0a0e2", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T15:55:32.497Z", - "name": "Data Manipulation", - "description": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "created": "2022-04-06T13:34:46.021Z", 
@@ -41,8 +19,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:54.742Z", + "name": "Data Manipulation", + "description": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--c6421411-ae61-42bb-9098-73fddb315002.json b/mobile-attack/attack-pattern/attack-pattern--c6421411-ae61-42bb-9098-73fddb315002.json index e52f109727..0c69185cf2 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c6421411-ae61-42bb-9098-73fddb315002.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--c6421411-ae61-42bb-9098-73fddb315002.json @@ -1,29 +1,9 @@ { "type": "bundle", - "id": "bundle--e0618f14-4150-4cb4-8154-bb805cb08c40", + "id": "bundle--f1927fdb-68db-4858-8af6-5d28ed369c2c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:58:33.873Z", - "name": "SMS Messages", - "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user\u2019s knowledge or approval. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", "type": "attack-pattern", "id": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "created": "2022-04-01T13:25:30.923Z", 
@@ -44,8 +24,28 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:54.890Z", + "name": "SMS Messages", + "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user\u2019s knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1" } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380.json b/mobile-attack/attack-pattern/attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380.json index 37c8ffe00b..b36c9cedfc 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380.json +++ b/mobile-attack/attack-pattern/attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380.json 
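Review bot: The new side of the T1636.004 (SMS Messages) object ends at `"x_mitre_version": "1.1"` with no `x_mitre_tactic_type`. The other non-revoked techniques reordered in this part of the patch all keep `"x_mitre_tactic_type": ["Post-Adversary Device Access"]`. The key was already absent on the old side, so the omission is carried over rather than introduced here. Detection-coverage or mapping tools that select techniques by tactic type will still drop this collection technique without warning. If the omission is not intentional, add the array after `x_mitre_version`; otherwise consumers should treat the key as optional.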
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--52f2f9a2-7f16-40e0-a85f-f5407976e3e4", + "id": "bundle--b3cd22a4-5397-44fe-820f-2d8204c565e7", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:31:37.317Z", - "name": "Web Service", - "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). \n\n ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.3", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "created": "2019-02-01T17:29:43.503Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:55.035Z", + "name": "Web Service", + "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). \n\n ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831.json b/mobile-attack/attack-pattern/attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831.json index de8e534e26..8c028af2af 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831.json +++ b/mobile-attack/attack-pattern/attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831.json @@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--b15ff607-2903-4cb9-9b68-d617b19f93a4", + "id": "bundle--c3e41dee-ddb9-4e4c-a036-a1277e532b29", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-08T19:20:51.220Z", - "name": "System Runtime API Hijacking", - "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "persistence" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "created": "2022-03-30T15:07:51.646Z", 
@@ -46,8 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:55.191Z", + "name": "System Runtime API Hijacking", + "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f.json b/mobile-attack/attack-pattern/attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f.json index 82c76b192a..05538f2d47 100644 --- a/mobile-attack/attack-pattern/attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f.json +++ b/mobile-attack/attack-pattern/attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--69743f03-2b67-4b03-9595-024af98eec20", + "id": "bundle--699072df-ae2e-4e0e-a985-2a81bb08f89d", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "type": "attack-pattern", + "id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "created": "2017-10-25T14:48:07.149Z", "revoked": true, "external_references": [ @@ -18,8 +15,16 @@ "external_id": "T1455" } ], - "modified": "2018-10-17T01:05:10.702Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:44.847Z", "name": "Exploit Baseband Vulnerability", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json b/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json index 60eddb0616..646a311160 100644 --- a/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json +++ b/mobile-attack/attack-pattern/attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--5b66305a-983e-4dbb-9545-db722100f2f1", + "id": "bundle--75203db5-ac59-4987-8a8d-2c6f8d41f102", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-08T19:19:37.927Z", - "name": "Credentials from Password Store", - "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "credential-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "created": "2022-04-01T14:55:10.494Z", 
@@ -46,8 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:55.358Z", + "name": "Credentials from Password Store", + "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "credential-access" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea.json b/mobile-attack/attack-pattern/attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea.json index c1d2d06ea2..05e56dba6c 100644 --- a/mobile-attack/attack-pattern/attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea.json @@ -1,33 +1,9 @@ { "type": "bundle", - "id": "bundle--b46e48c7-579e-492b-8112-69ec492c9b60", + "id": "bundle--92eaa80b-6f92-494f-9a2f-1945b40d6679", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Hooking", - "description": "Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_detection": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_contributors": [ - "J\u00f6rg Abraham, EclecticIQ" - ], - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "created": "2021-09-24T14:47:34.182Z", 
@@ -42,7 +18,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "2.1.0", + "modified": "2025-04-16T21:21:55.543Z", + "name": "Hooking", + "description": "Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "J\u00f6rg Abraham, EclecticIQ" + ], + "x_mitre_detection": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], "x_mitre_is_subtechnique": false } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2.json b/mobile-attack/attack-pattern/attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2.json index 65538b7e34..6594d33993 100644 --- a/mobile-attack/attack-pattern/attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2.json +++ b/mobile-attack/attack-pattern/attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2.json 
@@ -1,68 +1,68 @@ { "type": "bundle", - "id": "bundle--9d693461-5795-4d47-9788-3d9c7dfdafcd", + "id": "bundle--c925c8d4-efda-421f-8591-36e331706461", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1478", + "external_id": "T1478" + }, + { + "source_name": "Talos-MDM", + "description": "Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018.", + "url": "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html" + }, + { + "source_name": "Symantec-iOSProfile", + "description": "Yair Amit. (2013, March 12). Malicious Profiles \u2013 The Sleeping Giant of iOS Security. 
Retrieved September 24, 2018.", + "url": "https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", + "external_id": "STA-7" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", - "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1478", - "url": "https://attack.mitre.org/techniques/T1478" - }, - { - "source_name": "Talos-MDM", - "url": "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html", - "description": "Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018." - }, - { - "source_name": "Symantec-iOSProfile", - "url": "https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security", - "description": "Yair Amit. (2013, March 12). Malicious Profiles \u2013 The Sleeping Giant of iOS Security. Retrieved September 24, 2018." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "STA-7" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. 
The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).", - "modified": "2022-03-30T18:18:15.903Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:45.045Z", "name": "Install Insecure or Malicious Configuration", - "x_mitre_detection": "On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. 
The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).", "kill_chain_phases": [ { - "phase_name": "defense-evasion", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" }, { - "phase_name": "initial-access", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json b/mobile-attack/attack-pattern/attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json index a5e623101b..19885ad55b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json +++ b/mobile-attack/attack-pattern/attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--735bb1ae-1083-41ff-b1cf-56ea58f4ce91", + "id": "bundle--21da1944-9497-4ec8-ac17-caa109f41280", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:53:35.087Z", - "name": "File and Directory Discovery", - "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "discovery" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users are presented with a permissions popup when an application requests access to external device storage.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "created": "2017-10-25T14:48:21.965Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:55.729Z", + "name": "File and Directory Discovery", + "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users are presented with a permissions popup when an application requests access to external device storage.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json b/mobile-attack/attack-pattern/attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json index cb830e61a1..08a00e157e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json +++ b/mobile-attack/attack-pattern/attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--6e8899d7-10e6-421b-b9e5-db706f796aff", + "id": "bundle--3cfd129c-7d61-41a0-a2f5-4c047f39bde6", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-09T14:38:34.859Z", - "name": "Obfuscated Files or Information", - "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "3.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "created": "2017-10-25T14:48:32.328Z", 
@@ -52,8 +29,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:55.894Z", + "name": "Obfuscated Files or Information", + "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). 
Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "3.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62.json b/mobile-attack/attack-pattern/attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62.json index e9c33b1368..90dd3a511d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62.json +++ b/mobile-attack/attack-pattern/attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62.json 
@@ -1,38 +1,9 @@ { "type": "bundle", - "id": "bundle--a54694ea-d325-479d-bad9-95cb50737df8", + "id": "bundle--3077b0a1-67a6-4ff4-9ddf-d8661d6be12b", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-08T22:50:32.775Z", - "name": "Input Injection", - "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - }, - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - } - ], - "x_mitre_contributors": [ - "Luk\u00e1\u0161 \u0160tefanko, ESET" - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can view applications that have registered accessibility services in the accessibility menu within the device settings.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "created": "2019-09-15T15:26:22.356Z", 
@@ -63,8 +34,37 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:56.042Z", + "name": "Input Injection", + "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + }, + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Luk\u00e1\u0161 \u0160tefanko, ESET" + ], + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can view applications that have registered accessibility services in the accessibility menu within the device settings.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json b/mobile-attack/attack-pattern/attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json index 8aa243764f..a2e425dd6d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json +++ b/mobile-attack/attack-pattern/attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--ea08b765-4e88-4021-8221-e4e2e3f0c3f6", + "id": "bundle--66e1075e-fef2-49c0-b775-3a4e25a4357c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:51:23.109Z", - "name": "Network Denial of Service", - "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer\u2019s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.3", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "created": "2017-10-25T14:48:25.740Z", 
@@ -87,8 +64,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:56.195Z", + "name": "Network Denial of Service", + "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer\u2019s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.3", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c.json b/mobile-attack/attack-pattern/attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c.json index a0f26cf997..328055de84 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c.json +++ b/mobile-attack/attack-pattern/attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c.json 
@@ -1,30 +1,9 @@ { "type": "bundle", - "id": "bundle--1a847bd3-8e55-4fff-b22a-1ac6e1d2a1c3", + "id": "bundle--c211454f-3473-4bd0-af76-c73d907cd4c3", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Compromise Application Executable", - "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. 
These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "persistence" - } - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_detection": "This behavior is seamless to the user and is typically undetectable.", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "created": "2020-05-07T15:24:49.068Z", 
@@ -49,7 +28,28 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "2.1.0", + "modified": "2025-04-16T21:21:56.351Z", + "name": "Compromise Application Executable", + "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. 
These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_detection": "This behavior is seamless to the user and is typically undetectable.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ], "x_mitre_is_subtechnique": false } ] diff --git a/mobile-attack/attack-pattern/attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14.json b/mobile-attack/attack-pattern/attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14.json index 5ef315715d..a7b12b6ceb 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14.json +++ b/mobile-attack/attack-pattern/attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14.json 
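Review bot: The rewritten property block for `attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c` (Compromise Application Executable) still has no `x_mitre_deprecated` key, while every other technique object updated in the visible part of this patch carries `"x_mitre_deprecated": false`. Tooling that filters retired techniques or builds detection coverage by reading that key directly will get a missing value here. I would add `"x_mitre_deprecated": false,` right after the `"x_mitre_attack_spec_version": "3.2.0",` line, or make sure consumers treat an absent key as false. The same object also keeps `"x_mitre_is_subtechnique": false` as a trailing context line after `x_mitre_tactic_type`, out of the key order its siblings use. That is harmless to parsers, but it suggests this object was serialized differently from the others (inferred; the export tooling is not shown).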
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--e17b3c0a-e8cf-40ee-ae80-b1ea9ce5aa52", + "id": "bundle--72c8510e-b620-4ad6-a424-edbabc0eb488", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:43:46.177Z", - "name": "Event Triggered Execution", - "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim\u2019s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "persistence" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "created": "2022-03-30T14:25:41.721Z", 
@@ -41,8 +19,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:56.521Z", + "name": "Event Triggered Execution", + "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim\u2019s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "persistence" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json b/mobile-attack/attack-pattern/attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json index 654736de9d..32a5b9c56e 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json 
+++ b/mobile-attack/attack-pattern/attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5833997a-ff64-4ecb-9cda-e1cfea2207cd", + "id": "bundle--de78d122-01bb-4700-9f4b-da13dc9a07f6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json b/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json index 6c70d7ca35..0c3dfd00b4 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json +++ b/mobile-attack/attack-pattern/attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63.json 
@@ -1,59 +1,59 @@ { "type": "bundle", - "id": "bundle--29950e33-547d-4906-994c-44cee5215e66", + "id": "bundle--1da1c67e-780f-46b1-9618-9f787c7de0e3", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", + "created": "2017-10-25T14:48:25.322Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1463", + "external_id": "T1463" + }, + { + "source_name": "FireEye-SSL", + "description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016.", + "url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", + "external_id": "APP-1" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", - "created": "2017-10-25T14:48:25.322Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1463", - "url": "https://attack.mitre.org/techniques/T1463" - }, - { - "source_name": "FireEye-SSL", - "url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html", - "description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016." 
- }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-1" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).", - "modified": "2022-04-06T15:44:48.421Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:45.230Z", "name": "Manipulate Device Communication", - "x_mitre_detection": "", + "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. 
For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6.json b/mobile-attack/attack-pattern/attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6.json index 53acc99842..7f88d626ac 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6.json +++ b/mobile-attack/attack-pattern/attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--9ea718ec-14e2-4752-b067-c6483b2c15a0", + "id": "bundle--d9355b01-06a5-41e0-8a63-b3c4056d39aa", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:38:27.848Z", - "name": "Video Capture", - "description": "An adversary can leverage a device\u2019s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device\u2019s cameras for video recording rather than capturing the victim\u2019s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. 
", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "created": "2019-08-09T16:14:58.254Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:56.716Z", + "name": "Video Capture", + "description": "An adversary can leverage a device\u2019s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device\u2019s cameras for video recording rather than capturing the victim\u2019s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. 
", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e.json b/mobile-attack/attack-pattern/attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e.json index ab1610ff17..ade321527f 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e.json +++ b/mobile-attack/attack-pattern/attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--8ec8bd48-e049-46dd-aeca-2bda072cfb6b", + "id": "bundle--69889595-fa41-44df-92c6-0e09f0b61dee", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:35:55.739Z", - "name": "One-Way Communication", - "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 
", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "created": "2022-04-06T15:52:07.711Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:56.869Z", + "name": "One-Way Communication", + "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 
", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a.json b/mobile-attack/attack-pattern/attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a.json index 560dca02cc..2489bf9617 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a.json +++ b/mobile-attack/attack-pattern/attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a.json 
@@ -1,109 +1,109 @@ { "type": "bundle", - "id": "bundle--dc5a038a-2583-47df-bce8-ad1291a43a50", + "id": "bundle--90059a0b-1d15-495a-8ae8-acdbfcf0e3ec", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1475", + "external_id": "T1475" + }, + { + "source_name": "Oberheide-Bouncer", + "description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.", + "url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf" + }, + { + "source_name": "Oberheide-RemoteInstall", + "description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016.", + "url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/" + }, + { + "source_name": "Percoco-Bouncer", + "description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016.", + "url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf" + }, + { + "source_name": "Konoth", + "description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016.", + "url": "http://www.vvdveen.com/publications/BAndroid.pdf" + }, + { + "source_name": "Petsas", + "description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. 
Retrieved December 12, 2016.", + "url": "http://dl.acm.org/citation.cfm?id=2592796" + }, + { + "source_name": "Wang", + "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.", + "url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html", + "external_id": "ECO-4" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html", + "external_id": "ECO-16" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html", + "external_id": "ECO-17" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", + "external_id": "APP-20" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", + "external_id": "APP-21" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html", + "external_id": "ECO-22" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1475", - "url": "https://attack.mitre.org/techniques/T1475" - }, - { - "source_name": "Oberheide-Bouncer", - "url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf", - "description": "Jon Oberheide and Charlie Miller. 
(2012). Dissecting the Android Bouncer. Retrieved December 12, 2016." - }, - { - "source_name": "Oberheide-RemoteInstall", - "url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/", - "description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016." - }, - { - "source_name": "Percoco-Bouncer", - "url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf", - "description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016." - }, - { - "source_name": "Konoth", - "url": "http://www.vvdveen.com/publications/BAndroid.pdf", - "description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. Retrieved December 12, 2016." - }, - { - "source_name": "Petsas", - "url": "http://dl.acm.org/citation.cfm?id=2592796", - "description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016." - }, - { - "source_name": "Wang", - "url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei", - "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016." 
- }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-4" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-16" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-17" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-20" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-21" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "ECO-22" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. 
Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", - "modified": "2022-04-06T15:41:33.827Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:45.413Z", "name": "Deliver Malicious App via Authorized App Store", - "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.", + "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). 
An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. 
(Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4.json b/mobile-attack/attack-pattern/attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4.json index 6d7222a5a6..31f8ac8be4 100644 --- a/mobile-attack/attack-pattern/attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4.json +++ b/mobile-attack/attack-pattern/attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--d0ac365b-a152-40e2-87fe-b23d431f280c", + "id": "bundle--719bd264-bc6e-4b46-8a3e-36545a301085", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T15:55:09.397Z", - "name": "Data Encrypted for Impact", - "description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "3.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "created": "2017-10-25T14:48:10.285Z", 
@@ -46,8 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:57.034Z", + "name": "Data Encrypted for Impact", + "description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "3.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9.json b/mobile-attack/attack-pattern/attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9.json index d54dd41807..a6d2838425 100644 --- a/mobile-attack/attack-pattern/attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9.json +++ b/mobile-attack/attack-pattern/attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--499cce52-89a7-407d-94d5-16e5ae4f7912", + "id": "bundle--31115b9c-dc19-4a3f-ac05-952fe89a2b34", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/attack-pattern/attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb.json b/mobile-attack/attack-pattern/attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb.json index 9eebd20cf8..71b364e253 100644 --- a/mobile-attack/attack-pattern/attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb.json +++ b/mobile-attack/attack-pattern/attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb.json 
@@ -1,48 +1,48 @@ { "type": "bundle", - "id": "bundle--07db031c-a022-4392-a8e2-e211c286d8df", + "id": "bundle--f7f8da30-e9d5-47af-93e3-cc6803294c27", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "created": "2017-10-25T14:48:33.574Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1421", + "external_id": "T1421" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", - "created": "2017-10-25T14:48:33.574Z", - "x_mitre_version": "2.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1421", - "url": "https://attack.mitre.org/techniques/T1421" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. \n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. 
\n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.", - "modified": "2022-03-31T16:31:12.821Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:57.189Z", "name": "System Network Connections Discovery", - "x_mitre_detection": "System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. \n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. \n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. 
Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.", "kill_chain_phases": [ { - "phase_name": "discovery", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "2.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df.json b/mobile-attack/attack-pattern/attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df.json index ebb3e9a30e..f2bf58f0ce 100644 --- a/mobile-attack/attack-pattern/attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df.json +++ b/mobile-attack/attack-pattern/attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--491b8634-567c-440c-a756-162f515b0331", + "id": "bundle--4b8ac30d-4f69-4e55-a5af-95a7c640e75a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002.json b/mobile-attack/attack-pattern/attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002.json index fb781362dc..574786f33a 100644 --- a/mobile-attack/attack-pattern/attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002.json +++ b/mobile-attack/attack-pattern/attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002.json 
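Review bot: The `description` string for T1421 spells the same Android class two ways, `WifiInfo` at the start of the first bullet and `WiFiInfo` in the sentence right after it, and the added line carries the mismatch over unchanged. The SDK class is `WifiInfo`, so anyone who copies the second spelling into an app-vetting rule or a search over decompiled code will get no matches. The second occurrence should be changed from `WiFiInfo` to `WifiInfo`. This file looks like a generated export, so the correction probably belongs in the upstream record rather than in this patch.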
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce9ad7e6-9c7a-4d29-8733-cb3cb607ce66", + "id": "bundle--48e3ee3f-0b4f-4c11-aa26-97980d3d62cf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd.json b/mobile-attack/attack-pattern/attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd.json index a5574ad072..4c4a8e9748 100644 --- a/mobile-attack/attack-pattern/attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd.json +++ b/mobile-attack/attack-pattern/attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c78cd9c4-7b2a-434b-b3a3-fa05d344ed7c", + "id": "bundle--7b038ad1-37db-473e-9e20-9f2ea6e4f805", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe.json b/mobile-attack/attack-pattern/attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe.json index 27d56a633e..34e52fcfd6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe.json +++ b/mobile-attack/attack-pattern/attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe.json 
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--680a7d16-eb19-47fe-b180-bd5d89a25eec", + "id": "bundle--960c7907-9b28-46fb-8776-6102ed7ffe48", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", + "created": "2020-12-16T20:16:07.673Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1605", + "external_id": "T1605" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", - "created": "2020-12-16T20:16:07.673Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1605", - "url": "https://attack.mitre.org/techniques/T1605" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java\u2019s `Runtime` package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.\n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. 
This dangerous level of permissions allows the adversary to run special commands and modify protected system files.", - "modified": "2022-03-30T14:00:45.099Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:45.593Z", "name": "Command-Line Interface", - "x_mitre_detection": "Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java\u2019s `Runtime` package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.\n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "execution" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86.json b/mobile-attack/attack-pattern/attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86.json index efa028307a..131dde5682 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86.json +++ b/mobile-attack/attack-pattern/attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--e09f3687-824f-419c-bbef-21022d032ebb", + "id": "bundle--55a167e6-5b1a-4693-9fbc-6afbf847c719", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T15:40:11.937Z", - "name": "Contact List", - "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user\u2019s knowledge or approval. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "collection" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "iOS", - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "created": "2022-04-01T13:17:52.740Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:57.342Z", + "name": "Contact List", + "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user\u2019s knowledge or approval. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS", + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json b/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json index e119a41f4f..7cea77db40 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json +++ b/mobile-attack/attack-pattern/attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a.json 
@@ -1,54 +1,54 @@ { "type": "bundle", - "id": "bundle--a2b389d3-b319-419e-8d27-4cb930e2533e", + "id": "bundle--477753d5-70b5-49ad-8dc7-a904f5474839", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "created": "2019-10-10T15:12:42.790Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1533", + "external_id": "T1533" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", + "external_id": "STA-41" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "created": "2019-10-10T15:12:42.790Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1533", - "url": "https://attack.mitre.org/techniques/T1533" - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "STA-41" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. 
On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ", - "modified": "2022-04-01T16:53:27.576Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:57.505Z", "name": "Data from Local System", - "x_mitre_detection": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. \n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2.json b/mobile-attack/attack-pattern/attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2.json index 487a41f93d..29639f2583 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2.json +++ b/mobile-attack/attack-pattern/attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2.json @@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--ef2f11fe-902a-4887-9b9b-b6e0a462c198", + "id": "bundle--8542ba3a-3a54-40ad-afff-6700819f2baf", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-15T16:34:51.917Z", - "name": "Account Access Removal", - "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "created": "2022-04-06T13:29:47.590Z", 
@@ -41,8 +19,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:57.695Z", + "name": "Account Access Removal", + "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77.json b/mobile-attack/attack-pattern/attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77.json index e281e2ca55..d6c29b630c 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77.json +++ b/mobile-attack/attack-pattern/attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77.json 
@@ -1,59 +1,59 @@ { "type": "bundle", - "id": "bundle--6cf43214-520f-4dd9-908a-933949b389f4", + "id": "bundle--500cd223-d887-469d-8f16-0ac5b01c7f14", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "created": "2017-10-25T14:48:19.265Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1426", + "external_id": "T1426" + }, + { + "source_name": "Android-Build", + "description": "Android. (n.d.). Build. Retrieved December 21, 2016.", + "url": "https://developer.android.com/reference/android/os/Build" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", + "external_id": "APP-12" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "created": "2017-10-25T14:48:19.265Z", - "x_mitre_version": "1.2", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1426", - "url": "https://attack.mitre.org/techniques/T1426" - }, - { - "source_name": "Android-Build", - "url": "https://developer.android.com/reference/android/os/Build", - "description": "Android. (n.d.). Build. Retrieved December 21, 2016." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-12" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may attempt to get detailed information about a device\u2019s operating system and hardware, including versions, patches, and architecture. 
Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. ", - "modified": "2022-04-11T19:21:34.776Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:57.841Z", "name": "System Information Discovery", - "x_mitre_detection": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may attempt to get detailed information about a device\u2019s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. 
", "kill_chain_phases": [ { - "phase_name": "discovery", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "discovery" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9.json b/mobile-attack/attack-pattern/attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9.json index 961a439fcb..495760447b 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9.json +++ b/mobile-attack/attack-pattern/attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--b4aa7966-4360-4df1-98ef-aa7d14f3bbd1", + "id": "bundle--a40717e4-006b-4743-8c4b-e515dcb0ecb8", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "type": "attack-pattern", + "id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "created": "2017-10-25T14:48:28.786Z", "revoked": true, "external_references": [ 
@@ -18,8 +15,16 @@ "external_id": "T1442" } ], - "modified": "2018-10-17T01:05:10.701Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:45.764Z", "name": "Fake Developer Accounts", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb.json b/mobile-attack/attack-pattern/attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb.json index 40b89c53be..106f22740d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb.json +++ b/mobile-attack/attack-pattern/attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb.json 
@@ -1,78 +1,78 @@ { "type": "bundle", - "id": "bundle--a4e20748-edea-4dd7-b32f-4f62b91e5b1b", + "id": "bundle--6578327a-db19-46aa-b64b-3618a877dc1c", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", + "created": "2019-07-26T14:15:31.451Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1510", + "external_id": "T1510" + }, + { + "source_name": "Android 10 Privacy Changes", + "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.", + "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data" + }, + { + "source_name": "Dr.Webb Clipboard Modification origin August 2018", + "description": "Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019.", + "url": "https://vms.drweb.com/virus/?i=17517750" + }, + { + "source_name": "Dr.Webb Clipboard Modification origin2 August 2018", + "description": "Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019.", + "url": "https://vms.drweb.com/virus/?i=17517761" + }, + { + "source_name": "ESET Clipboard Modification February 2019", + "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019.", + "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/" + }, + { + "source_name": "Welivesecurity Clipboard Modification February 2019", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, February 8). First clipper malware discovered on Google Play. 
Retrieved July 26, 2019.", + "url": "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/" + }, + { + "source_name": "Syracuse Clipboard Modification 2014", + "description": "Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. Retrieved July 26, 2019.", + "url": "http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", - "created": "2019-07-26T14:15:31.451Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1510", - "url": "https://attack.mitre.org/techniques/T1510" - }, - { - "source_name": "Android 10 Privacy Changes", - "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", - "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." - }, - { - "source_name": "Dr.Webb Clipboard Modification origin August 2018", - "url": "https://vms.drweb.com/virus/?i=17517750", - "description": "Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019." - }, - { - "source_name": "Dr.Webb Clipboard Modification origin2 August 2018", - "url": "https://vms.drweb.com/virus/?i=17517761", - "description": "Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019." - }, - { - "source_name": "ESET Clipboard Modification February 2019", - "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/", - "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019." 
- }, - { - "source_name": "Welivesecurity Clipboard Modification February 2019", - "url": "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019." - }, - { - "source_name": "Syracuse Clipboard Modification 2014", - "url": "http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf", - "description": "Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. Retrieved July 26, 2019." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. 
This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", - "modified": "2022-04-06T13:41:17.512Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:45.935Z", "name": "Clipboard Modification", - "x_mitre_detection": "Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. 
This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--e3b936a4-6321-4172-9114-038a866362ec.json b/mobile-attack/attack-pattern/attack-pattern--e3b936a4-6321-4172-9114-038a866362ec.json index e24b39ad22..cb34415434 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e3b936a4-6321-4172-9114-038a866362ec.json +++ b/mobile-attack/attack-pattern/attack-pattern--e3b936a4-6321-4172-9114-038a866362ec.json 
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--8df1ca19-582e-4745-b8d0-fed7ff15acd9", + "id": "bundle--d5f9d4df-35e3-4675-9b43-21b5bc44d899", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "created": "2019-10-10T15:00:44.181Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1532", + "external_id": "T1532" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", - "created": "2019-10-10T15:00:44.181Z", - "x_mitre_version": "2.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1532", - "url": "https://attack.mitre.org/techniques/T1532" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. 
", - "modified": "2022-04-01T15:01:02.140Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:57.990Z", "name": "Archive Collected Data", - "x_mitre_detection": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", + "description": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. ", "kill_chain_phases": [ { - "phase_name": "collection", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780.json b/mobile-attack/attack-pattern/attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780.json index 11d82af9e4..8dedc8c2f5 100644 
--- a/mobile-attack/attack-pattern/attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780.json
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--21d4048e-1a35-48f9-946d-6501c7b5b41d", + "id": "bundle--ce5c6771-1313-456d-9620-45905a041010", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:58:14.240Z", - "name": "Geofencing", - "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fis accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. \n\nOne method to accomplish\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fon Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. 
Depending on the use case, the app will either need to call\u202f`requestWhenInUseAuthorization()`\u202for\u202f`requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fcan be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. Application vetting services can detect unnecessary and potentially abused location permissions or API calls.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "created": "2022-03-30T20:36:03.177Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:58.143Z", + "name": "Geofencing", + "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fis accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. \n\nOne method to accomplish\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fon Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. 
Depending on the use case, the app will either need to call\u202f`requestWhenInUseAuthorization()`\u202for\u202f`requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fcan be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. Application vetting services can detect unnecessary and potentially abused location permissions or API calls.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2.json b/mobile-attack/attack-pattern/attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2.json
index 724fdca1f8..d6416984ea 100644
--- a/mobile-attack/attack-pattern/attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2.json
+++ b/mobile-attack/attack-pattern/attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2.json
@@ -1,48 +1,48 @@ { "type": "bundle", - "id": "bundle--8ec73eb3-f601-4cae-b4d4-1845b4765b0d", + "id": "bundle--87bff974-a785-4ff9-b238-3bbdfe5dc2a8", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", + "created": "2019-07-10T15:18:16.753Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1507", + "external_id": "T1507" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", - "created": "2019-07-10T15:18:16.753Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1507", - "url": "https://attack.mitre.org/techniques/T1507" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.", - "modified": "2022-03-31T16:33:55.068Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:46.125Z", "name": "Network Information Discovery", - "x_mitre_detection": "", + "description": "Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "collection" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": 
"1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json b/mobile-attack/attack-pattern/attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json index a96ab45fd3..87dc490d79 100644 --- a/mobile-attack/attack-pattern/attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json +++ b/mobile-attack/attack-pattern/attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060.json 
@@ -1,37 +1,27 @@ { "type": "bundle", - "id": "bundle--4b25de86-606d-47d5-9673-57ec111b34c6", + "id": "bundle--0ebbb71b-be15-4c38-9349-91323dd612a1", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", + "created": "2017-10-25T14:48:15.920Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1412", + "external_id": "T1412" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", - "created": "2017-10-25T14:48:15.920Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1412", - "url": "https://attack.mitre.org/techniques/T1412" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. 
Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.", - "modified": "2022-04-01T13:27:29.880Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:46.301Z", "name": "Capture SMS Messages", - "x_mitre_detection": "On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.", + "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", 
@@ -42,12 +32,22 @@ "phase_name": "credential-access" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3.json b/mobile-attack/attack-pattern/attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3.json index 538d429f72..4781ac701d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3.json +++ b/mobile-attack/attack-pattern/attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9115e9e-7d1a-450a-b590-93ba10ad2059", + "id": "bundle--76cf5cad-29df-422a-ad4e-110f1ba34ccf", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3.json b/mobile-attack/attack-pattern/attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3.json index 4964c3df8d..dc1819ec77 100644 --- a/mobile-attack/attack-pattern/attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3.json +++ b/mobile-attack/attack-pattern/attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--c940d1bd-1cfa-4a8d-a8ea-a83223aba42a", + "id": "bundle--648bbe04-1aea-4e07-9400-8f573b8da535", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:41:56.376Z", - "name": "Endpoint Denial of Service", - "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "impact" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, users can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "created": "2022-04-06T13:52:05.619Z", 
@@ -52,8 +29,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:58.297Z", + "name": "Endpoint Denial of Service", + "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "impact" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, users can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json b/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json
index 5f3c72e4ff..ee31bb592c 100644
--- a/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json
+++ b/mobile-attack/attack-pattern/attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd.json
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--af14f3ce-0b33-4b75-a09c-5112498477bf", + "id": "bundle--749b151b-d491-4e2e-8c02-69173844c248", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:53:59.025Z", - "name": "Out of Band Data", - "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. ", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "If a user sees a notification with text they do not recognize, they should review their list of installed applications.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "created": "2022-04-06T15:27:34.300Z", 
@@ -42,8 +19,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:58.451Z", + "name": "Out of Band Data", + "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. ", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "If a user sees a notification with text they do not recognize, they should review their list of installed applications.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json b/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json
index 86908f436b..19cd33de70 100644
--- a/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json
+++ b/mobile-attack/attack-pattern/attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84.json
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--783e9cab-0ee1-4511-8cd4-bd4de11b8f76", + "id": "bundle--9c553602-9963-425b-a832-36c50b13fc0e", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "created": "2019-10-01T14:18:47.762Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1521", + "external_id": "T1521" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", - "created": "2019-10-01T14:18:47.762Z", - "x_mitre_version": "2.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1521", - "url": "https://attack.mitre.org/techniques/T1521" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", - "modified": "2022-04-05T20:11:35.852Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:58.602Z", "name": "Encrypted Channel", - "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json b/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json
index 8d76a77f0d..bd1d65000b 100644
--- a/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json
+++ b/mobile-attack/attack-pattern/attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884.json
@@ -1,61 +1,52 @@ { "type": "bundle", - "id": "bundle--4de0733c-4fba-4f7f-92e1-d173dfae7e6f", + "id": "bundle--721009b6-dab3-424a-a3cb-f2aeb81aaa08", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", + "created": "2017-10-25T14:48:22.716Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1405", + "external_id": "T1405" + }, + { + "source_name": "EkbergTEE", + "description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016.", + "url": "https://usmile.at/symposium/program/2015/ekberg" + }, + { + "source_name": "Thomas-TrustZone", + "description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016.", + "url": "https://usmile.at/symposium/program/2015/thomas-holmes" + }, + { + "source_name": "QualcommKeyMaster", + "description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016.", + "url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html" + }, + { + "source_name": "laginimaineb-TEE", + "description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. 
Retrieved December 21, 2016.", + "url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", - "created": "2017-10-25T14:48:22.716Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1405", - "url": "https://attack.mitre.org/techniques/T1405" - }, - { - "source_name": "EkbergTEE", - "url": "https://usmile.at/symposium/program/2015/ekberg", - "description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016." - }, - { - "source_name": "Thomas-TrustZone", - "url": "https://usmile.at/symposium/program/2015/thomas-holmes", - "description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016." - }, - { - "source_name": "QualcommKeyMaster", - "url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html", - "description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016." - }, - { - "source_name": "laginimaineb-TEE", - "url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html", - "description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016." 
- }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-27" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).", - "modified": "2022-04-06T15:41:57.666Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:46.487Z", "name": "Exploit TEE Vulnerability", - "x_mitre_detection": "", + "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", 
@@ -66,12 +57,21 @@ "phase_name": "privilege-escalation" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json b/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json index b041c9bbba..1007f67fa6 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json +++ b/mobile-attack/attack-pattern/attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63e76667-7466-4e6e-ac99-5011c8beafb0", + "id": "bundle--24a96d07-9cb6-4289-8f50-363ed70f91f6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json b/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json index 33f2f29e91..a7e6a3e461 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json +++ b/mobile-attack/attack-pattern/attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468.json 
@@ -1,51 +1,42 @@ { "type": "bundle", - "id": "bundle--be6708a6-93cf-4737-94d1-28fb0a0dedf5", + "id": "bundle--12ed0038-e5e6-4263-8048-d6b57e2dc5f8", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468", + "created": "2017-10-25T14:48:18.583Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1399", + "external_id": "T1399" + }, + { + "source_name": "Apple-iOSSecurityGuide", + "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.", + "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf" + }, + { + "source_name": "Roth-Rootkits", + "description": "Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016.", + "url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", + "external_id": "APP-27" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468", - "created": "2017-10-25T14:48:18.583Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1399", - "url": "https://attack.mitre.org/techniques/T1399" - }, - { - "source_name": "Apple-iOSSecurityGuide", - "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf", - "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016." - }, - { - "source_name": "Roth-Rootkits", - "url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf", - "description": "Thomas Roth. (2013). 
Next generation mobile rootkits. Retrieved December 21, 2016." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "APP-27" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", - "modified": "2022-04-06T15:48:41.647Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:46.662Z", "name": "Modify Trusted Execution Environment", - "x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)", + "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", 
@@ -56,12 +47,21 @@ "phase_name": "persistence" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json b/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json index 017849eb60..780e112905 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json +++ b/mobile-attack/attack-pattern/attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--fe7342e2-4430-4907-af97-385baadfc187", + "id": "bundle--d4362c09-e98c-441e-9abf-5464bf76fce7", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "type": "attack-pattern", + "id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "created": "2017-10-25T14:48:23.652Z", "revoked": true, "external_references": [ 
@@ -18,8 +15,16 @@ "external_id": "T1459" } ], - "modified": "2018-10-17T01:05:10.703Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:46.836Z", "name": "Device Unlock Code Guessing or Brute Force", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } diff --git a/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json b/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json index 14d1fdb51d..2e5376e7cc 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json +++ b/mobile-attack/attack-pattern/attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34.json 
@@ -1,59 +1,59 @@ { "type": "bundle", - "id": "bundle--0b135f0a-ea50-40d0-8d9a-64a05a9ff2d3", + "id": "bundle--3696e42c-f628-46a4-951d-19c7a931395f", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", + "created": "2017-10-25T14:48:21.667Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1466", + "external_id": "T1466" + }, + { + "source_name": "NIST-SP800187", + "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.", + "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", + "external_id": "CEL-3" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", - "created": "2017-10-25T14:48:21.667Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1466", - "url": "https://attack.mitre.org/techniques/T1466" - }, - { - "source_name": "NIST-SP800187", - "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf", - "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017." 
- }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "CEL-3" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", - "modified": "2022-04-06T15:50:42.480Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:47.035Z", "name": "Downgrade to Insecure Protocols", - "x_mitre_detection": "", + "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/attack-pattern/attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc.json b/mobile-attack/attack-pattern/attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc.json index 137544414d..e29ae00a51 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc.json +++ b/mobile-attack/attack-pattern/attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc.json @@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--a32f3ef3-ee2a-4b32-9894-7b70bcc5e1df", + "id": "bundle--f383abb1-d560-457e-b650-dc6f6f4ad94a", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-08T18:14:46.081Z", - "name": "Masquerading", - "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "\n", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.0", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "created": "2023-07-12T20:29:48.758Z", 
@@ -52,8 +29,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:58.771Z", + "name": "Masquerading", + "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "\n", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json b/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json index 80f822c327..7a3e50a894 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json +++ b/mobile-attack/attack-pattern/attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf.json 
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--c731b54c-ddf2-404f-8a21-2f69ce2a6038", + "id": "bundle--2aec7072-bab1-4c1b-a37c-b6d92cdacaf3", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", + "created": "2017-10-25T14:48:18.937Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1472", + "external_id": "T1472" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", - "created": "2017-10-25T14:48:18.937Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1472", - "url": "https://attack.mitre.org/techniques/T1472" - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.", - "modified": "2022-04-06T13:57:49.177Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:47.215Z", "name": "Generate Fraudulent Advertising Revenue", - "x_mitre_detection": "", + "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "impact" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": 
false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json b/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json index 2f378ff752..924b77ab82 100644 --- a/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json +++ b/mobile-attack/attack-pattern/attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--b4a9689d-65c1-4a73-a968-5cb01ddeae6b", + "id": "bundle--462bccb4-db1e-4167-aada-e97ca922f234", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "id": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "type": "attack-pattern", + "id": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "created": "2017-10-25T14:48:09.446Z", "revoked": true, "external_references": [ @@ -18,8 +15,16 @@ "external_id": "T1473" } ], - "modified": "2018-10-17T01:05:10.704Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T18:00:47.386Z", "name": "Malicious or Vulnerable Built-in Device Functionality", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false } 
diff --git a/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json b/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json index 4c102b420e..bdb64b01d1 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json +++ b/mobile-attack/attack-pattern/attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df.json 
@@ -1,48 +1,48 @@ { "type": "bundle", - "id": "bundle--7b5c9af9-dfcd-4a3d-9e9c-1de1da04dd43", + "id": "bundle--2c9aca56-e17d-4958-9989-4493ca3a2ebd", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", + "created": "2022-03-30T19:19:23.777Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1406/001", + "external_id": "T1406.001" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", - "created": "2022-03-30T19:19:23.777Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1406.001", - "url": "https://attack.mitre.org/techniques/T1406/001" - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", - "modified": "2022-04-21T17:30:16.229Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:21:58.917Z", "name": "Steganography", - "x_mitre_detection": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings are other signatures left in system artifacts related to decoding steganography.", + "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. 
Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", "kill_chain_phases": [ { - "phase_name": "defense-evasion", - "kill_chain_name": "mitre-mobile-attack" + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings are other signatures left in system artifacts related to decoding steganography.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.0", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json b/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json index 3498f6bbc1..e674115960 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json +++ b/mobile-attack/attack-pattern/attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d.json 
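Review bot: The `x_mitre_detection` string re-added in this hunk still reads `Look for strings are other signatures left in system artifacts`, which looks like a typo for "strings or other signatures". The commit only moves this line, so the wording is carried over unchanged from the old side. Because this field is the detection guidance for T1406.001, I would correct it in the same pass: `Look for strings or other signatures left in system artifacts related to decoding steganography.`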
@@ -1,84 +1,84 @@ { "type": "bundle", - "id": "bundle--0a76409e-fa16-4f55-80f9-43179ea7c332", + "id": "bundle--45daca45-b1e5-4bca-b5fd-99983d26303f", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", + "created": "2017-10-25T14:48:06.524Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1449", + "external_id": "T1449" + }, + { + "source_name": "3GPP-Security", + "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", + "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf" + }, + { + "source_name": "CSRIC5-WG10-FinalReport", + "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", + "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf" + }, + { + "source_name": "TheRegister-SS7", + "description": "Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018.", + "url": "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/" + }, + { + "source_name": "Positive-SS7", + "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", + "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf" + }, + { + "source_name": "Engel-SS7-2008", + "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", + "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI" + }, + { + "source_name": "Engel-SS7", + "description": "Tobias Engel. 
(2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", + "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf" + }, + { + "source_name": "NIST Mobile Threat Catalogue", + "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", + "external_id": "CEL-37" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", - "created": "2017-10-25T14:48:06.524Z", - "x_mitre_version": "1.2", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1449", - "url": "https://attack.mitre.org/techniques/T1449" - }, - { - "source_name": "3GPP-Security", - "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf", - "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016." - }, - { - "source_name": "CSRIC5-WG10-FinalReport", - "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf", - "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017." - }, - { - "source_name": "TheRegister-SS7", - "url": "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/", - "description": "Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018." - }, - { - "source_name": "Positive-SS7", - "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf", - "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016." - }, - { - "source_name": "Engel-SS7-2008", - "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI", - "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. 
Retrieved December 19, 2016." - }, - { - "source_name": "Engel-SS7", - "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf", - "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016." - }, - { - "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", - "source_name": "NIST Mobile Threat Catalogue", - "external_id": "CEL-37" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", - "modified": "2022-04-06T15:53:27.032Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:47.575Z", "name": "Exploit SS7 to Redirect Phone Calls/SMS", - "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. 
(Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": true, + "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). (Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.2", "x_mitre_tactic_type": [ "Without Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json b/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json index 087678ddc0..739570abd3 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json +++ b/mobile-attack/attack-pattern/attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f.json 
@@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--f30ef550-0287-406e-b2a6-b7d9404ea319", + "id": "bundle--40fa20af-3b54-4ad0-ba03-dd7e33524cb8", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-20T18:59:57.485Z", - "name": "Hide Artifacts", - "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application\u2019s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "The user can examine the list of all installed applications in the device settings. Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "created": "2022-03-30T20:00:12.654Z", 
@@ -41,8 +19,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:59.084Z", + "name": "Hide Artifacts", + "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application\u2019s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can examine the list of all installed applications in the device settings. Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json b/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json index 157e87430d..5a6ef73497 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json +++ b/mobile-attack/attack-pattern/attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--1902ee38-63f6-4202-9efd-9404a70671d0", + "id": "bundle--a1f2008a-4b98-4561-93c5-ad1bdb23e42f", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-16T18:37:55.822Z", - "name": "Code Signing Policy Modification", - "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "defense-evasion" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "created": "2022-03-30T18:13:26.003Z", 
@@ -47,8 +24,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:59.231Z", + "name": "Code Signing Policy Modification", + "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "defense-evasion" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json b/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json index a048866bae..bfbff24440 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json +++ b/mobile-attack/attack-pattern/attack-pattern--fd211238-f767-4599-8c0d-9dca36624626.json 
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--b5a589cf-6a80-4c80-8f78-3c1c52da38eb", + "id": "bundle--0a53af15-fddd-4301-a6b4-7083a23e2d7a", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-14T16:19:54.832Z", - "name": "Domain Generation Algorithms", - "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "command-and-control" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names ", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": true, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "1.1", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "created": "2022-04-05T19:59:03.161Z", 
@@ -52,8 +29,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:59.384Z", + "name": "Domain Generation Algorithms", + "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "command-and-control" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names ", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": true, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "1.1", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json b/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json index 2c69d9bda2..4d838d3185 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json +++ b/mobile-attack/attack-pattern/attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57.json 
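Review bot: The `x_mitre_detection` string on the new side still ends mid-sentence, at `check for recently registered names ` with a trailing space and no full stop, so the last detection idea reads as cut off. The commit moves this value unchanged from its old position in the file (it also appears on the removed side of this file's first hunk), so the truncation predates it, but this is where it would be fixed. The sentence should be completed from the authoritative technique text and the trailing space dropped. Until then, anything that renders this field to analysts will show an unfinished sentence.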
@@ -1,32 +1,9 @@ { "type": "bundle", - "id": "bundle--6e67c7a4-f444-4d42-9094-08d7452a6a26", + "id": "bundle--4a358405-1b53-407a-9c59-4f8ddddca4ff", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-07T17:12:07.620Z", - "name": "Drive-By Compromise", - "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. 
\n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", - "kill_chain_phases": [ - { - "kill_chain_name": "mitre-mobile-attack", - "phase_name": "initial-access" - } - ], - "x_mitre_deprecated": false, - "x_mitre_detection": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_is_subtechnique": false, - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_version": "2.2", - "x_mitre_tactic_type": [ - "Post-Adversary Device Access" - ], "type": "attack-pattern", "id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "created": "2017-10-25T14:48:06.822Z", 
@@ -52,8 +29,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:21:59.531Z", + "name": "Drive-By Compromise", + "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. 
\n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", + "kill_chain_phases": [ + { + "kill_chain_name": "mitre-mobile-attack", + "phase_name": "initial-access" + } + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_version": "2.2", + "x_mitre_tactic_type": [ + "Post-Adversary Device Access" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json b/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json index 2113906ac2..203722037d 100644 --- a/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json +++ b/mobile-attack/attack-pattern/attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2.json 
@@ -1,63 +1,63 @@ { "type": "bundle", - "id": "bundle--68cbbf32-d8e6-4245-b3dc-d1495519ccde", + "id": "bundle--fcfd914a-2096-4d41-bf9f-570843dc4a4b", "spec_version": "2.0", "objects": [ { - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "attack-pattern", + "id": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", + "created": "2019-07-11T18:09:42.039Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": true, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/techniques/T1508", + "external_id": "T1508" + }, + { + "source_name": "sunny-stolen-credentials", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/" + }, + { + "source_name": "android-trojan-steals-paypal-2fa", + "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", + "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/" + }, + { + "source_name": "bankbot-spybanker", + "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. 
Retrieved July 11, 2019.", + "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "attack-pattern", - "id": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", - "created": "2019-07-11T18:09:42.039Z", - "x_mitre_version": "1.1", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "T1508", - "url": "https://attack.mitre.org/techniques/T1508" - }, - { - "source_name": "sunny-stolen-credentials", - "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019." - }, - { - "source_name": "android-trojan-steals-paypal-2fa", - "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/", - "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019." - }, - { - "source_name": "bankbot-spybanker", - "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker", - "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved July 11, 2019." - } - ], - "x_mitre_deprecated": false, - "revoked": true, - "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. 
Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)", - "modified": "2022-03-30T20:07:33.279Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:47.756Z", "name": "Suppress Application Icon", - "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.", + "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)", "kill_chain_phases": [ { "kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion" } ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_deprecated": false, + "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_is_subtechnique": false, + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_version": "1.1", "x_mitre_tactic_type": [ "Post-Adversary Device Access" - ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json b/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json index a4bc02a3c2..bbf469285a 100644 --- a/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json +++ b/mobile-attack/campaign/campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f9bcd5d-5960-4d4a-98a8-f0f7ca365f98", + "id": "bundle--4ce7c76c-9d72-4fc2-bbe1-14b89db03021", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/campaign/campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4.json b/mobile-attack/campaign/campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4.json index d2e006189a..4e1a140639 100644 --- a/mobile-attack/campaign/campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4.json +++ b/mobile-attack/campaign/campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a3f33553-34ca-4f35-818d-dd9000064fc2", + "id": "bundle--7d0a5933-a163-47da-bd3a-4a63169468c8", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/campaign/campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3.json b/mobile-attack/campaign/campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3.json new file mode 100644 index 0000000000..6884993368 --- /dev/null +++ b/mobile-attack/campaign/campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3.json 
@@ -0,0 +1,46 @@ +{ + "type": "bundle", + "id": "bundle--3294dbb9-7b7d-4bb5-b6e1-d047e6507c93", + "spec_version": "2.0", + "objects": [ + { + "modified": "2025-03-28T15:23:16.915Z", + "name": "Operation Triangulation", + "description": "[Operation Triangulation](https://attack.mitre.org/campaigns/C0054) is a mobile campaign targeting iOS devices.(Citation: SecureList OpTriangulation 01Jun2023) The unidentified actors used zero-click exploits in iMessage attachments to gain [Initial Access](https://attack.mitre.org/tactics/TA0027), then executed exploits and validators, such as [Binary Validator](https://attack.mitre.org/software/S1215) before finally executing the [TriangleDB](https://attack.mitre.org/software/S1216) implant. ", + "aliases": [ + "Operation Triangulation" + ], + "first_seen": "2019-01-01T08:00:00.000Z", + "last_seen": "2023-06-01T07:00:00.000Z", + "x_mitre_first_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", + "x_mitre_last_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", + "x_mitre_deprecated": false, + "x_mitre_version": "1.0", + "type": "campaign", + "id": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "created": "2025-03-28T14:45:30.132Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/campaigns/C0054", + "external_id": "C0054" + }, + { + "source_name": "SecureList OpTriangulation 01Jun2023", + "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. 
Retrieved April 18, 2024.", + "url": "https://securelist.com/operation-triangulation/109842/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ] + } + ] +} \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json b/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json index c1c84309dc..1334fd9f97 100644 --- a/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json +++ b/mobile-attack/course-of-action/course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564.json @@ -1,17 +1,11 @@ { "type": "bundle", - "id": "bundle--5c6bc648-e161-41ae-af34-d93b425ef210", + "id": "bundle--6c10582c-5144-4f1c-a1ed-2ac16620abd9", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "type": "course-of-action", + "id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "created": "2017-10-25T14:48:51.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
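Review bot: `first_seen` (`2019-01-01T08:00:00.000Z`) and `last_seen` (`2023-06-01T07:00:00.000Z`) in the new campaign object carry different hour offsets, which looks like local midnight converted to UTC across a daylight-saving boundary rather than an observed time of day. Both values probably mean no more than month precision, so tooling that builds timelines or correlates telemetry from these fields should truncate them to the date or month instead of comparing full timestamps. The `description` value also ends with a stray space after `implant.` and lacks a comma after the `Binary Validator` link.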
@@ -21,11 +15,18 @@ "external_id": "M1006" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:17.864Z", "name": "Use Recent OS Version", "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json b/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json index 3b71802c01..5ea739f48b 100644 --- a/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json +++ b/mobile-attack/course-of-action/course-of-action--1553b156-6767-47f7-9eb4-2a692505666d.json 
@@ -1,34 +1,34 @@ { "type": "bundle", - "id": "bundle--d0e57576-827f-4251-9be1-bcb56c304f13", + "id": "bundle--d8c2de4b-c04f-431f-a4d9-e34dc4be1828", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" + "type": "course-of-action", + "id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", + "created": "2019-10-18T12:49:58.924Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1005", + "external_id": "M1005" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "course-of-action", - "id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", - "created": "2019-10-18T12:49:58.924Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "M1005", - "url": "https://attack.mitre.org/mitigations/M1005" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. 
Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.", - "modified": "2022-04-06T14:47:46.019Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:49.664Z", "name": "Application Vetting", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json b/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json index 2d803d20fa..d9fc58b155 100644 --- a/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json +++ b/mobile-attack/course-of-action/course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1.json 
@@ -1,18 +1,18 @@ { "type": "bundle", - "id": "bundle--0f43a4c5-4b46-448c-8c26-09408e5d4f5d", + "id": "bundle--66e4747c-83f9-4359-85b4-9246dee35aa5", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-27T20:18:19.004Z", + "modified": "2024-12-10T16:07:50.023Z", "name": "Application Developer Guidance", - "description": "This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.", + "description": "Application Developer Guidance focuses on providing developers with the knowledge, tools, and best practices needed to write secure code, reduce vulnerabilities, and implement secure design principles. By integrating security throughout the software development lifecycle (SDLC), this mitigation aims to prevent the introduction of exploitable weaknesses in applications, systems, and APIs. This mitigation can be implemented through the following measures:\n \nPreventing SQL Injection (Secure Coding Practice):\n\n- Implementation: Train developers to use parameterized queries or prepared statements instead of directly embedding user input into SQL queries.\n- Use Case: A web application accepts user input to search a database. By sanitizing and validating user inputs, developers can prevent attackers from injecting malicious SQL commands.\n\nCross-Site Scripting (XSS) Mitigation:\n\n- Implementation: Require developers to implement output encoding for all user-generated content displayed on a web page.\n- Use Case: An e-commerce site allows users to leave product reviews. Properly encoding and escaping user inputs prevents malicious scripts from being executed in other users\u2019 browsers.\n\nSecure API Design:\n\n- Implementation: Train developers to authenticate all API endpoints and avoid exposing sensitive information in API responses.\n- Use Case: A mobile banking application uses APIs for account management. 
By enforcing token-based authentication for every API call, developers reduce the risk of unauthorized access.\n\nStatic Code Analysis in the Build Pipeline:\n\n- Implementation: Incorporate tools into CI/CD pipelines to automatically scan for vulnerabilities during the build process.\n- Use Case: A fintech company integrates static analysis tools to detect hardcoded credentials in their source code before deployment.\n\nThreat Modeling in the Design Phase:\n\n- Implementation: Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to assess threats during application design.\n- Use Case: Before launching a customer portal, a SaaS company identifies potential abuse cases, such as session hijacking, and designs mitigations like secure session management.\n\n**Tools for Implementation**:\n\n- Static Code Analysis Tools: Use tools that can scan for known vulnerabilities in source code.\n- Dynamic Application Security Testing (DAST): Use tools like Burp Suite or OWASP ZAP to simulate runtime attacks and identify vulnerabilities.\n- Secure Frameworks: Recommend secure-by-default frameworks (e.g., Django for Python, Spring Security for Java) that enforce security best practices.", "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], - "x_mitre_version": "1.1", + "x_mitre_version": "1.2", "type": "course-of-action", "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "created": "2017-10-25T14:48:53.732Z", diff --git a/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json b/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json index 8f8e6cc3ee..26bf022e08 100644 --- a/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json +++ b/mobile-attack/course-of-action/course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee.json 
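Review bot: In the new `description`, the SQL injection item names the right control in its Implementation line (parameterized queries or prepared statements), but its Use Case line credits "sanitizing and validating user inputs" with preventing injection, which is a different and weaker measure. I would align the Use Case with the control, e.g. `- Use Case: A web application accepts user input to search a database. By passing that input as bound query parameters, developers keep it from being interpreted as SQL.` The examples are also web- and API-oriented although this copy sits in the mobile-attack bundle, which seems to follow from the object listing both `enterprise-attack` and `mobile-attack` in `x_mitre_domains`. The object continues past the end of this hunk.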
@@ -1,17 +1,11 @@ { "type": "bundle", - "id": "bundle--b961fff0-898e-46b4-bc47-fbd97beb2656", + "id": "bundle--ef7e4b99-b0b5-4754-98fc-31a74bdbeca5", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "type": "course-of-action", + "id": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "created": "2017-10-25T14:48:53.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -21,11 +15,18 @@ "external_id": "M1012" } ], - "modified": "2020-06-24T15:08:18.395Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:18.032Z", "name": "Enterprise Policy", "description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json b/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json index bbd6a64bf1..8c4e6d9460 100644 --- a/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json +++ b/mobile-attack/course-of-action/course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1.json 
@@ -1,31 +1,32 @@ { "type": "bundle", - "id": "bundle--2829133b-5d2a-43a3-af85-37d8190bd913", + "id": "bundle--def9e5cd-051d-45d5-844c-e3ea2169726d", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "type": "course-of-action", + "id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "created": "2019-10-18T12:53:03.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", - "external_id": "M1011", - "url": "https://attack.mitre.org/mitigations/M1011" + "url": "https://attack.mitre.org/mitigations/M1011", + "external_id": "M1011" } ], - "modified": "2019-10-18T15:51:48.318Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:18.181Z", "name": "User Guidance", "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--76a32151-5233-465f-a607-7e576c62c932.json b/mobile-attack/course-of-action/course-of-action--76a32151-5233-465f-a607-7e576c62c932.json index 4dc8bf532a..6f9f1ed690 100644 --- a/mobile-attack/course-of-action/course-of-action--76a32151-5233-465f-a607-7e576c62c932.json +++ b/mobile-attack/course-of-action/course-of-action--76a32151-5233-465f-a607-7e576c62c932.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d928e17-ab04-41df-85f1-cd2679939f51", + "id": "bundle--40357671-60f2-49aa-84f3-3ecc640cb905", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/course-of-action/course-of-action--78671282-26aa-486c-a7a5-5921e1616b58.json b/mobile-attack/course-of-action/course-of-action--78671282-26aa-486c-a7a5-5921e1616b58.json index c2fcdae770..01c56edf11 100644 --- a/mobile-attack/course-of-action/course-of-action--78671282-26aa-486c-a7a5-5921e1616b58.json +++ b/mobile-attack/course-of-action/course-of-action--78671282-26aa-486c-a7a5-5921e1616b58.json @@ -1,20 +1,13 @@ { "type": "bundle", - "id": "bundle--16917554-05cb-4cc8-bff1-3ed7e90a3d26", + "id": "bundle--61cc2f9f-778c-44f1-89c0-6a8c7af15391", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-21T19:36:08.280Z", - "name": "Antivirus/Antimalware", - "description": "Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", "type": "course-of-action", "id": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", "created": "2023-09-21T19:36:08.280Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -26,9 +19,16 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:22:18.330Z", + "name": "Antivirus/Antimalware", + "description": "Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json b/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json index d5bc405e6c..2e168e7676 100644 --- a/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json +++ b/mobile-attack/course-of-action/course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321.json @@ -1,17 +1,11 @@ { "type": "bundle", - "id": "bundle--4c86b2b6-ccf6-43c4-956b-8cac68f605f9", + "id": "bundle--f4dfc9ee-c255-4a49-b3e0-f06f85d5795e", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "type": "course-of-action", + "id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "created": "2017-10-25T14:48:52.270Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -21,11 +15,18 @@ "external_id": "M1004" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:18.484Z", "name": "System Partition Integrity", "description": "Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json b/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json index 5d47224ad8..3b13ed4cf1 100644 --- a/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json +++ b/mobile-attack/course-of-action/course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8.json @@ -1,17 +1,11 @@ { "type": "bundle", - "id": "bundle--30c78ab3-d368-4aa7-a783-9fce20701233", + "id": "bundle--b0fe12d9-d1fd-432b-84c9-af68edec58a7", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "type": "course-of-action", + "id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "created": "2017-10-25T14:48:50.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -31,11 +25,18 @@ "url": "https://developer.android.com/training/articles/security-config.html" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:18.668Z", "name": "Encrypt Network Traffic", "description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json b/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json index 8cf6583bf7..70783c620a 100644 --- a/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json 
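Review bot: The unchanged `description` of "Encrypt Network Traffic" still says `Apple intends to mandate use of App Transport Security`, a forward-looking statement that reads as stale next to the refreshed `"modified": "2025-04-16T21:22:18.668Z"`. Apart from that stamp, the two hunks of this file appear only to reorder keys and add `x_mitre_attack_spec_version`. The "Attestation" hunk later in this diff has the same problem: its description names `Android SafetyNet`, which Google has, as far as I know, deprecated in favour of the Play Integrity API. Because `x_mitre_version` stays at `1.0` in both objects, consumers should treat that field, not `modified`, as the signal that guidance was reviewed, and both descriptions should be revised in the source data. The object begins in the preceding hunk of this file.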
+++ b/mobile-attack/course-of-action/course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58.json @@ -1,17 +1,11 @@ { "type": "bundle", - "id": "bundle--5ba9d80c-3dcc-4d9c-82d9-15d61fdaddab", + "id": "bundle--eb065471-361c-40f2-b516-aaf5daeb7310", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "type": "course-of-action", + "id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "created": "2017-10-25T14:48:49.554Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -21,11 +15,18 @@ "external_id": "M1003" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:18.821Z", "name": "Lock Bootloader", "description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json b/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json index de4edef614..ddaf1b648b 100644 --- a/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json +++ b/mobile-attack/course-of-action/course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d.json 
@@ -1,31 +1,32 @@ { "type": "bundle", - "id": "bundle--039533bb-a0aa-4b16-b24c-b486acf1ef7c", + "id": "bundle--21013cec-cd84-4350-b228-a9e159557675", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "type": "course-of-action", + "id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "created": "2019-10-18T12:51:36.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", - "external_id": "M1001", - "url": "https://attack.mitre.org/mitigations/M1001" + "url": "https://attack.mitre.org/mitigations/M1001", + "external_id": "M1001" } ], - "modified": "2019-10-18T14:56:15.631Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:18.982Z", "name": "Security Updates", "description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n\nOn Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json b/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json index 669b235090..fdf0879f81 100644 --- a/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json +++ b/mobile-attack/course-of-action/course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433.json @@ -1,17 +1,11 @@ { "type": "bundle", - "id": "bundle--88c473e2-a7c2-46fe-9e9d-1a2a829db21a", + "id": "bundle--e1c6a5dc-9a73-4a65-a282-b18d6ccfbe38", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "type": "course-of-action", + "id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "created": "2017-10-25T14:48:52.601Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -21,11 +15,18 @@ "external_id": "M1010" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:19.136Z", "name": "Deploy Compromised Device Detection Method", "description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json b/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json index ab38eae9f7..7eb9fcb2b9 100644 --- a/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json +++ b/mobile-attack/course-of-action/course-of-action--e829ee51-1caf-4665-ba15-7f8979634124.json 
@@ -1,17 +1,9 @@ { "type": "bundle", - "id": "bundle--f3ce33da-3c2a-418c-9cfc-0238b8057d79", + "id": "bundle--01c196e8-279e-4f7e-bd90-9bf39cefe3e5", "spec_version": "2.0", "objects": [ { - "modified": "2023-08-15T15:06:03.428Z", - "name": "Interconnection Filtering", - "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", "type": "course-of-action", "id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "created": "2017-10-25T14:48:50.181Z", @@ -32,8 +24,16 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:22:19.290Z", + "name": "Interconnection Filtering", + "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json b/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json index aafadb41a9..0678012e77 100644 --- a/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json 
+++ b/mobile-attack/course-of-action/course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9.json 
@@ -1,34 +1,34 @@ { "type": "bundle", - "id": "bundle--d3693b61-d30d-4200-89e9-050aecd8bd17", + "id": "bundle--bfbe1350-5c48-46ba-a434-aac9f4e611c9", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" + "type": "course-of-action", + "id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", + "created": "2017-10-25T14:48:51.365Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/mitigations/M1007", + "external_id": "M1007" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "course-of-action", - "id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", - "created": "2017-10-25T14:48:51.365Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "M1007", - "url": "https://attack.mitre.org/mitigations/M1007" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. 
Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.", - "modified": "2022-04-06T14:47:19.714Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:49.835Z", "name": "Caution with Device Administrator Access", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json b/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json index 330677fe3e..46d26c2b16 100644 --- a/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json +++ b/mobile-attack/course-of-action/course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c.json 
@@ -1,31 +1,32 @@ { "type": "bundle", - "id": "bundle--e3e80ab8-930a-4283-8469-008e1886dfdc", + "id": "bundle--49dcef15-73c5-4f1d-8874-90f5dc670822", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "type": "course-of-action", + "id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "created": "2019-10-18T12:50:35.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "mitre-attack", - "external_id": "M1002", - "url": "https://attack.mitre.org/mitigations/M1002" + "url": "https://attack.mitre.org/mitigations/M1002", + "external_id": "M1002" } ], - "modified": "2019-10-18T14:52:53.019Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:19.448Z", "name": "Attestation", "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json b/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json index 7e67f615c2..4be041c64e 100644 --- a/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json +++ b/mobile-attack/identity/identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5.json 
@@ -1,18 +1,20 @@ { "type": "bundle", - "id": "bundle--0a4c03ad-f46b-4223-8eb8-0be92ea29a1f", + "id": "bundle--c0d330e6-897b-4c81-a326-f33d1a93b3fc", "spec_version": "2.0", "objects": [ { + "modified": "2025-03-19T15:00:40.855Z", + "name": "The MITRE Corporation", + "description": "", + "identity_class": "organization", + "type": "identity", + "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "created": "2017-06-01T00:00:00.000Z", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "type": "identity", - "identity_class": "organization", - "created": "2017-06-01T00:00:00.000Z", - "modified": "2017-06-01T00:00:00.000Z", - "name": "The MITRE Corporation" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json b/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json index 078fcbee38..0b11879dc5 100644 --- a/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json +++ b/mobile-attack/intrusion-set/intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd.json 
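Review bot: The identity object gains `"description": ""`, an empty string that carries no information. The property is optional in STIX, so omitting the key saves consumers from having to tell an empty description from a missing one. The added lines also put `modified` and `name` ahead of `type` and `id`, while the course-of-action files in this same diff were reordered to start with `type`, `id`. Key order is not significant in JSON, but a single order across the export keeps later diffs small.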
@@ -1,39 +1,40 @@ { "type": "bundle", - "id": "bundle--45dd8217-53a0-4fd2-aa8c-318d97e17cdb", + "id": "bundle--25bbefc6-ecb9-44a5-98f7-51016a97810a", "spec_version": "2.0", "objects": [ { - "aliases": [ - "Bouncing Golf" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "type": "intrusion-set", + "id": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "created": "2020-01-27T16:55:39.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "G0097", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/groups/G0097" + "url": "https://attack.mitre.org/groups/G0097", + "external_id": "G0097" }, { "source_name": "Trend Micro Bouncing Golf 2019", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020." + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-03-26T20:58:44.722Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:02.103Z", "name": "Bouncing Golf", "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)", + "aliases": [ + "Bouncing Golf" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json b/mobile-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json new file mode 100644 index 0000000000..65104c5644 --- /dev/null +++ b/mobile-attack/intrusion-set/intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7.json 
@@ -0,0 +1,91 @@ +{ + "type": "bundle", + "id": "bundle--70381940-798f-4cb7-a338-67510d2016d8", + "spec_version": "2.0", + "objects": [ + { + "modified": "2024-10-10T14:31:35.326Z", + "name": "APT41", + "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n", + "aliases": [ + "APT41", + "Wicked Panda", + "Brass Typhoon", + "BARIUM" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "4.1", + "x_mitre_contributors": [ + "Kyaw Pyiyt Htet, @KyawPyiytHtet", + "Nikita Rostovcev, Group-IB" + ], + "type": "intrusion-set", + "id": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", + "created": "2019-09-23T13:43:36.945Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G0096", + "external_id": "G0096" + }, + { + "source_name": "Wicked Panda", + "description": "(Citation: Crowdstrike GTR2020 Mar 2020)" + }, + { + "source_name": "APT41", + "description": "(Citation: FireEye APT41 2019)" + }, + { + "source_name": "Brass Typhoon", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "BARIUM", + 
"description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "Crowdstrike GTR2020 Mar 2020", + "description": "Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.", + "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" + }, + { + "source_name": "FireEye APT41 2019", + "description": "FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. Retrieved September 23, 2019.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "FireEye APT41 Aug 2019", + "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "apt41_mandiant", + "description": "Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024.", + "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" + }, + { + "source_name": "Microsoft Threat Actor Naming July 2023", + "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + }, + { + "source_name": "Group IB APT 41 June 2021", + "description": "Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. 
Retrieved August 26, 2021.", + "url": "https://www.group-ib.com/blog/colunmtk-apt41/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/intrusion-set/intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258.json b/mobile-attack/intrusion-set/intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258.json index 89b651f85b..f5698d0e55 100644 --- a/mobile-attack/intrusion-set/intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258.json +++ b/mobile-attack/intrusion-set/intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1648c2ab-2974-4d05-aac2-1ab7295dda3b", + "id": "bundle--9f4f0171-fe0f-4d22-ba7c-a6e458f5cda6", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json b/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json index 6be322c64b..38dc27dfe1 100644 --- a/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json +++ b/mobile-attack/intrusion-set/intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192.json 
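Review bot: In the new APT41 object, three `external_references` entries (`FireEye APT41 2019`, `FireEye APT41 Aug 2019`, `apt41_mandiant`) all point at `https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf`, so what looks like three independent sources is one report. Two of those entries also carry run-together titles (`Double DragonAPT41, a dual espionage andcyber crime operationAPT41`), which looks like lost punctuation and spacing. I would keep one entry for the report, repoint the `(Citation: …)` markers at it, and repair its title text. The `description` also reads `assessed as Chinese state-sponsored espionage group` (missing article) and ends in a stray `\n`. Unlike the reordered files in this diff, the object lists `modified` before `type` and `id`.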
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--e511f0c4-a4ce-40a1-81b3-ee8d765541f8", + "id": "bundle--58148339-e84e-498c-af90-80325eb43494", "spec_version": "2.0", "objects": [ { - "modified": "2024-09-12T17:37:44.040Z", + "modified": "2024-12-04T21:17:08.593Z", "name": "Sandworm Team", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", "aliases": [ 
@@ -21,7 +21,7 @@ "APT44" ], "x_mitre_deprecated": false, - "x_mitre_version": "4.1", + "x_mitre_version": "4.2", "x_mitre_contributors": [ "Dragos Threat Intelligence", "Hakan KARABACAK" diff --git a/mobile-attack/intrusion-set/intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b.json b/mobile-attack/intrusion-set/intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b.json index 07b9444f50..8b2d3927b3 100644 --- a/mobile-attack/intrusion-set/intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b.json +++ b/mobile-attack/intrusion-set/intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd1f8806-cee1-4b74-ba58-7d9020cbc1d5", + "id": "bundle--8bd3565a-f0ed-406e-96ef-4ee286dd0396", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json b/mobile-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json index 78b6531667..445c7038d4 100644 --- a/mobile-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json +++ b/mobile-attack/intrusion-set/intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f.json 
@@ -1,18 +1,9 @@ { "type": "bundle", - "id": "bundle--7e297838-4387-40ce-b3c7-bf20358e7928", + "id": "bundle--6181c6fa-9930-4085-8bcd-4830dd5c337c", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-22T20:43:16.504Z", - "name": "Confucius", - "description": "[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)", - "aliases": [ - "Confucius", - "Confucius APT" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "1.1", "type": "intrusion-set", "id": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", "created": "2021-12-26T23:11:39.442Z", 
@@ -43,12 +34,21 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T20:37:36.476Z", + "name": "Confucius", + "description": "[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)", + "aliases": [ + "Confucius", + "Confucius APT" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/intrusion-set/intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28.json b/mobile-attack/intrusion-set/intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28.json index 610134efe2..3270d8e0c9 100644 --- a/mobile-attack/intrusion-set/intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28.json +++ b/mobile-attack/intrusion-set/intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28.json 
@@ -1,17 +1,9 @@ { "type": "bundle", - "id": "bundle--b728f0b8-1768-498d-bdec-cb3c5f7542bf", + "id": "bundle--eba215c7-8291-484a-8199-3a65ad6fb293", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-26T14:34:08.342Z", - "name": "MoustachedBouncer", - "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)", - "aliases": [ - "MoustachedBouncer" - ], - "x_mitre_deprecated": false, - "x_mitre_version": "1.0", "type": "intrusion-set", "id": "intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28", "created": "2023-09-25T18:11:05.672Z", @@ -32,12 +24,20 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T20:37:40.255Z", + "name": "MoustachedBouncer", + "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)", + "aliases": [ + "MoustachedBouncer" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, "x_mitre_domains": [ "enterprise-attack", "mobile-attack" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json b/mobile-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json index 0d0e49d4d5..1cddd95f4c 100644 --- a/mobile-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json +++ b/mobile-attack/intrusion-set/intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--46fe3a20-b6dd-4d47-bd58-9d0eb14addbb",
+ "id": "bundle--51e6b983-c9ca-45c9-9814-4798b567eb4c",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/intrusion-set/intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394.json b/mobile-attack/intrusion-set/intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394.json
index 0aa2862c5c..154d41a571 100644
--- a/mobile-attack/intrusion-set/intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394.json
+++ b/mobile-attack/intrusion-set/intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394.json
@@ -1,10 +1,10 @@
 {
 "type": "bundle",
- "id": "bundle--50b1e4a8-71a6-4434-bfc2-ab585fd2f08d",
+ "id": "bundle--b8a63d7d-f669-4612-909e-a595ae2876db",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2024-04-16T15:31:48.747Z",
+ "modified": "2024-11-17T20:01:55.806Z",
 "name": "APT-C-23",
 "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014.(Citation: symantec_mantis) [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets. [APT-C-23](https://attack.mitre.org/groups/G1028) has developed mobile spyware targeting Android and iOS devices since 2017.(Citation: welivesecurity_apt-c-23)",
 "aliases": [
@@ -59,8 +59,8 @@
 },
 {
 "source_name": "fb_arid_viper",
- "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.",
- "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"
+ "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"
 },
 {
 "source_name": "sentinelone_israel_hamas_war",
diff --git a/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json b/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json
index 79e56fc4f5..cdb66c7d94 100644
--- a/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json
+++ b/mobile-attack/intrusion-set/intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--353e8af2-7217-4484-aca7-8c748f3ba11e",
+ "id": "bundle--5b83b9ac-9f7a-4ffa-b0a9-7a995b188373",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json b/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json
index 0a86b06fed..3ff5f4664d 100644
--- a/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json
+++ b/mobile-attack/intrusion-set/intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1.json
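Review bot: The new `url` for `fb_arid_viper` in the `@@ -59,8 +59,8 @@` hunk embeds the archived target as `https:/about.fb.com/...` with a single slash, where the removed line had `https://about.fb.com/...`. The Wayback Machine may tolerate the collapsed slash, but link checkers and any tooling that extracts the original URL from the snapshot path will see a malformed scheme separator. I would keep the previous value, `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`, and change only the retrieval date, since the snapshot timestamp itself is unchanged.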
@@ -1,29 +1,28 @@ { "type": "bundle", - "id": "bundle--b0a98f2d-cfff-4dcc-93c7-d1ff20e7cb12", + "id": "bundle--2e1272ba-b94e-43a4-a904-59304153d836", "spec_version": "2.0", "objects": [ { + "modified": "2024-11-17T14:15:51.850Z", + "name": "Windshift", + "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", "aliases": [ "Windshift", "Bahamut" ], - "x_mitre_domains": [ - "enterprise-attack", - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", + "x_mitre_deprecated": false, + "x_mitre_version": "1.1", "type": "intrusion-set", + "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "created": "2020-06-25T17:16:39.168Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { - "external_id": "G0112", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/groups/G0112" + "url": "https://attack.mitre.org/groups/G0112", + "external_id": "G0112" }, { "source_name": "Bahamut", 
@@ -31,24 +30,28 @@ }, { "source_name": "SANS Windshift August 2018", - "url": "https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf", - "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020." + "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024.", + "url": "https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868" }, { "source_name": "objective-see windtail1 dec 2018", - "url": "https://objective-see.com/blog/blog_0x3B.html", - "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019." + "description": "Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.", + "url": "https://objective-see.com/blog/blog_0x3B.html" }, { "source_name": "objective-see windtail2 jan 2019", - "url": "https://objective-see.com/blog/blog_0x3D.html", - "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019." + "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). 
Retrieved October 3, 2019.", + "url": "https://objective-see.com/blog/blog_0x3D.html" } ], - "modified": "2021-04-26T14:37:33.234Z", - "name": "Windshift", - "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", - "x_mitre_version": "1.1", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json b/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json index fa41fea01c..9c12a5abce 100644 --- a/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json +++ b/mobile-attack/intrusion-set/intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c.json 
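Review bot: The `SANS Windshift August 2018` citation in the `@@ -31,24 +30,28 @@` hunk now points at a scribd.com upload instead of the publisher's sans.org URL, so the reference depends on a third-party copy that can be replaced or removed and that a reader cannot tie back to the original document. The same pattern appears in the APT28 file's `@@ -192,8 +202,8 @@` hunk, where `DOJ GRU Indictment Jul 2018` moves from justice.gov to `cdn.cnn.com`. The `fb_arid_viper` reference in this commit uses a web.archive.org snapshot of the original location, which keeps provenance visible; I would prefer that form for both entries, and where no snapshot exists, state in `description` that the link is a mirror. The reordering of `url` and `description` in the two objective-see entries changes nothing and is fine.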
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--dca71ef7-8c52-481e-8e52-e0b7faf24441", + "id": "bundle--4d31d7de-70b4-4cd4-9a63-7085d2de1b6d", "spec_version": "2.0", "objects": [ { - "modified": "2024-10-10T14:31:01.968Z", + "modified": "2025-03-10T20:15:06.958Z", "name": "APT28", "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). 
", "aliases": [ @@ -22,10 +22,11 @@ "Threat Group-4127", "TG-4127", "Forest Blizzard", - "FROZENLAKE" + "FROZENLAKE", + "GruesomeLarch" ], "x_mitre_deprecated": false, - "x_mitre_version": "5.1", + "x_mitre_version": "5.2", "x_mitre_contributors": [ "S\u00e9bastien Ruel, CGI", "Drew Church, Splunk", @@ -71,6 +72,10 @@ "source_name": "Forest Blizzard", "description": "(Citation: Microsoft Threat Actor Naming July 2023)" }, + { + "source_name": "GruesomeLarch", + "description": "(Citation: Nearest Neighbor Volexity)" + }, { "source_name": "IRON TWILIGHT", "description": "(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)" @@ -137,8 +142,8 @@ }, { "source_name": "FireEye APT28 January 2017", - "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved January 11, 2017.", - "url": "https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf" + "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.", + "url": "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf" }, { "source_name": "FireEye APT28", 
@@ -165,6 +170,11 @@ "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.", "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" }, + { + "source_name": "Nearest Neighbor Volexity", + "description": "Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.", + "url": "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/" + }, { "source_name": "Palo Alto Sofacy 06-2018", "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", @@ -192,8 +202,8 @@ }, { "source_name": "DOJ GRU Indictment Jul 2018", - "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.", - "url": "https://www.justice.gov/file/1080281/download" + "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.", + "url": "https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf" }, { "source_name": "Cybersecurity Advisory GRU Brute Force Campaign July 2021", diff --git a/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json b/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json index 8bfdd3d5f9..c7d8e506dc 100644 --- a/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json +++ b/mobile-attack/intrusion-set/intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034.json 
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8fde672a-fe17-47b7-8fba-206954212196",
+ "id": "bundle--abd8bcec-f90d-475d-b404-3f0d6932f415",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/intrusion-set/intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7.json b/mobile-attack/intrusion-set/intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7.json
new file mode 100644
index 0000000000..2e18f232e9
--- /dev/null
+++ b/mobile-attack/intrusion-set/intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7.json
@@ -0,0 +1,74 @@ +{ + "type": "bundle", + "id": "bundle--03367076-6bc1-4719-9ceb-b6228eb7796b", + "spec_version": "2.0", + "objects": [ + { + "modified": "2025-04-07T14:44:59.715Z", + "name": "LAPSUS$", + "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)", + "aliases": [ + "LAPSUS$", + "DEV-0537", + "Strawberry Tempest" + ], + "x_mitre_deprecated": false, + "x_mitre_version": "2.1", + "x_mitre_contributors": [ + "David Hughes, BT Security", + "Matt Brenton, Zurich Insurance Group", + "Flavio Costa, Cisco", + "Caio Silva" + ], + "type": "intrusion-set", + "id": "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", + "created": "2022-06-09T19:14:31.327Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/groups/G1004", + "external_id": "G1004" + }, + { + "source_name": "Strawberry Tempest", + "description": "(Citation: Microsoft Threat Actor Naming July 2023)" + }, + { + "source_name": "DEV-0537", + "description": "(Citation: MSTIC DEV-0537 Mar 2022)" + }, + { + "source_name": "BBC LAPSUS Apr 2022", + "description": "BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.", + "url": "https://www.bbc.com/news/technology-60953527" + }, + { + "source_name": "Microsoft Threat Actor Naming July 2023", + "description": "Microsoft . 
(2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", + "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" + }, + { + "source_name": "MSTIC DEV-0537 Mar 2022", + "description": "MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.", + "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" + }, + { + "source_name": "UNIT 42 LAPSUS Mar 2022", + "description": "UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.", + "url": "https://unit42.paloaltonetworks.com/lapsus-group/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/intrusion-set/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json b/mobile-attack/intrusion-set/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json index e4c93fe767..700d6126aa 100644 --- a/mobile-attack/intrusion-set/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json +++ b/mobile-attack/intrusion-set/intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a0745e4-3d59-46ed-8ebf-6682e4edab36", + "id": "bundle--d8b356ec-a3da-467d-b4f1-1976334ccad4", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json b/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json index 383895f1cd..9068277aa9 100644 
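Review bot: In the new LAPSUS$ object the `MSTIC DEV-0537 Mar 2022` citation gives the date as `(2022, March 24)` while its `url` path contains `/2022/03/22/`; one of the two is probably wrong, so the citation date should be checked against the post before analysts rely on it for timelines. Two wording slips sit in the same file: the object `description` reads `is cyber criminal threat group` (missing "a"), and the `Microsoft Threat Actor Naming July 2023` citation begins `Microsoft .` with a stray space. I would change these to `is a cyber criminal threat group` and `Microsoft. (2023, July 12). How Microsoft names threat actors.` respectively.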
--- a/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json +++ b/mobile-attack/malware/malware--007ebf84-4e14-44c7-a5aa-151d5de85320.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--1f32a80d-3c5f-4dfe-962a-f9f577591e7a", + "id": "bundle--a7e9e8fb-d8bb-4f9e-8c84-94c832047782", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", + "created": "2020-11-10T16:50:38.917Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0529", + "external_id": "S0529" + }, + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:03.013Z", + "name": "CarbonSteal", + "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. 
(Citation: Lookout Uyghur Campaign)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "CarbonSteal" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", - "type": "malware", - "created": "2020-11-10T16:50:38.917Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0529", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0529" - }, - { - "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." - } - ], - "modified": "2021-09-20T13:54:19.819Z", - "name": "CarbonSteal", - "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)", - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json b/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json index 91099187a4..d43c3056b1 100644 --- a/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json 
+++ b/mobile-attack/malware/malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9.json 
@@ -1,50 +1,50 @@ { "type": "bundle", - "id": "bundle--c0969a5d-1c68-48fa-ac30-cc711d6d9178", + "id": "bundle--d1371f80-852c-4ac0-8d4b-24a90a714d46", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", + "created": "2020-06-26T15:32:24.569Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0480", + "external_id": "S0480" + }, + { + "source_name": "Threat Fabric Cerberus", + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:03.157Z", + "name": "Cerberus", + "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. 
Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Cerberus" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", - "type": "malware", - "created": "2020-06-26T15:32:24.569Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0480", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0480" - }, - { - "source_name": "Threat Fabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." - } - ], - "modified": "2020-09-11T15:43:49.079Z", - "name": "Cerberus", - "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)", - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json b/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json index 4ba46108c4..02465f62da 100644 --- a/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json +++ b/mobile-attack/malware/malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1.json @@ -1,33 +1,19 @@ { "type": "bundle", - "id": "bundle--f76cc1e7-3e47-4621-aeaa-e5be4fc353d1", + "id": "bundle--76f7b00a-1e49-4668-a7e5-085e12fd6bfe", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_aliases": [ - "DroidJack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "malware", "id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "created": "2017-10-25T14:48:40.571Z", - "x_mitre_version": "1.2", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", - "external_id": "S0320", - "url": "https://attack.mitre.org/software/S0320" + "url": "https://attack.mitre.org/software/S0320", + "external_id": "S0320" }, { "source_name": "DroidJack", 
@@ -35,23 +21,37 @@ }, { "source_name": "Proofpoint-Droidjack", - "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app", - "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017." + "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.", + "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app" }, { "source_name": "Zscaler-SuperMarioRun", - "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", - "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017." + "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.", + "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. 
(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", - "modified": "2022-05-20T17:13:16.506Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:03.310Z", "name": "DroidJack", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "DroidJack" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json b/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json index 8934ca1e12..59c7138c19 100644 --- a/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json +++ b/mobile-attack/malware/malware--0626c181-93cb-4860-9cb0-dff3b1c13063.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--5cb396b9-547f-46c2-89b8-ad74dd17ba9d", + "id": "bundle--0bac92cf-86e4-4653-b366-179e573b7ce4", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", + "created": "2019-09-23T13:36:07.816Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0411", + "external_id": "S0411" + }, + { + "source_name": "securelist rotexy 2018", + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:03.463Z", + "name": "Rotexy", + "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. 
It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Rotexy" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", - "type": "malware", - "created": "2019-09-23T13:36:07.816Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0411", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0411" - }, - { - "source_name": "securelist rotexy 2018", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." - } - ], - "modified": "2020-09-11T15:53:38.216Z", - "name": "Rotexy", - "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json b/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json index efe27ddeff..f0b2887a1a 100644 
--- a/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json +++ b/mobile-attack/malware/malware--085eb36d-697d-4d9a-bac3-96eb879fe73c.json @@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--8ce7ed92-e34c-44b1-b9d5-2cb5c83d73d4", + "id": "bundle--bc0a7d57-6d79-48c1-a132-fe0ffe899d3b", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Stealth Mango", - "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "Stealth Mango" - ], "type": "malware", "id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "created": "2018-10-17T00:14:20.652Z", 
@@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:03.669Z", + "name": "Stealth Mango", + "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Stealth Mango" ] } ] diff --git a/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json b/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json index d686ffc0e5..aa7121ec2e 100644 --- a/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json +++ b/mobile-attack/malware/malware--08784a9d-09e9-4dce-a839-9612398214e8.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--4658df35-fb2c-4c9a-8df9-38253bd5079c", + "id": "bundle--3fd73464-8e8e-4222-9992-1dd726f5b05b", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Allwinner", - "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "created": "2018-10-17T00:14:20.652Z", @@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:03.823Z", + "name": "Allwinner", + "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json b/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json index ee60ca787b..f242fbe3c8 100644 --- a/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json 
+++ b/mobile-attack/malware/malware--0b9c5d11-651a-4378-b129-5c584d0242c5.json 
@@ -1,43 +1,43 @@ { "type": "bundle", - "id": "bundle--1aac3e05-1b23-4732-82b0-40331395bb2c", + "id": "bundle--9afb2628-7fd5-40bc-acaf-19ea88d3e604", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_aliases": [ - "GoldenEagle" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "type": "malware", + "id": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "created": "2020-12-24T22:04:27.667Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "S0551", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0551" + "url": "https://attack.mitre.org/software/S0551", + "external_id": "S0551" }, { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2021-03-25T16:20:28.165Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:03.977Z", "name": "GoldenEagle", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "GoldenEagle" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--0ec9593f-3221-49b1-b597-37f307c19f13.json b/mobile-attack/malware/malware--0ec9593f-3221-49b1-b597-37f307c19f13.json index 1c849e3e34..08749059d1 100644 --- a/mobile-attack/malware/malware--0ec9593f-3221-49b1-b597-37f307c19f13.json +++ b/mobile-attack/malware/malware--0ec9593f-3221-49b1-b597-37f307c19f13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7d8aa32-a097-4d50-8c54-e8d1d17c823d", + "id": "bundle--ea573593-a342-440c-8ac9-c1ff47a22d94", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json b/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json index 97daac29fc..f5fce6bb95 100644 --- a/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json +++ b/mobile-attack/malware/malware--108b2817-bc01-404e-8e1b-8cdeec846326.json 
@@ -1,29 +1,9 @@ { "type": "bundle", - "id": "bundle--5415adfa-89a9-4d61-a105-9648adb926b5", + "id": "bundle--3d075d8d-ad43-4893-a3ce-5d70e9d2126c", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-21T18:53:30.817Z", - "name": "Bread", - "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store\u2019s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_contributors": [ - "Sergey Persikov, Check Point", - "Jonathan Shimonovich, Check Point", - "Aviran Hazum, Check Point" - ], - "x_mitre_aliases": [ - "Bread", - "Joker" - ], "type": "malware", "id": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "created": "2020-05-04T14:04:55.823Z", 
@@ -48,11 +28,31 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T21:22:04.130Z", + "name": "Bread", + "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store\u2019s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)", "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Sergey Persikov, Check Point", + "Jonathan Shimonovich, Check Point", + "Aviran Hazum, Check Point" + ], + "x_mitre_aliases": [ + "Bread", + "Joker" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f.json b/mobile-attack/malware/malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f.json new file mode 100644 index 0000000000..cab0b67d0e --- /dev/null +++ b/mobile-attack/malware/malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--f0485784-fc47-4204-8363-09f92f13ea85", + "spec_version": "2.0", + "objects": [ + { + "modified": "2025-04-02T14:42:15.961Z", + "name": "TriangleDB", + "description": "[TriangleDB](https://attack.mitre.org/software/S1216) is an Objective-C written implant deployed after [Binary Validator](https://attack.mitre.org/software/S1215) and after root privileges are obtained during [Operation Triangulation](https://attack.mitre.org/campaigns/C0054)\u2019s infection chain. Upon execution, [TriangleDB](https://attack.mitre.org/software/S1216) communicates with the C2 server, relaying information about the victim device.(Citation: SecureList OpTriangulation 21Jun2023) ", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "TriangleDB" + ], + "type": "malware", + "id": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", + "created": "2025-03-27T22:51:45.705Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1216", + "external_id": "S1216" + }, + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/malware/malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1.json b/mobile-attack/malware/malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1.json index fba8b6863f..05a456fba3 100644 --- a/mobile-attack/malware/malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1.json +++ b/mobile-attack/malware/malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a4327dc-34c2-4628-9737-cfb94a49ba91", + "id": "bundle--745468b7-d583-4003-a9b9-d2d0443a0e52", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json b/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json index 7889e66ad3..532eed7420 100644 --- a/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json +++ b/mobile-attack/malware/malware--172444ab-97fc-4d94-b142-179452bfb760.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--5259c537-2551-4104-920e-c0ecbaf2b85e", + "id": "bundle--06b063c6-2e9f-4b1d-9d5b-a7f1a793ea24", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Judy", - "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--172444ab-97fc-4d94-b142-179452bfb760", "created": "2018-10-17T00:14:20.652Z", 
@@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:04.284Z", + "name": "Judy", + "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json b/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json index 6ca1aa589c..62b647d486 100644 --- a/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json +++ b/mobile-attack/malware/malware--2074b2ad-612e-4758-adce-7901c1b49bbc.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--350304eb-e731-463b-8f2e-c2bedbab117b", + "id": "bundle--47b14667-a5f7-45df-9992-646eab845ee8", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "OldBoot", - "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "created": "2017-10-25T14:48:45.155Z", 
@@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:04.440Z", + "name": "OldBoot", + "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json b/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json index 9c5b19f557..e3938d6e02 100644 --- a/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json +++ b/mobile-attack/malware/malware--20d56cd6-8dff-4871-9889-d32d254816de.json 
@@ -1,28 +1,9 @@ { "type": "bundle", - "id": "bundle--d6b819d6-121b-4feb-b81b-dfd2bfe0e656", + "id": "bundle--0d4cff21-ac2d-41e0-9179-fcc5f44058ae", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Gooligan", - "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "Gooligan", - "Ghost Push" - ], "type": "malware", "id": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "created": "2017-10-25T14:48:43.242Z", 
@@ -59,6 +40,25 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:04.607Z", + "name": "Gooligan", + "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Gooligan", + "Ghost Push" ] } ] diff --git a/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json b/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json index 0c5aa16415..902ae55df7 100644 --- a/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json +++ b/mobile-attack/malware/malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23.json 
@@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--1a464787-099c-4d7f-bd15-a538e29f4a08", + "id": "bundle--f89f5c5e-98f0-4265-91af-5e61f0452205", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "SpyNote RAT", - "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "SpyNote RAT" - ], "type": "malware", "id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "created": "2017-10-25T14:48:45.794Z", @@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:04.768Z", + "name": "SpyNote RAT", + "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "SpyNote RAT" ] } ] diff --git a/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json b/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json index c54486897c..7191bf3d61 100644 
--- a/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json
+++ b/mobile-attack/malware/malware--21170624-89db-4e99-bf27-58d26be07c3a.json
@@ -1,18 +1,43 @@ { "type": "bundle", - "id": "bundle--bf20b515-7ace-499d-a85d-fb6084ba3b61", + "id": "bundle--a8236589-0dce-4ec0-9cfa-9962d6028205", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a", + "created": "2020-04-24T17:46:31.111Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0427", + "external_id": "S0427" + }, + { + "source_name": "SecurityIntelligence TrickMo", + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:04.918Z", + "name": "TrickMo", + "description": "[TrickMo](https://attack.mitre.org/software/S0427) a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). [TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Ohad Mana, Check Point", "Aviran Hazum, Check Point", 
@@ -20,32 +45,7 @@ ], "x_mitre_aliases": [ "TrickMo" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a", - "type": "malware", - "created": "2020-04-24T17:46:31.111Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0427", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0427" - }, - { - "source_name": "SecurityIntelligence TrickMo", - "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", - "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." - } - ], - "modified": "2020-09-11T15:57:37.561Z", - "name": "TrickMo", - "description": "[TrickMo](https://attack.mitre.org/software/S0427) a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). [TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json b/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json index 29cf45d5ae..3f89fceefc 100644 --- a/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json +++ b/mobile-attack/malware/malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--a16d6ca1-0629-45e8-952c-815d8149e4e9", + "id": "bundle--ef098c2e-d4c3-4d46-aa65-691867f5c988", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", + "created": "2020-06-02T14:32:31.461Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0463", + "external_id": "S0463" + }, + { + "source_name": "Volexity Insomnia", + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:05.067Z", + "name": "INSOMNIA", + "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "INSOMNIA" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", - "type": "malware", - "created": "2020-06-02T14:32:31.461Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0463", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0463" - }, - { - "source_name": "Volexity Insomnia", - "url": 
"https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", - "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." - } - ], - "modified": "2020-06-24T18:24:35.433Z", - "name": "INSOMNIA", - "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json b/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json index 1667d708ee..36c5e4d2a5 100644 --- a/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json +++ b/mobile-attack/malware/malware--22b596a6-d288-4409-8520-5f2846f85514.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--c867a03c-192e-4ca4-9fab-bd12a83a63f5", + "id": "bundle--71f92e71-7828-4941-802e-0787852a0cbd", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--22b596a6-d288-4409-8520-5f2846f85514", + "created": "2019-12-10T16:07:40.664Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0420", + "external_id": "S0420" + }, + { + "source_name": "SecureList DVMap June 2017", + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:05.219Z", + "name": "Dvmap", + "description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Dvmap" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--22b596a6-d288-4409-8520-5f2846f85514", - "type": "malware", - "created": "2019-12-10T16:07:40.664Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0420", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0420" - }, - { - "description": "R. Unuchek. (2017, June 8). 
Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", - "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", - "source_name": "SecureList DVMap June 2017" - } - ], - "modified": "2020-01-22T22:17:23.015Z", - "name": "Dvmap", - "description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json b/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json index 47dd64a84f..f2826c7994 100644 --- a/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json +++ b/mobile-attack/malware/malware--22faaa56-a8ac-4292-9be6-b571b255ee40.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--5b182166-d873-421c-b3fe-e03d181b0699", + "id": "bundle--f4cedf96-3a36-4225-836f-974106fda585", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", + "created": "2020-07-27T14:14:56.729Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0494", + "external_id": "S0494" + }, + { + "source_name": "Google Security Zen", + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:05.422Z", + "name": "Zen", + "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Zen" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", - "type": "malware", - "created": "2020-07-27T14:14:56.729Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0494", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0494" - }, - { - "source_name": "Google Security Zen", - "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", - "description": "Siewierski, L. (2019, January 11). 
PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." - } - ], - "modified": "2020-08-11T14:23:15.002Z", - "name": "Zen", - "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json b/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json index 6d6fc7a342..c1f902ebe8 100644 --- a/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json +++ b/mobile-attack/malware/malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--57f36cb0-9c0d-456e-8f53-28d015bde466", + "id": "bundle--94400773-3854-4831-823c-4282bf7f2321", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "NotCompatible", - "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "created": "2017-10-25T14:48:36.707Z", 
@@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:05.573Z", + "name": "NotCompatible", + "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5.json b/mobile-attack/malware/malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5.json index 5838cdf705..805e8d1c86 100644 --- a/mobile-attack/malware/malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5.json +++ b/mobile-attack/malware/malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5.json 
@@ -1,12 +1,12 @@ { "type": "bundle", - "id": "bundle--589751dd-555c-45ca-878a-71d449361ca8", + "id": "bundle--c42a1380-9e63-4358-9a63-a57de54a1a54", "spec_version": "2.0", "objects": [ { - "modified": "2024-04-16T15:46:27.358Z", + "modified": "2025-01-24T17:12:44.782Z", "name": "AhRat", - "description": "[AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. [AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, \u201ciRecorder \u2013 Screen Recorder\u201d, which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)", + "description": "[AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. [AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, \u201ciRecorder \u2013 Screen Recorder,\u201d which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)", "x_mitre_platforms": [ "Android" ], diff --git a/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json b/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json index efe165d474..9d52388f02 100644 --- a/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json +++ b/mobile-attack/malware/malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c.json 
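Review bot: The reworded `description` moves the comma inside the closing quotation mark, so the quoted application name now reads `\u201ciRecorder \u2013 Screen Recorder,\u201d`. Anyone who copies the quoted text, or a script that extracts it to search app inventories or store listings, now picks up a trailing comma that is not part of the name. Keeping the punctuation outside the quotes avoids that: `\u201ciRecorder \u2013 Screen Recorder\u201d, which itself was released in September 2021.` The object continues past the end of this hunk, so the rest of its fields are not visible here.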
@@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--f3f95de6-9f26-44e1-8a3c-b9f8948eb2d8", + "id": "bundle--4679f036-46fd-46a8-9450-e6572104fce2", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "XLoader for Android", - "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "2.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "XLoader for Android" - ], "type": "malware", "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "created": "2018-10-17T00:14:20.652Z", 
@@ -49,6 +31,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:05.761Z", + "name": "XLoader for Android", + "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "XLoader for Android" ] } ] diff --git a/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json b/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json index 44e0c50a47..31954a5812 100644 --- a/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json +++ b/mobile-attack/malware/malware--28e39395-91e7-4f02-b694-5e079c964da9.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--b29d17cc-8653-4872-a2ad-bc46d4e45361", + "id": "bundle--38d4a3d2-59d0-4edf-baa0-1c5e6008176c", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Trojan-SMS.AndroidOS.FakeInst.a", - "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "created": "2017-10-25T14:48:46.107Z", @@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:05.907Z", + "name": "Trojan-SMS.AndroidOS.FakeInst.a", + "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json b/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json index 8d5d17f23f..4196198627 100644 --- a/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json +++ b/mobile-attack/malware/malware--29944858-da52-4d3d-b428-f8a6eb8dde6f.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--927be497-28e9-404e-9bd3-461136514a3b", + "id": "bundle--25eaaefc-7a23-41f4-aead-4168217af0ee", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", + "created": "2020-07-20T13:58:53.422Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0490", + "external_id": "S0490" + }, + { + "source_name": "TrendMicro-XLoader-FakeSpy", + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:06.053Z", + "name": "XLoader for iOS", + "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "iOS" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "XLoader for iOS" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", - "type": "malware", - "created": "2020-07-20T13:58:53.422Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0490", - 
"source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0490" - }, - { - "source_name": "TrendMicro-XLoader-FakeSpy", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", - "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." - } - ], - "modified": "2021-12-07T14:46:08.852Z", - "name": "XLoader for iOS", - "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json b/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json index 9aaabcaf06..604dce1c9f 100644 --- a/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json +++ b/mobile-attack/malware/malware--2aec175b-4429-4048-8e09-3ef6cbecfc64.json 
@@ -1,23 +1,9 @@ { "type": "bundle", - "id": "bundle--3eb926fa-3416-4b64-b3ec-83c3c3eccc58", + "id": "bundle--d1fc8162-efe1-48d2-bce1-dd1404f7c8ae", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-13T22:33:55.061Z", - "name": "AbstractEmu", - "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_aliases": [ - "AbstractEmu" - ], "type": "malware", "id": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "created": "2023-02-06T18:48:41.442Z", 
@@ -38,11 +24,25 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T21:22:06.208Z", + "name": "AbstractEmu", + "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)", "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "AbstractEmu" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f.json b/mobile-attack/malware/malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f.json index b21561d8e0..a33aa41800 100644 --- a/mobile-attack/malware/malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f.json +++ b/mobile-attack/malware/malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f.json 
@@ -1,28 +1,9 @@ { "type": "bundle", - "id": "bundle--2f36cad6-ceac-49ee-a3b3-554cba60dea0", + "id": "bundle--8a1ea659-9bd1-4e3a-9b6f-1e57aacb8229", "spec_version": "2.0", "objects": [ { - "modified": "2023-09-26T13:30:33.039Z", - "name": "Chameleon", - "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_contributors": [ - "Yasuhito Kawanishi, NEC Corporation", - "Manikantan Srinivasan, NEC Corporation India", - "Pooja Natarajan, NEC Corporation India" - ], - "x_mitre_aliases": [ - "Chameleon" - ], "type": "malware", "id": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "created": "2023-08-16T16:30:44.598Z", 
@@ -43,11 +24,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T21:22:06.355Z", + "name": "Chameleon", + "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)", "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Yasuhito Kawanishi, NEC Corporation", + "Manikantan Srinivasan, NEC Corporation India", + "Pooja Natarajan, NEC Corporation India" + ], + "x_mitre_aliases": [ + "Chameleon" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json b/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json index f93e3ce3b0..450039876b 100644 --- a/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json +++ b/mobile-attack/malware/malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb.json 
@@ -1,35 +1,35 @@ { "type": "bundle", - "id": "bundle--d6c4abef-79f5-421b-ad34-9c4df5e06ba4", + "id": "bundle--6a3e92cf-1ed4-4db9-9e2a-b2124c6ceac6", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], + "modified": "2024-11-17T18:31:54.806Z", + "name": "Exodus", + "description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)", "x_mitre_platforms": [ "Android" ], + "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", "x_mitre_aliases": [ "Exodus", "Exodus One", "Exodus Two" ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "type": "malware", + "id": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "created": "2019-09-03T19:45:47.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { - "external_id": "S0405", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0405" + "url": "https://attack.mitre.org/software/S0405", + "external_id": "S0405" }, { "source_name": "Exodus One", 
@@ -41,15 +41,17 @@ }, { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-10-14T17:15:52.191Z", - "name": "Exodus", - "description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json b/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json index 1ca8671866..1d5c5ab16e 100644 --- a/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json +++ b/mobile-attack/malware/malware--317a2c10-d489-431e-b6b2-f0251fddc88e.json 
@@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--6c0157fa-f82f-4835-9fc0-41deb12038a2", + "id": "bundle--bcdee6b7-e14f-4246-ad91-00af13dd50de", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Dendroid", - "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "2.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "Dendroid" - ], "type": "malware", "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "created": "2017-10-25T14:48:37.438Z", @@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:06.526Z", + "name": "Dendroid", + "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Dendroid" ] } ] diff --git a/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json b/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json index a9e67232a7..b2d44c56b4 100644 
--- a/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json +++ b/mobile-attack/malware/malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--94234884-351e-47d1-a4df-28639ae872d3", + "id": "bundle--63d5c5c7-b332-4721-9235-ce21dd2f1148", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "WireLurker", - "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "created": "2017-10-25T14:48:37.020Z", @@ -39,7 +27,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:06.693Z", + "name": "WireLurker", + "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json b/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json index 086b8fcf62..c75be2f64b 100644 --- a/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json +++ b/mobile-attack/malware/malware--3271c107-92c4-442e-9506-e76d62230ee8.json 
@@ -1,45 +1,57 @@ { "type": "bundle", - "id": "bundle--d27d0463-366e-4ab7-b6cc-4fd7edeb11cc", + "id": "bundle--6e98e054-ff01-4191-9ba6-d4a782bb5e17", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], + "modified": "2025-01-13T17:52:20.612Z", + "name": "Desert Scorpion", + "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor [APT-C-23](https://attack.mitre.org/groups/G1028).(Citation: Lookout Desert Scorpion) \n\nThere are multiple close variants of [Desert Scorpion](https://attack.mitre.org/software/S0505), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [FrozenCell](https://attack.mitre.org/software/S0577) and [SpyC23](https://attack.mitre.org/software/S1195), which add some additional functionality but are not significantly different from the original malware.", "x_mitre_platforms": [ "Android" ], + "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.2", "x_mitre_aliases": [ "Desert Scorpion" ], + "type": "malware", + "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "created": "2020-09-11T14:54:16.188Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0505", + "external_id": "S0505" + }, + { + "source_name": "Lookout Desert Scorpion", + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" + }, + { + "source_name": "Unit42 VAMP 2017", + "description": "Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.", + "url": "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" + }, + { + "source_name": "Trendmicro GnatSpy 2017", + "description": "Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.", + "url": "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8", - "type": "malware", - "created": "2020-09-11T14:54:16.188Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0505", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0505" - }, - { - "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." - } + "labels": [ + "malware" ], - "modified": "2021-04-19T17:11:50.159Z", - "name": "Desert Scorpion", - "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. 
[Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) ", - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json b/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json index b1c13cf3fc..6956d6b338 100644 --- a/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json +++ b/mobile-attack/malware/malware--33d9d91d-aad9-49d5-a516-220ce101ac8a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0b68ab8f-0af7-4695-b467-176cc27f675a", + "id": "bundle--10c7d0d6-9fcc-4ea3-a75d-1a3cd1e42152", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json b/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json index fcdc102d40..5d07e3eee8 100644 --- a/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json +++ b/mobile-attack/malware/malware--35aae10a-97c5-471a-9c67-02c231a7a31a.json 
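Review bot: The new `description` names VAMP and GnatSpy as close variants of Desert Scorpion, but gives them only a citation, while FrozenCell and SpyC23 in the same sentence link to their own software entries and `x_mitre_aliases` still lists only `"Desert Scorpion"`. A consumer that resolves malware names through aliases or software IDs will therefore not map reporting on VAMP or GnatSpy to S0505. That may be intended, since variants are not aliases, but the text does not say which entry such reporting belongs to. If they are meant to be tracked here, a short clause such as `VAMP and GnatSpy are tracked under this entry` would make that explicit. Separately, the string keeps a trailing space before the paragraph break (`Desert Scorpion) \n\nThere`), which could be written `Desert Scorpion)\n\nThere`.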
@@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--77c7da56-e678-45a9-8140-85f8cf9c0b63", + "id": "bundle--f0d7c564-7f46-4887-923d-e684a48e6abe", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Tangelo", - "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "iOS" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "Tangelo" - ], "type": "malware", "id": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "created": "2018-10-17T00:14:20.652Z", @@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:06.838Z", + "name": "Tangelo", + "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Tangelo" ] } ] 
diff --git a/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json b/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json index c5462c0c39..59e41d0bfd 100644 --- a/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json +++ b/mobile-attack/malware/malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b.json @@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--1be1f521-3fc7-4e01-8f98-5f5bcf850bb6", + "id": "bundle--d577e11c-27ed-491c-b42f-1ab7424fc496", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "RCSAndroid", - "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "RCSAndroid" - ], "type": "malware", "id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "created": "2017-10-25T14:48:38.274Z", @@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:06.991Z", + "name": "RCSAndroid", + "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "RCSAndroid" ] } ] diff --git a/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json b/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json index a9b6ef0f2c..099771383c 100644 
--- a/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json +++ b/mobile-attack/malware/malware--366c800f-97a8-48d5-b0a6-79d00198252a.json @@ -1,35 +1,18 @@ { "type": "bundle", - "id": "bundle--dea30777-13f4-44a7-b843-8cca442b4c45", + "id": "bundle--e63ef35d-d32d-435e-a5e9-f8b7fbd08dc8", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_aliases": [ - "Corona Updates", - "Wabi Music", - "Concipit1248" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "type": "malware", + "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "created": "2020-04-24T15:06:32.870Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "S0425", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0425" + "url": "https://attack.mitre.org/software/S0425", + "external_id": "S0425" }, { "source_name": "Wabi Music", 
@@ -41,16 +24,33 @@ }, { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-09-11T15:45:38.235Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:07.148Z", "name": "Corona Updates", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Corona Updates", + "Wabi Music", + "Concipit1248" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json b/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json index 6b28edc8a8..29ecf362ff 100644 --- a/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json 
+++ b/mobile-attack/malware/malware--3a913bac-4fae-4d0e-bca8-cae452f1599b.json @@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--0028ddef-53b2-4ba9-be3d-94ce471838dc", + "id": "bundle--3b9d3adf-449f-4a8f-90ba-ba9472797233", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Skygofree", - "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "Skygofree" - ], "type": "malware", "id": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "created": "2018-10-17T00:14:20.652Z", @@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:07.299Z", + "name": "Skygofree", + "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Skygofree" ] } ] diff --git a/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json b/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json index 57e6189294..03a1159ec2 100644 --- a/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json 
+++ b/mobile-attack/malware/malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--09adc4bc-d745-4fb8-80fc-2d8e60ca1a70", + "id": "bundle--f8897245-c4c1-4e2e-b463-84bb1a818b01", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "KeyRaider", - "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "created": "2017-10-25T14:48:43.815Z", @@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:07.456Z", + "name": "KeyRaider", + "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json b/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json index a23d24cd68..f8f3365739 100644 --- a/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json +++ b/mobile-attack/malware/malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--772dbb02-5943-4d08-9dbd-32d03130cfeb", + "id": "bundle--2a2f8abb-06bb-4759-8a76-800e692024c5", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "ZergHelper", - "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "created": "2017-10-25T14:48:44.853Z", @@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:07.644Z", + "name": "ZergHelper", + "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json b/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json index cb9b3152b6..eb595c454c 100644 --- a/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json +++ b/mobile-attack/malware/malware--3d6c4389-3489-40a3-beda-c56e650b6f68.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--01f7025b-aac2-434e-8690-784c69ff8f28", + "id": "bundle--15ad36a2-eb70-4863-ac0a-4954c322fb50", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", + "created": "2020-12-24T21:50:02.027Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0550", + "external_id": "S0550" + }, + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:07.802Z", + "name": "DoubleAgent", + "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "DoubleAgent" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", - "type": "malware", - "created": "2020-12-24T21:50:02.027Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0550", - "source_name": "mitre-attack", - "url": 
"https://attack.mitre.org/software/S0550" - }, - { - "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." - } - ], - "modified": "2021-04-19T17:05:42.253Z", - "name": "DoubleAgent", - "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json b/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json index 14800d901d..75968cd5b5 100644 --- a/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json +++ b/mobile-attack/malware/malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c.json 
@@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--ce7ed688-a986-44f4-983b-c377f40ad727", + "id": "bundle--30d15644-9f07-4b38-97de-25c1aa63c4aa", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Twitoor", - "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "2.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "Twitoor" - ], "type": "malware", "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "created": "2017-10-25T14:48:42.313Z", @@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:07.968Z", + "name": "Twitoor", + "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Twitoor" ] } ] diff --git a/mobile-attack/malware/malware--429e1526-6293-495b-8808-af7f9a66c4be.json b/mobile-attack/malware/malware--429e1526-6293-495b-8808-af7f9a66c4be.json index 09c354d72c..d3fe8bf3d0 100644 --- a/mobile-attack/malware/malware--429e1526-6293-495b-8808-af7f9a66c4be.json +++ b/mobile-attack/malware/malware--429e1526-6293-495b-8808-af7f9a66c4be.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28786c09-5ac6-4be9-a660-01978d832a1e", + "id": "bundle--bf633bd5-dcea-4f7c-a485-b3e8ca2be6b5", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json b/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json index f3e0757596..5671e1fa5e 100644 --- a/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json +++ b/mobile-attack/malware/malware--4b53eb01-57d7-47b4-b078-22766b002b36.json @@ -1,23 +1,9 @@ { "type": "bundle", - "id": "bundle--19f14747-ea55-4a7b-8734-ba12ad750707", + "id": "bundle--7e88b7d6-359b-429f-be7e-a939ab62535b", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-13T22:32:16.509Z", - "name": "S.O.V.A.", - "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_aliases": [ - "S.O.V.A." - ], "type": "malware", "id": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "created": "2023-02-06T19:34:43.026Z", 
@@ -43,11 +29,25 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T21:22:08.121Z", + "name": "S.O.V.A.", + "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. [S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "S.O.V.A." + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json b/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json index 4d4e5b4c34..16e37911de 100644 --- a/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json +++ b/mobile-attack/malware/malware--4bf6ba32-4165-42c1-b911-9c36165891c8.json 
@@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--acbb49bc-65e2-493b-a533-d2fada4709f0", + "id": "bundle--ccc1ac1d-7fd6-4089-93e2-f6cf9f3ba913", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "ANDROIDOS_ANSERVER.A", - "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "ANDROIDOS_ANSERVER.A" - ], "type": "malware", "id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "created": "2017-10-25T14:48:47.965Z", @@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:08.276Z", + "name": "ANDROIDOS_ANSERVER.A", + "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.3", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "ANDROIDOS_ANSERVER.A" ] } ] diff --git a/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json b/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json index 23e4b1cfbf..bf08d9f4ed 100644 --- a/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json 
+++ b/mobile-attack/malware/malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--343dbf62-7925-4ebf-969d-04138f55fd7d", + "id": "bundle--22327d11-be8d-4629-b190-b90a1db6a9a6", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "DualToy", - "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "created": "2017-10-25T14:48:41.721Z", @@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:08.432Z", + "name": "DualToy", + "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json b/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json index 27ad382f50..602a37e07a 100644 --- a/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json +++ b/mobile-attack/malware/malware--52c994fa-b6c8-45a8-9586-a4275cf19307.json 
@@ -1,37 +1,18 @@ { "type": "bundle", - "id": "bundle--9d1f7665-698d-4f79-aece-430f376b8c68", + "id": "bundle--cf748ade-4263-4d16-919e-8d18e8060001", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_aliases": [ - "Mandrake", - "oxide", - "briar", - "ricinus", - "darkmatter" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "type": "malware", + "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "created": "2020-07-15T20:20:58.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "S0485", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0485" + "url": "https://attack.mitre.org/software/S0485", + "external_id": "S0485" }, { "source_name": "oxide", 
@@ -51,16 +32,35 @@ }, { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-09-11T15:52:12.097Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:08.595Z", "name": "Mandrake", "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. 
The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Mandrake", + "oxide", + "briar", + "ricinus", + "darkmatter" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--55714f87-6178-4b89-b3e5-d3a643f647ca.json b/mobile-attack/malware/malware--55714f87-6178-4b89-b3e5-d3a643f647ca.json index 687329ea94..aa6b75c746 100644 --- a/mobile-attack/malware/malware--55714f87-6178-4b89-b3e5-d3a643f647ca.json +++ b/mobile-attack/malware/malware--55714f87-6178-4b89-b3e5-d3a643f647ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ff25bd4-b02c-4934-9275-acd3535c81c6", + "id": "bundle--7369c7b4-da44-4621-b056-b88acf27a24a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json b/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json index ed253cc516..c98332d958 100644 --- a/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json +++ b/mobile-attack/malware/malware--56660521-6db4-4e5a-a927-464f22954b7c.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--3e617010-3761-40d2-9cd6-aa0f8d576fe3", + "id": "bundle--8adf59e5-5ded-4e60-966c-e51630e3ef6c", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "X-Agent for Android", - "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "created": "2017-10-25T14:48:42.034Z", 
@@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:08.784Z", + "name": "X-Agent for Android", + "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json b/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json index 9c7bac8fbf..8c4bd507db 100644 --- a/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json +++ b/mobile-attack/malware/malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663.json 
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--f0844b7a-bcb4-4388-b38e-61e26608a095", + "id": "bundle--93c9617a-fb7f-4133-8d65-180e17b71238", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", + "created": "2020-06-26T15:12:39.648Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0479", + "external_id": "S0479" + }, + { + "source_name": "ESET DEFENSOR ID", + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:08.935Z", + "name": "DEFENSOR ID", + "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim\u2019s bank account or cryptocurrency wallet and taking over email or social media accounts. 
[DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android\u2019s accessibility service.(Citation: ESET DEFENSOR ID) ", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Luk\u00e1\u0161 \u0160tefanko, ESET" ], "x_mitre_aliases": [ "DEFENSOR ID" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", - "type": "malware", - "created": "2020-06-26T15:12:39.648Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0479", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0479" - }, - { - "source_name": "ESET DEFENSOR ID", - "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", - "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." - } - ], - "modified": "2020-06-26T20:16:31.850Z", - "name": "DEFENSOR ID", - "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim\u2019s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android\u2019s accessibility service.(Citation: ESET DEFENSOR ID) ", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/malware/malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4.json b/mobile-attack/malware/malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4.json
index bcfedcbd3b..3ff0fb41d1 100644
--- a/mobile-attack/malware/malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4.json
+++ b/mobile-attack/malware/malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ed91f3cb-243f-4a73-9186-bc0a8fccd298",
+ "id": "bundle--727cee13-6c8a-40ac-91e6-0a39e45c0b00",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927.json b/mobile-attack/malware/malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927.json
new file mode 100644
index 0000000000..09737991b9
--- /dev/null
+++ b/mobile-attack/malware/malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927.json
@@ -0,0 +1,56 @@ +{ + "type": "bundle", + "id": "bundle--a56501ec-a94e-4d1e-af1c-8955c743f9f7", + "spec_version": "2.0", + "objects": [ + { + "type": "malware", + "id": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "created": "2025-01-03T20:41:46.276Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1185", + "external_id": "S1185" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-15T18:40:23.781Z", + "name": "LightSpy", + "description": "First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). 
LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.(Citation: MelikovBlackBerry LightSpy 2024) ", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "Windows", + "iOS", + "macOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Alden Schmidt", + "Dmitry Bestuzhev" + ], + "x_mitre_aliases": [ + "LightSpy" + ], + "labels": [ + "malware" + ] + } + ] +} \ No newline at end of file diff --git a/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json b/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json index 5e00a169ff..85fa2028b4 100644 --- a/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json +++ b/mobile-attack/malware/malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--d730c7c4-867a-498c-8a92-4ea2a3e3bf19", + "id": "bundle--7bfe4c83-f4fc-46cc-ae88-2dffcaa0990d", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "MazarBOT", - "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "created": "2017-10-25T14:48:40.875Z", 
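Review bot: `x_mitre_platforms` in this new LightSpy object lists `"Windows"`, but the description names only iOS, Android and macOS and describes the modules as `.dylib` or `.apk` files, so the two fields disagree about coverage. Either the description should mention a Windows variant with a citation for it, or `"Windows"` should be left out until one is cited; the single reference given (MelikovBlackBerry LightSpy 2024) should be checked for which of the two it supports. Defenders who scope detection coverage from the platform list would otherwise plan for Windows with no description of what to look for. The description string also ends with a trailing space after the citation.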
@@ -38,7 +26,19 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:22:09.084Z",
+ "name": "MazarBOT",
+ "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)",
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json b/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json
index 0b2ca1c59f..f4da563af7 100644
--- a/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json
+++ b/mobile-attack/malware/malware--6146be90-470c-4049-bb3a-9986b8ffb65b.json
@@ -1,50 +1,50 @@ { "type": "bundle", - "id": "bundle--0973575b-b1e9-4a0e-9674-cc680b216c8b", + "id": "bundle--a80e5fe7-20b6-47f2-8be0-a396f707805f", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", + "created": "2020-04-08T15:51:24.862Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0423", + "external_id": "S0423" + }, + { + "source_name": "ThreatFabric Ginp", + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:09.244Z", + "name": "Ginp", + "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. 
Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Ginp" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", - "type": "malware", - "created": "2020-04-08T15:51:24.862Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0423", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0423" - }, - { - "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", - "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", - "source_name": "ThreatFabric Ginp" - } - ], - "modified": "2020-09-11T15:50:18.707Z", - "name": "Ginp", - "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json b/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json index 2e5ac34cc4..2618e8b568 100644 --- a/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json 
+++ b/mobile-attack/malware/malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f.json
@@ -1,21 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--de336f16-a531-42c2-9ddc-b19d6cd9b2d2",
+ "id": "bundle--4b347750-2b4b-4420-b160-aa88699bf8b8",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2022-10-24T15:09:07.609Z",
- "name": "HummingWhale",
- "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)",
- "labels": [
- "malware"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
 "type": "malware",
 "id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f",
 "created": "2017-10-25T14:48:40.259Z",
@@ -38,7 +26,19 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:22:09.395Z",
+ "name": "HummingWhale",
+ "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)",
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json b/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json
index 155672282a..d7e8beeead 100644
--- a/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json
+++ b/mobile-attack/malware/malware--680f680c-eef9-4f8a-b5f5-f451bf47e403.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--641e8ef8-80b4-4e89-b826-5b3278b8473f",
+ "id": "bundle--575917a3-9525-47ad-87cd-6bfedc562624",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json b/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json
index c708fef780..f38f737b31 100644
--- a/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json
+++ b/mobile-attack/malware/malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f.json
@@ -1,23 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--568e3283-4b2c-42e9-9c44-76602eb56807",
+ "id": "bundle--e7b31a30-9441-4f6d-b02b-eed69e0ae042",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2023-03-01T22:00:09.640Z",
- "name": "TangleBot",
- "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)",
- "x_mitre_platforms": [
- "Android"
- ],
- "x_mitre_deprecated": false,
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_aliases": [
- "TangleBot"
- ],
 "type": "malware",
 "id": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f",
 "created": "2023-02-28T21:39:52.744Z",
@@ -38,11 +24,25 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "modified": "2025-04-16T21:22:09.556Z",
+ "name": "TangleBot",
+ "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)",
 "labels": [
 "malware"
 ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "TangleBot"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json b/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json
index a4a68c8f0f..a73e72155e 100644
--- a/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json
+++ b/mobile-attack/malware/malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65.json
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--251c2133-d740-4742-83a3-cdb3a727025c", + "id": "bundle--36c52a2a-192a-4724-badb-4b091c98f780", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", + "created": "2019-09-04T14:28:14.181Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0407", + "external_id": "S0407" + }, + { + "source_name": "Lookout-Monokle", + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:09.753Z", + "name": "Monokle", + "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. 
It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.(Citation: Lookout-Monokle)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "J\u00f6rg Abraham, EclecticIQ" ], "x_mitre_aliases": [ "Monokle" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", - "type": "malware", - "created": "2019-09-04T14:28:14.181Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "url": "https://attack.mitre.org/software/S0407", - "source_name": "mitre-attack", - "external_id": "S0407" - }, - { - "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" - } - ], - "modified": "2021-11-01T18:30:41.998Z", - "name": "Monokle", - "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.(Citation: Lookout-Monokle)", - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json b/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json index 7c7daa7f5c..08b4d5215e 100644 
--- a/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json
+++ b/mobile-attack/malware/malware--6e282bbf-5f32-476a-b879-ba77eec463c8.json
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--dd87a55c-f6e5-4f02-9311-1f972fe0cbbd", + "id": "bundle--3a2d7363-2fdc-43ca-9069-f60f31fcba34", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", + "created": "2020-12-14T14:52:02.949Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0539", + "external_id": "S0539" + }, + { + "source_name": "Sophos Red Alert 2.0", + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:09.903Z", + "name": "Red Alert 2.0", + "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Red Alert 2.0" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", - "type": "malware", - "created": "2020-12-14T14:52:02.949Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0539", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0539" - }, - { - "source_name": "Sophos Red Alert 2.0", - "url": 
"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", - "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." - } - ], - "modified": "2020-12-16T20:52:20.822Z", - "name": "Red Alert 2.0", - "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json b/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json index 7ce7cc00c0..7c8130556a 100644 --- a/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json +++ b/mobile-attack/malware/malware--6fcaf9b0-b509-4644-9f93-556222c81ed2.json @@ -1,34 +1,18 @@ { "type": "bundle", - "id": "bundle--255f163f-702f-4f2f-9875-ded637ca8221", + "id": "bundle--13dd86d7-4df8-4c4a-8dbf-82508cec959b", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_aliases": [ - "ViceLeaker", - "Triout" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "type": "malware", + "id": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "created": "2019-11-21T16:42:48.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "S0418", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0418" + "url": "https://attack.mitre.org/software/S0418", + "external_id": "S0418" }, { "source_name": "ViceLeaker", 
@@ -39,22 +23,38 @@ "description": "(Citation: SecureList - ViceLeaker 2019)" }, { + "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", - "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", - "source_name": "SecureList - ViceLeaker 2019" + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", - "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", - "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020.", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], - "modified": "2020-03-26T19:00:42.233Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:10.060Z", "name": "ViceLeaker", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + 
"x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "ViceLeaker", + "Triout" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--8338393c-cb2e-4ee6-b944-34672499c785.json b/mobile-attack/malware/malware--8338393c-cb2e-4ee6-b944-34672499c785.json index 193b6cfb95..1bfd955bca 100644 --- a/mobile-attack/malware/malware--8338393c-cb2e-4ee6-b944-34672499c785.json +++ b/mobile-attack/malware/malware--8338393c-cb2e-4ee6-b944-34672499c785.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--92450b19-c002-497d-8609-793d2689ae1e", + "id": "bundle--95e3ff3f-dd6f-488e-8395-a79d6c4bcd13", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json b/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json index e5b854f1ea..1f74d4d669 100644 --- a/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json +++ b/mobile-attack/malware/malware--838f647e-8ff8-48bd-bbd5-613cee7736cb.json 
@@ -1,49 +1,49 @@ { "type": "bundle", - "id": "bundle--c345c55e-569e-4bc3-ac47-5c1bbefc0b7c", + "id": "bundle--38604438-184e-4152-aff7-80f33881087b", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", + "created": "2020-09-15T15:18:11.971Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0509", + "external_id": "S0509" + }, + { + "source_name": "Cybereason FakeSpy", + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:10.213Z", + "name": "FakeSpy", + "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Ofir Almkias, Cybereason" ], "x_mitre_aliases": [ "FakeSpy" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", - "type": "malware", - "created": "2020-09-15T15:18:11.971Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0509", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0509" - }, - { - "source_name": "Cybereason FakeSpy", - 
"url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", - "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." - } - ], - "modified": "2020-10-06T20:09:57.659Z", - "name": "FakeSpy", - "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json b/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json index fcbd96e68a..757f185970 100644 --- a/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json +++ b/mobile-attack/malware/malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b.json @@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--1b14adf0-0663-48cb-ae00-6010a454de8a", + "id": "bundle--cd04aa69-55f2-4a47-b5fd-4ff041a66871", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "SpyDealer", - "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "SpyDealer" - ], "type": "malware", "id": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "created": "2018-10-17T00:14:20.652Z", 
@@ -44,6 +26,24 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:22:10.366Z",
+ "name": "SpyDealer",
+ "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)",
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android"
+ ],
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.2",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "SpyDealer"
 ]
 }
 ]
diff --git a/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json b/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json
index 90abd1353b..711c4f95b3 100644
--- a/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json
+++ b/mobile-attack/malware/malware--89c3dbf6-f281-41b7-be1d-a0e641014853.json
@@ -1,34 +1,18 @@
 {
 "type": "bundle",
- "id": "bundle--43b71c7c-89c3-488c-920e-47d0856e4ed2",
+ "id": "bundle--1efc2da6-922e-446e-b5a0-9a7677e6ea66",
 "spec_version": "2.0",
 "objects": [
 {
- "labels": [
- "malware"
- ],
- "x_mitre_platforms": [
- "iOS"
- ],
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_aliases": [
- "Concipit1248",
- "Corona Updates"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853",
 "type": "malware",
+ "id": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853",
 "created": "2020-04-24T15:12:10.817Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
- "external_id": "S0426",
 "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/software/S0426"
+ "url": "https://attack.mitre.org/software/S0426",
+ "external_id": "S0426"
 },
 {
 "source_name": "Corona Updates",
@@ -36,16 +20,32 @@ }, { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-04-30T18:30:05.787Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:10.526Z", "name": "Concipit1248", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Concipit1248", + "Corona Updates" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json b/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json index c11adb8815..9ec4fb83b1 100644 --- a/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json 
+++ b/mobile-attack/malware/malware--936be60d-90eb-4c36-9247-4b31128432c4.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--c362d9bf-972b-41bd-80e3-3613ba8e4c53", + "id": "bundle--5d3a69eb-9f20-43b7-84fc-0947b124f803", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "RuMMS", - "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "created": "2017-10-25T14:48:48.917Z", @@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:10.719Z", + "name": "RuMMS", + "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json b/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json index b2f15b60e9..ff167eff5a 100644 --- a/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json +++ b/mobile-attack/malware/malware--93799a9d-3537-43d8-b6f4-17215de1657c.json 
@@ -1,28 +1,9 @@ { "type": "bundle", - "id": "bundle--33df3a45-447f-4f71-a7b5-f10b964a412e", + "id": "bundle--0a498fee-d799-4110-95cf-21c855f1260d", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Pegasus for Android", - "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "Pegasus for Android", - "Chrysaor" - ], "type": "malware", "id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "created": "2017-10-25T14:48:41.202Z", @@ -54,6 +35,25 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:10.874Z", + "name": "Pegasus for Android", + "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Pegasus for Android", + "Chrysaor" ] } ] 
diff --git a/mobile-attack/malware/malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807.json b/mobile-attack/malware/malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807.json new file mode 100644 index 0000000000..231299d116 --- /dev/null +++ b/mobile-attack/malware/malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807.json 
@@ -0,0 +1,61 @@ +{ + "type": "bundle", + "id": "bundle--ae7f9723-a536-4fad-a2c1-45d8c4445da3", + "spec_version": "2.0", + "objects": [ + { + "modified": "2025-02-19T17:09:13.063Z", + "name": "SpyC23", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) is a mobile malware that has been used by [APT-C-23](https://attack.mitre.org/groups/G1028) since at least 2017. [SpyC23](https://attack.mitre.org/software/S1195) has been observed primarily targeting Android devices in the Middle East.(Citation: welivesecurity_apt-c-23) \n\nThere are multiple close variants of [SpyC23](https://attack.mitre.org/software/S1195), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [Desert Scorpion](https://attack.mitre.org/software/S0505) and [FrozenCell](https://attack.mitre.org/software/S0577), which add some additional functionality but are not significantly different from the original malware.", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Sittikorn Sangrattanapitak" + ], + "x_mitre_aliases": [ + "SpyC23" + ], + "type": "malware", + "id": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "created": "2024-03-26T19:12:00.011Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1195", + "external_id": "S1195" + }, + { + "source_name": "Unit42 VAMP 2017", + "description": "Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.", + "url": "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" + }, + { + "source_name": "Trendmicro GnatSpy 2017", + "description": "Guo, G., Xu, E. (2017, December 18). 
New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.", + "url": "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json b/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json index a6ae9c513b..a7ea1958a6 100644 --- a/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json +++ b/mobile-attack/malware/malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62.json 
@@ -1,45 +1,57 @@ { "type": "bundle", - "id": "bundle--ce5bc8f2-876d-4128-aa63-029865f70960", + "id": "bundle--008bec3d-f751-4da6-9dd6-fa5ab4e19f9f", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], + "modified": "2025-02-19T17:08:24.276Z", + "name": "FrozenCell", + "description": "[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell) \n\nThere are multiple close variants of [FrozenCell](https://attack.mitre.org/software/S0577), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [Desert Scorpion](https://attack.mitre.org/software/S0505) and [SpyC23](https://attack.mitre.org/software/S1195), which add some additional functionality but are not significantly different from the original malware.", "x_mitre_platforms": [ "Android" ], + "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.1", "x_mitre_aliases": [ "FrozenCell" ], + "type": "malware", + "id": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", + "created": "2021-02-17T20:43:52.033Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0577", + "external_id": "S0577" + }, + { + "source_name": "Unit42 VAMP 2017", + "description": "Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.", + "url": "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/" + }, + { + "source_name": "Trendmicro GnatSpy 2017", + "description": "Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. 
Retrieved March 4, 2024.", + "url": "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html" + }, + { + "source_name": "Lookout FrozenCell", + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", - "type": "malware", - "created": "2021-02-17T20:43:52.033Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0577", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0577" - }, - { - "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." - } + "labels": [ + "malware" ], - "modified": "2021-04-19T14:07:24.519Z", - "name": "FrozenCell", - "description": "[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json b/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json index 34841bac2e..cf9fda6c49 100644 --- a/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json 
+++ b/mobile-attack/malware/malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--a08fcbfb-1280-4fa0-ab32-0bf8e9228f33", + "id": "bundle--b76a87e2-ef3d-4319-b3ec-fced263b0918", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", + "created": "2020-10-29T18:41:49.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0524", + "external_id": "S0524" + }, + { + "source_name": "Microsoft MalLockerB", + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:11.027Z", + "name": "AndroidOS/MalLocker.B", + "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. 
(Citation: Microsoft MalLockerB)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "AndroidOS/MalLocker.B" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", - "type": "malware", - "created": "2020-10-29T18:41:49.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0524", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0524" - }, - { - "source_name": "Microsoft MalLockerB", - "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/", - "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020." - } - ], - "modified": "2020-10-29T18:41:49.272Z", - "name": "AndroidOS/MalLocker.B", - "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json b/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json index c98eefb14e..c12f6819a6 100644 --- a/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json 
+++ b/mobile-attack/malware/malware--9cd72f5c-bec0-4f7e-bb6d-296937116291.json @@ -1,23 +1,9 @@ { "type": "bundle", - "id": "bundle--256f2ce8-c973-4eca-8b05-d0a83b3178c7", + "id": "bundle--39e00299-2f99-4e78-8b02-6550142456f6", "spec_version": "2.0", "objects": [ { - "modified": "2023-02-28T21:05:57.018Z", - "name": "SharkBot", - "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_aliases": [ - "SharkBot" - ], "type": "malware", "id": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "created": "2023-01-18T19:44:52.711Z", @@ -38,11 +24,25 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T21:22:11.187Z", + "name": "SharkBot", + "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)", "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "SharkBot" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json b/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json index 652084e5dc..73ceecb8f9 100644 --- a/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json +++ b/mobile-attack/malware/malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381.json @@ -1,24 +1,20 @@ { "type": "bundle", - "id": "bundle--f07a1e2e-9b5c-4d5b-b46a-53b90796d1df", + "id": "bundle--0ada826c-85ba-4bfb-810c-c5565353aba5", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", + "modified": "2024-11-17T14:24:44.696Z", "name": "RedDrop", "description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], + "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_aliases": [ "RedDrop" ], @@ -26,6 +22,7 @@ "id": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "mitre-attack", 
@@ -38,13 +35,18 @@ }, { "source_name": "Wandera-RedDrop", - "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", - "url": "https://www.wandera.com/reddrop-malware/" + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json b/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json index caa6f19fda..2181b1397b 100644 --- a/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json +++ b/mobile-attack/malware/malware--a0d774e4-bafc-4292-8651-3ec899391341.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--5ea1e0d0-6e9a-4428-badf-519ad0139ed9", + "id": "bundle--dfb71fc5-e44d-473e-ba95-4e5afac10221", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--a0d774e4-bafc-4292-8651-3ec899391341", + "created": "2020-12-31T18:25:04.779Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0555", + "external_id": "S0555" + }, + { + "source_name": "CYBERWARCON CHEMISTGAMES", + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:11.340Z", + "name": "CHEMISTGAMES", + "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "CHEMISTGAMES" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--a0d774e4-bafc-4292-8651-3ec899391341", - "type": "malware", - "created": "2020-12-31T18:25:04.779Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0555", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0555" - }, - { - "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. 
(2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." - } - ], - "modified": "2021-03-25T16:42:05.526Z", - "name": "CHEMISTGAMES", - "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json b/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json index 6585759d96..da2e2715c0 100644 --- a/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json +++ b/mobile-attack/malware/malware--a15c9357-2be0-4836-beec-594f28b9b4a9.json @@ -1,24 +1,9 @@ { "type": "bundle", - "id": "bundle--c88f8b8f-f331-4816-b187-3be57708e7c4", + "id": "bundle--4bba199c-f580-4afc-9659-d25578143d4e", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-20T18:19:15.826Z", - "name": "YiSpecter", - "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)", - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "2.0", - "x_mitre_aliases": [ - "YiSpecter" - ], "type": "malware", "id": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "created": "2017-10-25T14:48:48.301Z", 
@@ -39,11 +24,26 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T21:22:11.527Z", + "name": "YiSpecter", + "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)", "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "YiSpecter" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json b/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json index 90c8ca3b86..d21da14dcd 100644 --- a/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json +++ b/mobile-attack/malware/malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--c6c9637e-6210-4326-bddb-ad0ff8d5bc98", + "id": "bundle--e3665df9-a2d7-4907-ae34-b56a23033029", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Trojan-SMS.AndroidOS.Agent.ao", - "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "created": "2017-10-25T14:48:46.411Z", @@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:11.724Z", + "name": "Trojan-SMS.AndroidOS.Agent.ao", + "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1.json b/mobile-attack/malware/malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1.json index 2ea14262b2..4d6d377b46 100644 --- a/mobile-attack/malware/malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1.json +++ b/mobile-attack/malware/malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ca7b7fc-af6a-4043-a698-c31774bb6560", + "id": "bundle--e25d6140-ad6e-4453-b1a3-dfc932ddec62", "spec_version": "2.0", "objects": [ { 
diff --git a/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json b/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json index 916e34d397..b5fbf418cf 100644 --- a/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json +++ b/mobile-attack/malware/malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1a70acd-7823-4998-ad7d-da1caba6f6cb", + "id": "bundle--5e999478-2942-412e-a18a-27877f535c18", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json b/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json index 002553be40..61e749ad2c 100644 --- a/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json +++ b/mobile-attack/malware/malware--a3dad2be-ce62-4440-953b-00fbce7aba93.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--37f83d59-ecc6-4f20-80e7-057a1acefa6c", + "id": "bundle--1fa47801-a4ac-4e07-84a0-ddf6e33dfd77", "spec_version": "2.0", "objects": [ { - "modified": "2024-04-16T21:01:50.792Z", + "modified": "2024-11-17T20:00:53.685Z", "name": "AndroRAT", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. [AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)", "x_mitre_platforms": [ 
@@ -41,8 +41,8 @@ }, { "source_name": "github_androrat", - "description": "The404Hacking. (n.d.). AndroRAT. Retrieved April 8, 2024.", - "url": "https://web.archive.org/web/20221013124327/https://github.com/The404Hacking/AndroRAT" + "description": "The404Hacking. (n.d.). AndroRAT. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221013124327/https:/github.com/The404Hacking/AndroRAT" } ], "object_marking_refs": [ diff --git a/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json b/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json index a6f7dee603..4ce29d58f4 100644 --- a/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json +++ b/mobile-attack/malware/malware--a5528622-3a8a-4633-86ce-8cdaf8423858.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--36753e61-fd6b-4b67-a161-3ce8d22114d1", + "id": "bundle--917a8693-2338-490f-81cf-92e570bef65a", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json b/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json index 994a2ac464..4d7ad1ae18 100644 --- a/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json +++ b/mobile-attack/malware/malware--a6228601-03f6-4949-ae22-c1087627a637.json 
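Review bot: The new `url` for the `github_androrat` reference embeds the archived target as `https:/github.com/...`, with a single slash after the scheme, where the removed line had `https://github.com/...`. The archive service may well normalise this, but any consumer that extracts, validates or de-duplicates reference URLs from the bundle will see a malformed inner URL and a spurious change to the citation. I would keep `"url": "https://web.archive.org/web/20221013124327/https://github.com/The404Hacking/AndroRAT"` and update only the retrieval date in `description`. The enclosing `external_references` array starts outside this hunk.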
@@ -1,50 +1,50 @@ { "type": "bundle", - "id": "bundle--449d9b8f-f792-4e56-bd17-ed5414b7feb4", + "id": "bundle--798a9392-8b71-4e3d-9b3d-0e68e0970ee9", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--a6228601-03f6-4949-ae22-c1087627a637", + "created": "2020-05-07T15:18:34.417Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0440", + "external_id": "S0440" + }, + { + "source_name": "CheckPoint Agent Smith", + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:11.884Z", + "name": "Agent Smith", + "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. 
As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Aviran Hazum, Check Point", "Sergey Persikov, Check Point" ], "x_mitre_aliases": [ "Agent Smith" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--a6228601-03f6-4949-ae22-c1087627a637", - "type": "malware", - "created": "2020-05-07T15:18:34.417Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0440", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0440" - }, - { - "source_name": "CheckPoint Agent Smith", - "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", - "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." - } - ], - "modified": "2020-06-17T12:49:21.423Z", - "name": "Agent Smith", - "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. 
As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json b/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json index b5e6fb1d42..a72e17cd53 100644 --- a/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json +++ b/mobile-attack/malware/malware--a76b837b-93cc-417d-bf28-c47a6a284fa4.json @@ -1,34 +1,18 @@ { "type": "bundle", - "id": "bundle--2c78f6d7-2815-4bc0-8c22-afd8fbba6f95", + "id": "bundle--a76a79a6-1641-453e-81c3-2dd85bae418f", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_aliases": [ - "Asacub", - "Trojan-SMS.AndroidOS.Smaps" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "type": "malware", + "id": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "created": "2020-12-14T15:02:35.007Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "S0540", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0540" + "url": "https://attack.mitre.org/software/S0540", + "external_id": "S0540" }, { "source_name": "Trojan-SMS.AndroidOS.Smaps", 
@@ -36,16 +20,32 @@ }, { "source_name": "Securelist Asacub", - "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", - "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], - "modified": "2020-12-16T20:21:43.239Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:12.041Z", "name": "Asacub", "description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims\u2019 bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Asacub", + "Trojan-SMS.AndroidOS.Smaps" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json b/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json index 0b892fbe98..bcd77c7f00 100644 --- a/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json +++ b/mobile-attack/malware/malware--a993495c-9813-4372-b9ec-d168c7f7ec0a.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--f182ed48-7250-4497-a6e8-edade0fcc029", + "id": "bundle--e2cad326-666b-4a07-a30a-5fcf42dcf2cf", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", + "created": "2020-11-24T17:55:12.561Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0536", + "external_id": "S0536" + }, + { + "source_name": "Talos GPlayed", + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:12.191Z", + "name": "GPlayed", + "description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "GPlayed" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", - "type": "malware", - "created": "2020-11-24T17:55:12.561Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0536", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0536" - }, - { - "source_name": "Talos GPlayed", - "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", - "description": "V. Ventura. (2018, October 11). 
GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." - } - ], - "modified": "2020-11-24T17:55:12.561Z", - "name": "GPlayed", - "description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json b/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json index e883069974..ec997c5e3c 100644 --- a/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json +++ b/mobile-attack/malware/malware--aecc0097-c9f8-4786-9b39-e891ff173f54.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--5be7bdc4-4bf5-4bf7-a30b-e0c25a9304aa", + "id": "bundle--1b1a0a3a-b152-474f-8a52-9e3a372fbc55", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", + "created": "2020-06-26T14:55:12.847Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0478", + "external_id": "S0478" + }, + { + "source_name": "Cybereason EventBot", + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:12.346Z", + "name": "EventBot", + "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android\u2019s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "EventBot" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", - "type": "malware", - "created": "2020-06-26T14:55:12.847Z", - "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0478", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0478" - }, - { - "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." - } - ], - "modified": "2020-06-26T21:01:58.595Z", - "name": "EventBot", - "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android\u2019s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json b/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json index 581c533390..54f5718d9b 100644 --- a/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json +++ b/mobile-attack/malware/malware--aef537ba-10c2-40ed-a57a-80b8508aada4.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--12c76061-ed0a-40e3-a42b-b8a4ec934131", + "id": "bundle--aaea21f7-2b56-406d-9b06-078a1bec504b", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", + "created": "2020-12-17T20:15:22.110Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0544", + "external_id": "S0544" + }, + { + "source_name": "Palo Alto HenBox", + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:12.500Z", + "name": "HenBox", + "description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. 
[HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "HenBox" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", - "type": "malware", - "created": "2020-12-17T20:15:22.110Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0544", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0544" - }, - { - "source_name": "Palo Alto HenBox", - "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", - "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." - } - ], - "modified": "2021-04-12T03:02:06.792Z", - "name": "HenBox", - "description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. [HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--b0a243dd-8075-42f9-86f6-64989600ed20.json b/mobile-attack/malware/malware--b0a243dd-8075-42f9-86f6-64989600ed20.json new file mode 100644 index 0000000000..b2ae3e1877 --- /dev/null 
+++ b/mobile-attack/malware/malware--b0a243dd-8075-42f9-86f6-64989600ed20.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--d47dae0a-72f4-4ecc-b70d-f994ab26c6d6", + "spec_version": "2.0", + "objects": [ + { + "modified": "2025-04-02T15:36:23.931Z", + "name": "Binary Validator", + "description": "[Binary Validator](https://attack.mitre.org/software/S1215) is a Mach-O binary file used during [Operation Triangulation](https://attack.mitre.org/campaigns/C0054).(Citation: SecureList OpTriangulation 23Oct2023) [Binary Validator](https://attack.mitre.org/software/S1215) first collects information about the device, such as the device's phone number and a list of installed applications, before the deployment of the [TriangleDB](https://attack.mitre.org/software/S1216) implant. After the actions are completed and the data is collected, [Binary Validator](https://attack.mitre.org/software/S1215) encrypts and sends the data to the C2 server, and in turn, the C2 server sends the [TriangleDB](https://attack.mitre.org/software/S1216) implant.", + "x_mitre_platforms": [ + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Binary Validator" + ], + "type": "malware", + "id": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", + "created": "2025-03-27T22:44:51.717Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1215", + "external_id": "S1215" + }, + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json b/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json index 20633c5ee3..66dbb6c06a 100644 --- a/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json +++ b/mobile-attack/malware/malware--c0efbaae-9e7d-4716-a92d-68373aac7424.json 
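Review bot: The new Binary Validator object (malware--b0a243dd-8075-42f9-86f6-64989600ed20.json) spells out `"revoked": false` and `"x_mitre_deprecated": false`, while the rewritten objects elsewhere in this commit (for example Agent Smith, malware--a6228601-03f6-4949-ae22-c1087627a637.json) carry neither key, so one release mixes two object shapes. A consumer that selects active software with a strict equality test on these fields would drop the objects that omit them, so a missing key has to be read as false. If the release is meant to be uniform, the other objects would need `"revoked": false,` and `"x_mitre_deprecated": false,` as well. Otherwise the convention is worth stating in the release notes. The key order here (`modified`, `name` first) also differs from the `type`, `id` first order used by the reordered files, so nothing downstream should depend on order.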
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--894a276a-82cf-4e67-b59f-5b6dd4ef797a", + "id": "bundle--dc1de458-6102-4664-8667-01d85b1854ed", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", + "created": "2019-08-07T15:57:12.877Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0403", + "external_id": "S0403" + }, + { + "source_name": "Kaspersky Riltok June 2019", + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:12.694Z", + "name": "Riltok", + "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Riltok" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", - "type": "malware", - "created": "2019-08-07T15:57:12.877Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0403", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0403" - }, - { - "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", - "url": "https://securelist.com/mobile-banker-riltok/91374/", - "source_name": "Kaspersky Riltok June 2019" - } - ], - "modified": "2019-09-18T13:44:13.080Z", - "name": "Riltok", - "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json b/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json index 86af31e81f..77e2a1e979 100644 --- a/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json +++ b/mobile-attack/malware/malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--ebaab47e-e9d7-4522-af93-89f6dce6c607", + "id": "bundle--9f227c46-bb83-47f4-80b0-c5fc84a1cf43", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", + "created": "2020-01-27T17:05:57.712Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0421", + "external_id": "S0421" + }, + { + "source_name": "Trend Micro Bouncing Golf 2019", + "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:12.846Z", + "name": "GolfSpy", + "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "GolfSpy" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", - "type": "malware", - "created": "2020-01-27T17:05:57.712Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0421", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0421" - }, - { - "source_name": "Trend Micro 
Bouncing Golf 2019", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020." - } - ], - "modified": "2020-03-26T20:50:07.023Z", - "name": "GolfSpy", - "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json b/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json index f0d60fd3ff..1571f66761 100644 --- a/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json +++ b/mobile-attack/malware/malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878.json 
@@ -1,50 +1,50 @@ { "type": "bundle", - "id": "bundle--2dc23b5c-415a-41a2-9ac4-1d1a951204c1", + "id": "bundle--6a1d6581-4806-4343-ba77-100f12426146", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_aliases": [ - "Pallas" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "type": "malware", + "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "created": "2019-07-10T15:35:43.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "S0399", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0399" + "url": "https://attack.mitre.org/software/S0399", + "external_id": "S0399" }, { "source_name": "Pallas", "description": "(Citation: Lookout Dark Caracal Jan 2018)" }, { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", - "source_name": "Lookout Dark Caracal Jan 2018" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-09-18T20:17:17.744Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:12.993Z", "name": "Pallas", "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Pallas" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json b/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json index 9e23bfa5fb..3984aaba83 100644 --- a/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json +++ b/mobile-attack/malware/malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24.json 
@@ -1,43 +1,43 @@ { "type": "bundle", - "id": "bundle--f9adcb21-e71e-4f49-8cb7-a43f42432174", + "id": "bundle--6daff0ac-a5b2-4d9e-bb9a-82fc51ada9fd", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_aliases": [ - "Circles" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "type": "malware", + "id": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "created": "2021-04-26T15:33:55.798Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "S0602", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0602" + "url": "https://attack.mitre.org/software/S0602", + "external_id": "S0602" }, { "source_name": "CitizenLab Circles", - "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/", - "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020." + "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. 
Retrieved December 23, 2020.", + "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/" } ], - "modified": "2021-04-26T15:33:55.798Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:13.137Z", "name": "Circles", "description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company\u2019s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Circles" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json b/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json index 0fdca153fd..3da1cdabb6 100644 --- a/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json +++ b/mobile-attack/malware/malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--d72f3e97-e9ab-4b06-afc0-20c258aa4daf", + "id": "bundle--b69f0903-7335-4f7b-9ae8-c5a79e0b9391", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", + "created": "2021-01-05T20:16:19.968Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0558", + "external_id": "S0558" + }, + { + "source_name": "Zscaler TikTok Spyware", + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:13.285Z", + "name": "Tiktok Pro", + "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Tiktok Pro" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", - "type": "malware", - "created": "2021-01-05T20:16:19.968Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0558", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0558" - }, - { - "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021." - } - ], - "modified": "2021-04-19T16:30:16.930Z", - "name": "Tiktok Pro", - "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json b/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json index 5883a822ae..b3e21dcd5c 100644 --- a/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json +++ b/mobile-attack/malware/malware--c709da93-20c3-4d17-ab68-48cba76b2137.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--64663b3a-51ef-496e-8f5d-ae5e1d039a65", + "id": "bundle--25205788-ca61-4046-a134-7f7ec7a14947", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "PJApps", - "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "created": "2017-10-25T14:48:43.527Z", 
@@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:13.454Z", + "name": "PJApps", + "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json b/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json index 025989ffd2..ba6fd22e51 100644 --- a/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json +++ b/mobile-attack/malware/malware--c80a6bef-b3ce-44d0-b113-946e93124898.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--e6576646-c107-4575-befe-4134a0c1d9fc", + "id": "bundle--f74fbb71-8d42-43e8-bb57-da5019b2300a", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "ShiftyBug", - "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "created": "2017-10-25T14:48:38.690Z", 
@@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:13.608Z", + "name": "ShiftyBug", + "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json b/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json index 02ddd4788a..233a3798cf 100644 --- a/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json +++ b/mobile-attack/malware/malware--c8770c81-c29f-40d2-a140-38544206b2b4.json @@ -1,20 +1,9 @@ { "type": "bundle", - "id": "bundle--93ab746f-435f-4178-a40a-f559cf09f3a7", + "id": "bundle--c9d2f39c-e1d1-4df7-80e3-cc4e275fb738", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-21T18:52:08.966Z", - "name": "HummingBad", - "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)", - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_aliases": [ - "HummingBad" - ], "type": "malware", "id": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "created": "2017-10-25T14:48:42.948Z", 
@@ -35,11 +24,22 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T21:22:13.785Z", + "name": "HummingBad", + "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)", "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "HummingBad" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json b/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json index 6ba1a35f3a..f3200877a9 100644 --- a/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json +++ b/mobile-attack/malware/malware--c91cec55-634c-4670-ba10-2dc7ceb28e98.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1705ae4-588f-4bdc-a921-44ed2882bd5e", + "id": "bundle--8b05da21-ccec-4e78-b3d8-5eebff70e1ee", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json b/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json index a622a61600..2743710041 100644 --- a/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json +++ b/mobile-attack/malware/malware--ca4f63b9-a358-4214-bb26-8c912318cfde.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--e1ed29c5-2e6b-484a-9220-42b02b84a3c9", + "id": "bundle--f4db1b2b-aa75-48c3-9244-d7cbac4f2842", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "OBAD", - "description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "created": "2017-10-25T14:48:44.540Z", @@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:13.949Z", + "name": "OBAD", + "description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4.json b/mobile-attack/malware/malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4.json new file mode 100644 index 0000000000..bb2b23a36e --- /dev/null +++ b/mobile-attack/malware/malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4.json 
@@ -0,0 +1,51 @@ +{ + "type": "bundle", + "id": "bundle--b8c51afc-ce00-452c-a89d-24f09b1bd632", + "spec_version": "2.0", + "objects": [ + { + "modified": "2025-03-12T22:09:42.623Z", + "name": "FjordPhantom", + "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) is a malicious Android application first discovered in September 2024 with targets in Southeast Asia, specifically Indonesia, Thailand, and Vietnam. [FjordPhantom](https://attack.mitre.org/software/S1208) was distributed through email and messaging applications. Once installed, the application launches a virtualization solution to steal important information, such as bank accounts, and to manipulate the user interface. The malicious activity from the virtualization solution runs alongside legitimate banking applications.(Citation: Promon FjordPhantom Oct2024) ", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_contributors": [ + "Liran Ravich, CardinalOps" + ], + "x_mitre_aliases": [ + "FjordPhantom" + ], + "type": "malware", + "id": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", + "created": "2025-03-12T22:01:15.599Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1208", + "external_id": "S1208" + }, + { + "source_name": "Promon FjordPhantom Oct2024", + "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", + "url": "https://promon.io/security-news/fjordphantom-android-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
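Review bot: The `Promon FjordPhantom Oct2024` entry in the new file's `external_references` has no article title; its `description` reads only `Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.`, unlike the other citations visible in this patch. A consumer that renders the citation will show an untitled reference, and the dates in the object's description cannot be cross-checked from the record itself. I would fill it in as `"description": "Promon Security Research Team. (2024, October 1). <ARTICLE TITLE>. Retrieved February 19, 2025."`, taking the title from the cited page. The object `description` also ends with a stray space after the citation, and the key order here (`modified`, `name` first) differs from the `type`, `id`, `created` order the other files in this commit are normalised to.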
diff --git a/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json b/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json index 758956cf15..32be08479e 100644 --- a/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json +++ b/mobile-attack/malware/malware--d05f7357-4cbe-47ea-bf83-b8604226d533.json @@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--d02e0c92-bb8f-419d-a6a7-9c95e4492579", + "id": "bundle--94fcf1b0-07a6-4e70-8f19-75e9ef54f3c4", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Android/Chuli.A", - "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "Android/Chuli.A" - ], "type": "malware", "id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "created": "2017-10-25T14:48:45.482Z", @@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:14.103Z", + "name": "Android/Chuli.A", + "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Android/Chuli.A" ] } ] 
diff --git a/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json b/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json index e96c94e4fd..1889e3084c 100644 --- a/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json +++ b/mobile-attack/malware/malware--d1c600f8-0fb6-4367-921b-85b71947d950.json @@ -1,27 +1,9 @@ { "type": "bundle", - "id": "bundle--098a2e89-9d33-4d81-acaf-aa7b7403c495", + "id": "bundle--57b3275a-d293-4db7-98ba-9a6d2dc583bf", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Charger", - "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_aliases": [ - "Charger" - ], "type": "malware", "id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "created": "2017-10-25T14:48:39.631Z", 
@@ -44,6 +26,24 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:14.258Z", + "name": "Charger", + "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "Charger" ] } ] diff --git a/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json b/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json index 2fab81d8bf..ae6bd13e68 100644 --- a/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json +++ b/mobile-attack/malware/malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe.json @@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--c41837d9-12b8-49b3-8d2f-047201eed54e", + "id": "bundle--6227a4c1-e8b4-4c81-9c15-6903a7dd2257", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-13T22:33:34.237Z", + "modified": "2024-11-17T18:11:27.761Z", "name": "Drinik", "description": "[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)", "x_mitre_platforms": [ 
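Review bot: The Charger `description` re-added on the new side of the `@@ -44,6 +26,24 @@` hunk still contains a doubled word, `is Android malware that steals steals contacts and SMS messages`. The object is being re-serialised and its `modified` timestamp bumped in this commit, so this is a good place to correct it to `is Android malware that steals contacts and SMS messages from the user's device`. The text is carried over unchanged from the removed lines, so the typo predates this commit.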
@@ -31,8 +31,8 @@ }, { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ @@ -41,7 +41,7 @@ "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json b/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json index 746b91869d..8830569c50 100644 --- a/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json +++ b/mobile-attack/malware/malware--d89c132d-7752-4c7f-9372-954a71522985.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--098debc3-e62a-408f-adea-a9103254c0f4", + "id": "bundle--a1cca1a3-f07b-425b-b392-9a4f065b7fa3", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Trojan-SMS.AndroidOS.OpFake.a", - "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--d89c132d-7752-4c7f-9372-954a71522985", "created": "2017-10-25T14:48:46.734Z", @@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:14.410Z", + "name": "Trojan-SMS.AndroidOS.OpFake.a", + "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json b/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json index 94ae42140d..7f7fa30e27 100644 --- a/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json +++ b/mobile-attack/malware/malware--d9e07aea-baad-4b68-bdca-90c77647d7f9.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--df542b82-78c2-413f-971c-18c159103122", + "id": "bundle--19ee029e-54ad-4d7d-bc56-aab74793345a", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "XcodeGhost", - "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "created": "2017-10-25T14:48:42.661Z", @@ -43,7 +31,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:14.566Z", + "name": "XcodeGhost", + "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json b/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json index 243d9d2ab3..dc13175362 100644 --- a/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json +++ b/mobile-attack/malware/malware--ddbe5657-e21e-4a89-8221-2f1362d397ec.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--6c39af54-6a80-4551-a358-0d928181cb81", + "id": "bundle--1a2a5f5f-9180-4f73-93d0-ebd7043ecb97", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", + "created": "2020-12-24T21:41:36.719Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0549", + "external_id": "S0549" + }, + { + "source_name": "Lookout Uyghur Campaign", + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:14.758Z", + "name": "SilkBean", + "description": "[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "SilkBean" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", - "type": "malware", - "created": "2020-12-24T21:41:36.719Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0549", - "source_name": 
"mitre-attack", - "url": "https://attack.mitre.org/software/S0549" - }, - { - "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." - } - ], - "modified": "2021-04-19T14:29:45.809Z", - "name": "SilkBean", - "description": "[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json b/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json index 3f6f698b1a..6bc52388c0 100644 --- a/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json +++ b/mobile-attack/malware/malware--dfdac962-9461-47f0-a212-36dfce2a97e6.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--86624dd2-04e6-4e61-8740-26d2dcaa4fa0", + "id": "bundle--6f60e4b3-4951-40e2-8cb0-5ce00242dda2", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", + "created": "2020-07-20T13:27:33.113Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0489", + "external_id": "S0489" + }, + { + "source_name": "Talos-WolfRAT", + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:14.905Z", + "name": "WolfRAT", + "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. 
[WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "WolfRAT" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", - "type": "malware", - "created": "2020-07-20T13:27:33.113Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0489", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0489" - }, - { - "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." - } - ], - "modified": "2020-09-11T15:58:40.564Z", - "name": "WolfRAT", - "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json b/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json index cb6e14dbe3..ec27fdacd5 100644 --- a/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json 
+++ b/mobile-attack/malware/malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4.json @@ -1,23 +1,9 @@ { "type": "bundle", - "id": "bundle--3bb7e0a7-18e2-4c85-9ea4-8e33977f464b", + "id": "bundle--e736a6dc-afce-4584-a061-35a9537765f3", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-28T17:20:20.194Z", - "name": "BusyGasper", - "description": "[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.(Citation: SecureList BusyGasper)", - "x_mitre_platforms": [ - "Android" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_aliases": [ - "BusyGasper" - ], "type": "malware", "id": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "created": "2021-10-01T14:42:48.234Z", @@ -38,11 +24,25 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], + "modified": "2025-04-16T21:22:15.058Z", + "name": "BusyGasper", + "description": "[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.(Citation: SecureList BusyGasper)", "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_aliases": [ + "BusyGasper" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json b/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json index 6b970f114e..63ae2ca9db 100644 --- a/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json +++ b/mobile-attack/malware/malware--e13d084c-382f-40fd-aa9a-98d69e20301e.json 
@@ -1,47 +1,47 @@ { "type": "bundle", - "id": "bundle--7d9bf7fc-4f56-4941-92ec-4dde2893cb07", + "id": "bundle--20f40136-be32-49d0-a42c-00bcd40054d2", "spec_version": "2.0", "objects": [ { - "labels": [ - "malware" - ], - "x_mitre_domains": [ - "mobile-attack" + "type": "malware", + "id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", + "created": "2017-10-25T14:48:47.674Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0293", + "external_id": "S0293" + }, + { + "source_name": "CheckPoint-BrainTest", + "description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest \u2013 A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016.", + "url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/" + }, + { + "source_name": "Lookout-BrainTest", + "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", + "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "malware", - "id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", - "created": "2017-10-25T14:48:47.674Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "S0293", - "url": "https://attack.mitre.org/software/S0293" - }, - { - "source_name": "CheckPoint-BrainTest", - "url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/", - "description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest \u2013 A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016." 
- }, - { - "source_name": "Lookout-BrainTest", - "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/", - "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016." - } - ], - "x_mitre_deprecated": false, - "revoked": false, - "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", - "modified": "2022-04-15T15:36:43.770Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-16T21:22:15.215Z", "name": "BrainTest", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json b/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json index 7249c78d81..448fcce620 100644 --- a/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json +++ b/mobile-attack/malware/malware--e296b110-46d3-4f7a-894c-cc71ea50168c.json 
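Review bot: The re-serialized BrainTest object carries no `x_mitre_platforms` and no `x_mitre_aliases` in the lines this hunk shows, although its `description` calls it "a family of Android malware". The sibling objects rewritten in this commit (TERRACOTTA, Triada, Golden Cup) all list `"x_mitre_platforms": ["Android"]`. Tooling that selects software by platform for coverage mapping or detection prioritisation would skip this entry; if the omission is not intentional upstream, add `"x_mitre_platforms": ["Android"],` next to `x_mitre_domains`. The `Lookout-BrainTest` citation also still contains the scraped duplicate "Read more: Brain Test re-emerges: 13 apps found in Google Play", which could be trimmed to a single title while the object is being touched.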
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--6bb3078c-e213-4e2d-9c01-11b5327e46cb", + "id": "bundle--4b1bb760-41dc-4396-931b-62db2422497a", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", + "created": "2020-12-18T20:14:46.858Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0545", + "external_id": "S0545" + }, + { + "source_name": "WhiteOps TERRACOTTA", + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:15.370Z", + "name": "TERRACOTTA", + "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "TERRACOTTA" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", - "type": "malware", - "created": "2020-12-18T20:14:46.858Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0545", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0545" - }, - { - "source_name": "WhiteOps TERRACOTTA", - "url": 
"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." - } - ], - "modified": "2020-12-28T18:59:32.817Z", - "name": "TERRACOTTA", - "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a.json b/mobile-attack/malware/malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a.json index 61446f31c6..6ada5e51e8 100644 --- a/mobile-attack/malware/malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a.json +++ b/mobile-attack/malware/malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e6a1724e-cb54-46c3-851f-6cf9929ed0e3", + "id": "bundle--a29d71ed-69f7-4b4f-a120-5522d6aa2b03", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/malware/malware--f082d7dd-20a9-4157-93c0-75e7aea09e42.json b/mobile-attack/malware/malware--f082d7dd-20a9-4157-93c0-75e7aea09e42.json new file mode 100644 index 0000000000..0d318d0b08 --- /dev/null +++ b/mobile-attack/malware/malware--f082d7dd-20a9-4157-93c0-75e7aea09e42.json 
@@ -0,0 +1,48 @@ +{ + "type": "bundle", + "id": "bundle--b0daec4e-0129-4ffb-8754-ca947a12675e", + "spec_version": "2.0", + "objects": [ + { + "modified": "2025-03-27T14:28:40.768Z", + "name": "Android/SpyAgent", + "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.(Citation: McAfee MoqHao 2019) Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. Both fake applications have common C2 commands and share the same crash report key on a cloud service.(Citation: McAfee MoqHao 2019)", + "x_mitre_platforms": [ + "Android" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_aliases": [ + "Android/SpyAgent" + ], + "type": "malware", + "id": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", + "created": "2025-03-24T14:50:29.875Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S1214", + "external_id": "S1214" + }, + { + "source_name": "McAfee MoqHao 2019", + "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "labels": [ + "malware" + ], + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + } + ] +} \ No newline at end of file 
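Review bot: The new Android/SpyAgent object is written with `modified`, `name` and `description` first, while the objects re-serialized elsewhere in this commit (for example TERRACOTTA and Triada) lead with `type`, `id`, `created`. The FluBot hunks further down keep the same older order, so two key orders now coexist under `x_mitre_attack_spec_version` 3.2.0. Key order carries no meaning in STIX JSON, but a single canonical order from the exporter would presumably keep later diffs limited to real content changes. That matters when someone has to audit what a threat-intelligence update actually altered.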
diff --git a/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json b/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json index d2f5a25d2a..8d79319a22 100644 --- a/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json +++ b/mobile-attack/malware/malware--f082fc59-0317-49cf-971f-a1b6296ebb52.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--9ae466b1-5f9f-437a-800d-395c9eb72c91", + "id": "bundle--7fd13af8-56bb-4aaa-a7dc-036be0d48472", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", + "created": "2019-07-16T14:33:12.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0424", + "external_id": "S0424" + }, + { + "source_name": "Kaspersky Triada March 2016", + "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", + "url": "https://www.kaspersky.com/blog/triada-trojan/11481/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:15.523Z", + "name": "Triada", + "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Triada" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", - "type": "malware", - "created": "2019-07-16T14:33:12.034Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0424", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0424" - }, - { - "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. 
Retrieved July 16, 2019.", - "url": "https://www.kaspersky.com/blog/triada-trojan/11481/", - "source_name": "Kaspersky Triada March 2016" - } - ], - "modified": "2020-05-28T16:52:37.979Z", - "name": "Triada", - "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json b/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json index 5376eecf0a..ba561f4437 100644 --- a/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json +++ b/mobile-attack/malware/malware--f3975cc0-72bc-4308-836e-ac701b83860e.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--50f52ee5-6e8c-4a6b-9502-a7f163f0d177", + "id": "bundle--c4413521-1f6a-4211-88e4-de229774cd85", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", + "created": "2020-11-20T15:44:57.339Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0535", + "external_id": "S0535" + }, + { + "source_name": "Symantec GoldenCup", + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:15.703Z", + "name": "Golden Cup", + "description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Golden Cup" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", - "type": "malware", - "created": "2020-11-20T15:44:57.339Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0535", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0535" - }, - { - "source_name": "Symantec GoldenCup", - "url": 
"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." - } - ], - "modified": "2020-12-22T21:48:10.951Z", - "name": "Golden Cup", - "description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json b/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json index a4cb3d0e52..1ee851ed42 100644 --- a/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json +++ b/mobile-attack/malware/malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc.json 
@@ -1,12 +1,12 @@ { "type": "bundle", - "id": "bundle--8b4678e8-405f-4d08-8b00-59c3c5dad1e6", + "id": "bundle--2674fe2c-c690-4a61-91de-8ce9c367cb65", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-31T23:02:48.577Z", + "modified": "2025-03-27T22:35:44.281Z", "name": "FluBot", - "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", + "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524) An international law enforcement operation of 11 countries eventually disrupted the spread of [FluBot](https://attack.mitre.org/software/S1067).(Citation: Europol FluBot Jun2022)", "x_mitre_platforms": [ "Android" ], @@ -14,7 +14,7 @@ "x_mitre_domains": [ "mobile-attack" ], - "x_mitre_version": "1.0", + "x_mitre_version": "1.1", "x_mitre_aliases": [ "FluBot" ], 
@@ -34,6 +34,11 @@ "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" }, + { + "source_name": "Europol FluBot Jun2022", + "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.", + "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" + }, { "source_name": "bitdefender_flubot_0524", "description": "Filip TRU\u021a\u0102, R\u0103zvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. Retrieved February 28, 2023.", @@ -46,7 +51,7 @@ "labels": [ "malware" ], - "x_mitre_attack_spec_version": "3.1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" } ] diff --git a/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json b/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json index f1d695b88f..43d47b82db 100644 --- a/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json +++ b/mobile-attack/malware/malware--f666e17c-b290-43b3-8947-b96bd5148fbb.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--29ec8877-df39-46a4-8189-053f3175e1c2", + "id": "bundle--54cb7adf-ee7d-43f6-b3e1-b196154f0fba", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", + "created": "2020-09-11T16:22:02.954Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0506", + "external_id": "S0506" + }, + { + "source_name": "Lookout ViperRAT", + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:15.850Z", + "name": "ViperRAT", + "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "ViperRAT" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", - "type": "malware", - "created": "2020-09-11T16:22:02.954Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0506", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0506" - }, - { - "source_name": "Lookout ViperRAT", - "url": 
"https://blog.lookout.com/viperrat-mobile-apt", - "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." - } - ], - "modified": "2020-09-29T20:03:42.662Z", - "name": "ViperRAT", - "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json b/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json index 7986bfbab4..9150ddd96f 100644 --- a/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json +++ b/mobile-attack/malware/malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf.json 
@@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--c3be8714-7287-440c-a5d0-74daa2d237ba", + "id": "bundle--5424e077-4cf5-474f-80fb-21723ea15467", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Adups", - "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", - "labels": [ - "malware" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "malware", "id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "created": "2017-10-25T14:48:47.038Z", @@ -43,7 +31,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:15.993Z", + "name": "Adups", + "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", + "labels": [ + "malware" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json b/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json index 7802d603e2..fb2826d0c0 100644 
--- a/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json +++ b/mobile-attack/malware/malware--f79c01eb-2954-40d8-a819-00b342f47ce7.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--406f8a40-6151-4429-8cc7-71f9d51e314b", + "id": "bundle--5545e519-e94d-48a0-92d9-8714d5de67d1", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", + "created": "2019-11-21T19:16:34.526Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0419", + "external_id": "S0419" + }, + { + "source_name": "CheckPoint SimBad 2019", + "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", + "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:16.143Z", + "name": "SimBad", + "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. 
The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "SimBad" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", - "type": "malware", - "created": "2019-11-21T19:16:34.526Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0419", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0419" - }, - { - "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", - "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", - "source_name": "CheckPoint SimBad 2019" - } - ], - "modified": "2020-01-27T17:01:31.634Z", - "name": "SimBad", - "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json b/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json index f2c8a87c12..52ed8d0a56 100644 
--- a/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json +++ b/mobile-attack/malware/malware--f7e7b736-2cff-4c2a-9232-352cd383463a.json 
@@ -1,46 +1,46 @@ { "type": "bundle", - "id": "bundle--8af99481-0e77-4dd5-ace7-4b1f8102b19d", + "id": "bundle--e88643c5-7054-441f-8205-0673aa6c82bf", "spec_version": "2.0", "objects": [ { + "type": "malware", + "id": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", + "created": "2020-10-29T19:19:08.848Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0525", + "external_id": "S0525" + }, + { + "source_name": "WeLiveSecurity AdDisplayAshas", + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:16.304Z", + "name": "Android/AdDisplay.Ashas", + "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. 
(Citation: WeLiveSecurity AdDisplayAshas)", "labels": [ "malware" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": [ "Android/AdDisplay.Ashas" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", - "type": "malware", - "created": "2020-10-29T19:19:08.848Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0525", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0525" - }, - { - "source_name": "WeLiveSecurity AdDisplayAshas", - "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", - "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." - } - ], - "modified": "2020-10-29T19:19:08.848Z", - "name": "Android/AdDisplay.Ashas", - "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/malware/malware--f97e2718-af50-41df-811f-215ebab45691.json b/mobile-attack/malware/malware--f97e2718-af50-41df-811f-215ebab45691.json index 9d56d2f366..d010f84556 100644 --- a/mobile-attack/malware/malware--f97e2718-af50-41df-811f-215ebab45691.json +++ b/mobile-attack/malware/malware--f97e2718-af50-41df-811f-215ebab45691.json 
@@ -1,10 +1,10 @@ { "type": "bundle", - "id": "bundle--32355f5d-5d3c-403e-b6d5-b43845698513", + "id": "bundle--daeef472-61cf-4d37-8357-b4f6cd6d2f12", "spec_version": "2.0", "objects": [ { - "modified": "2024-04-17T14:17:42.833Z", + "modified": "2024-11-17T20:01:55.807Z", "name": "Phenakite", "description": "[Phenakite](https://attack.mitre.org/software/S1126) is a mobile malware that is used by [APT-C-23](https://attack.mitre.org/groups/G1028) to target iOS devices. According to several reports, [Phenakite](https://attack.mitre.org/software/S1126) was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)", "x_mitre_platforms": [ @@ -34,8 +34,8 @@ }, { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" }, { "source_name": "sentinelone_israel_hamas_war", diff --git a/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json b/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json index f2f85c27b2..b74a40d703 100644 --- a/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json +++ b/mobile-attack/malware/malware--f9854ba6-989d-43bf-828b-7240b8a65291.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4aee39e9-2689-4b65-aa0b-e5719e2af737", + "id": "bundle--a5c852ee-2da8-4cf1-9220-9c764a2ffc25", "spec_version": "2.0", "objects": [ { 
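Review bot: The updated `fb_arid_viper` reference URL in the `@@ -34,8 +34,8 @@` hunk of the Phenakite file has lost a slash: the embedded target is now `https:/about.fb.com/...` where the previous value had `https://about.fb.com/...`. The archive service may tolerate this form, but a strict URL parser or a link checker run over `external_references` will see a different, malformed target. The change looks like an artefact of path normalisation rather than an intended edit. Restore `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"` and keep only the updated retrieval date.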
diff --git a/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json b/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json index 6792dbbb87..292c69a7fa 100644 --- a/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json +++ b/mobile-attack/malware/malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6.json @@ -1,24 +1,9 @@ { "type": "bundle", - "id": "bundle--fa47fa58-72f8-4684-98af-19ecce0967fb", + "id": "bundle--8e5e9b1e-357d-4db6-8109-81a7214682d1", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-29T21:11:14.364Z", - "name": "TianySpy", - "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ", - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_aliases": [ - "TianySpy" - ], "type": "malware", "id": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "created": "2023-01-19T18:05:30.924Z", 
@@ -39,11 +24,26 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
+ "modified": "2025-04-16T21:22:16.464Z",
+ "name": "TianySpy",
+ "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. [TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ",
 "labels": [
 "malware"
 ],
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_platforms": [
+ "Android",
+ "iOS"
+ ],
+ "x_mitre_deprecated": false,
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
+ "x_mitre_aliases": [
+ "TianySpy"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/malware/malware--feae299d-e34f-4fc9-8545-486d0905bd41.json b/mobile-attack/malware/malware--feae299d-e34f-4fc9-8545-486d0905bd41.json
index 2156dc4a4c..68eccdd724 100644
--- a/mobile-attack/malware/malware--feae299d-e34f-4fc9-8545-486d0905bd41.json
+++ b/mobile-attack/malware/malware--feae299d-e34f-4fc9-8545-486d0905bd41.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cfd86f9d-7e2e-435c-b89e-dfd7cbf82209",
+ "id": "bundle--0992bde1-1c7e-4658-8704-5268ed059688",
 "spec_version": "2.0",
 "objects": [
 {
diff --git a/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json b/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json
index 41085e20ae..f7f041a0a5 100644
--- a/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json
+++ b/mobile-attack/malware/malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca.json
@@ -1,21 +1,9 @@
 {
 "type": "bundle",
- "id": "bundle--17b22bd7-0645-4166-a145-024bfac8753a",
+ "id": "bundle--273d58f7-2589-46b6-8612-419795353171",
 "spec_version": "2.0",
 "objects": [
 {
- "modified": "2022-10-24T15:09:07.609Z",
- "name": "DressCode",
- "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)",
- "labels": [
- "malware"
- ],
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_domains": [
- "mobile-attack"
- ],
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
 "type": "malware",
 "id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca",
 "created": "2017-10-25T14:48:37.856Z",
@@ -38,7 +26,19 @@
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ]
+ ],
+ "modified": "2025-04-16T21:22:16.646Z",
+ "name": "DressCode",
+ "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)",
+ "labels": [
+ "malware"
+ ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_domains": [
+ "mobile-attack"
+ ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json b/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json
index 32ac4eee7a..bf8467eee5 100644
--- a/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json
+++ b/mobile-attack/malware/malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617.json
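Review bot: The block added in the `@@ -38,7 +26,19 @@` hunk describes DressCode as "an Android malware family" but carries no `x_mitre_platforms`, unlike the TianySpy and Gustuff objects elsewhere in this commit. Platform-filtered views of the bundle (coverage maps, per-OS detection backlogs) would then omit this software. If the field is not present in the lines of the object that fall outside the two hunks, consider adding `"x_mitre_platforms": ["Android"]` after `x_mitre_modified_by_ref`, or recording that the omission comes from the upstream release.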
@@ -1,46 +1,46 @@
 {
 "type": "bundle",
- "id": "bundle--74f62ec6-fafc-40fe-8a20-29ea1160d4ba",
+ "id": "bundle--ec94b09c-fd1d-45c3-ad4c-65517509bea0",
 "spec_version": "2.0",
 "objects": [
 {
+ "type": "malware",
+ "id": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617",
+ "created": "2019-09-03T20:08:00.241Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "external_references": [
+ {
+ "source_name": "mitre-attack",
+ "url": "https://attack.mitre.org/software/S0406",
+ "external_id": "S0406"
+ },
+ {
+ "source_name": "Talos Gustuff Apr 2019",
+ "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.",
+ "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:22:16.804Z",
+ "name": "Gustuff",
+ "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)",
 "labels": [
 "malware"
 ],
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_platforms": [
 "Android"
 ],
 "x_mitre_domains": [
 "mobile-attack"
 ],
+ "x_mitre_version": "1.0",
+ "x_mitre_attack_spec_version": "3.2.0",
 "x_mitre_aliases": [
 "Gustuff"
- ],
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617",
- "type": "malware",
- "created": "2019-09-03T20:08:00.241Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "external_references": [
- {
- "external_id": "S0406",
- "source_name": "mitre-attack",
- "url": "https://attack.mitre.org/software/S0406"
- },
- {
- "source_name": "Talos Gustuff Apr 2019",
- "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html",
- "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019."
- }
- ],
- "modified": "2019-10-14T19:14:17.007Z",
- "name": "Gustuff",
- "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)",
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ ]
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json b/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json
index 0cccbd9bc6..1fb192d840 100644
--- a/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json
+++ b/mobile-attack/marking-definition/marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168.json
@@ -1,18 +1,17 @@
 {
 "type": "bundle",
- "id": "bundle--6e68e23c-0dfe-41b1-b8bd-f31f86d04c8b",
+ "id": "bundle--1124de7d-13b8-4ebf-92c1-de39cd186b7a",
 "spec_version": "2.0",
 "objects": [
 {
 "definition": {
- "statement": "Copyright 2015-2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation."
+ "statement": "Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation."
 },
 "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168",
 "type": "marking-definition",
 "created": "2017-06-01T00:00:00.000Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "definition_type": "statement",
- "x_mitre_attack_spec_version": "2.1.0"
+ "definition_type": "statement"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/mobile-attack.json b/mobile-attack/mobile-attack.json
index 9c55a512b3..88b0c67202 100644
--- a/mobile-attack/mobile-attack.json
+++ b/mobile-attack/mobile-attack.json 
@@ -1 +1 @@ -{"type":"bundle","id":"bundle--bbbf4e83-168e-450e-b783-f946f2143a7d","objects":[{"tactic_refs":["x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210","x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"x-mitre-matrix","id":"x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"mobile-attack","url":"https://attack.mitre.org/matrices/mobile-attack"}],"x_mitre_deprecated":true,"revoked":false,"description":"Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. The Matrices contains information for the following platforms: Android, iOS.","modified":"2022-04-06T15:44:04.736Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Network-Based 
Effects","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"tactic_refs":["x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6","x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756","x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54","x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8","x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df","x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10","x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1","x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f","x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba","x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3","x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981","x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"x-mitre-matrix","id":"x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"mobile-attack","url":"https://attack.mitre.org/matrices/mobile-attack"}],"x_mitre_deprecated":false,"revoked":false,"description":"Below are the tactics and technique representing the MITRE ATT&CK Matrix for Mobile. 
The Matrix contains information for the following platforms: Android, iOS.","modified":"2022-04-06T15:43:22.080Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Mobile ATT&CK","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","type":"course-of-action","created":"2017-10-25T14:48:51.657Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1006","external_id":"M1006"}],"modified":"2018-10-17T00:14:20.652Z","name":"Use Recent OS Version","description":"New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"course-of-action","id":"course-of-action--1553b156-6767-47f7-9eb4-2a692505666d","created":"2019-10-18T12:49:58.924Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"M1005","url":"https://attack.mitre.org/mitigations/M1005"}],"x_mitre_deprecated":true,"revoked":false,"description":"Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. 
Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.","modified":"2022-04-06T14:47:46.019Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Application Vetting","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-27T20:18:19.004Z","name":"Application Developer Guidance","description":"This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage 
of.","x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_version":"1.1","type":"course-of-action","id":"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1","created":"2017-10-25T14:48:53.732Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1013","external_id":"M1013"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","type":"course-of-action","created":"2017-10-25T14:48:53.318Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1012","external_id":"M1012"}],"modified":"2020-06-24T15:08:18.395Z","name":"Enterprise Policy","description":"An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","type":"course-of-action","created":"2019-10-18T12:53:03.508Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","external_id":"M1011","url":"https://attack.mitre.org/mitigations/M1011"}],"modified":"2019-10-18T15:51:48.318Z","name":"User Guidance","description":"Describes any guidance or 
training given to users to set particular configuration settings or avoid specific potentially risky behaviors.","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-02-20T22:02:55.968Z","name":"Do Not Mitigate","description":"This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--76a32151-5233-465f-a607-7e576c62c932","created":"2024-02-20T22:02:55.968Z","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1059","external_id":"M1059"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-21T19:36:08.280Z","name":"Antivirus/Antimalware","description":"Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain 
behaviors.","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--78671282-26aa-486c-a7a5-5921e1616b58","created":"2023-09-21T19:36:08.280Z","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1058","external_id":"M1058"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321","type":"course-of-action","created":"2017-10-25T14:48:52.270Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1004","external_id":"M1004"}],"modified":"2018-10-17T00:14:20.652Z","name":"System Partition Integrity","description":"Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8","type":"course-of-action","created":"2017-10-25T14:48:50.769Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1009","external_id":"M1009"},{"source_name":"TechCrunch-ATS","description":"Kate Conger. (2016, June 14). 
Apple will require HTTPS connections for iOS apps by the end of 2016. Retrieved December 19, 2016.","url":"https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/"},{"source_name":"Android-NetworkSecurityConfig","description":"Google. (n.d.). Network Security Configuration. Retrieved December 19, 2016.","url":"https://developer.android.com/training/articles/security-config.html"}],"modified":"2018-10-17T00:14:20.652Z","name":"Encrypt Network Traffic","description":"Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. 
using the IPsec protocol, can help mitigate some types of network attacks as well.","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58","type":"course-of-action","created":"2017-10-25T14:48:49.554Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1003","external_id":"M1003"}],"modified":"2018-10-17T00:14:20.652Z","name":"Lock Bootloader","description":"On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","type":"course-of-action","created":"2019-10-18T12:51:36.488Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","external_id":"M1001","url":"https://attack.mitre.org/mitigations/M1001"}],"modified":"2019-10-18T14:56:15.631Z","name":"Security Updates","description":"Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n\nOn Android devices, access can be controlled based on each device's security patch 
level. On iOS devices, access can be controlled based on the iOS version.","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","type":"course-of-action","created":"2017-10-25T14:48:52.601Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1010","external_id":"M1010"}],"modified":"2018-10-17T00:14:20.652Z","name":"Deploy Compromised Device Detection Method","description":"A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. 
Some methods may be trivial to evade while others may be more sophisticated.","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-15T15:06:03.428Z","name":"Interconnection Filtering","description":"In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"course-of-action","id":"course-of-action--e829ee51-1caf-4665-ba15-7f8979634124","created":"2017-10-25T14:48:50.181Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/mitigations/M1014","external_id":"M1014"},{"source_name":"CSRIC5-WG10-FinalReport","description":"Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. 
Retrieved May 24, 2017.","url":"https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"course-of-action","id":"course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9","created":"2017-10-25T14:48:51.365Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"M1007","url":"https://attack.mitre.org/mitigations/M1007"}],"x_mitre_deprecated":true,"revoked":false,"description":"Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. 
Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.","modified":"2022-04-06T14:47:19.714Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Caution with Device Administrator Access","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","type":"course-of-action","created":"2019-10-18T12:50:35.335Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","external_id":"M1002","url":"https://attack.mitre.org/mitigations/M1002"}],"modified":"2019-10-18T14:52:53.019Z","name":"Attestation","description":"Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["CarbonSteal"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","type":"malware","created":"2020-11-10T16:50:38.917Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0529","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0529"},{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2021-09-20T13:54:19.819Z","name":"CarbonSteal","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)","x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Aviran Hazum, Check Point","Sergey Persikov, Check Point"],"x_mitre_aliases":["Cerberus"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","type":"malware","created":"2020-06-26T15:32:24.569Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0480","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0480"},{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020."}],"modified":"2020-09-11T15:43:49.079Z","name":"Cerberus","description":"[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. 
Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)","x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["DroidJack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"malware","id":"malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1","created":"2017-10-25T14:48:40.571Z","x_mitre_version":"1.2","external_references":[{"source_name":"mitre-attack","external_id":"S0320","url":"https://attack.mitre.org/software/S0320"},{"source_name":"DroidJack","description":"(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)"},{"source_name":"Proofpoint-Droidjack","url":"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app","description":"Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017."},{"source_name":"Zscaler-SuperMarioRun","url":"https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat","description":"Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017."}],"x_mitre_deprecated":false,"revoked":false,"description":"[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. 
(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)","modified":"2022-05-20T17:13:16.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"DroidJack","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Rotexy"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","type":"malware","created":"2019-09-23T13:36:07.816Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0411","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0411"},{"source_name":"securelist rotexy 2018","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019."}],"modified":"2020-09-11T15:53:38.216Z","name":"Rotexy","description":"[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)","x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Stealth Mango","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. 
The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.3","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["Stealth Mango"],"type":"malware","id":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0328","external_id":"S0328"},{"source_name":"Stealth Mango","description":"(Citation: Lookout-StealthMango)"},{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"Allwinner","description":"[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. 
(Citation: HackerNews-Allwinner)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--08784a9d-09e9-4dce-a839-9612398214e8","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0319","external_id":"S0319"},{"source_name":"Allwinner","description":"(Citation: HackerNews-Allwinner)"},{"source_name":"HackerNews-Allwinner","description":"Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.","url":"https://thehackernews.com/2016/05/android-kernal-exploit.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["GoldenEagle"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","type":"malware","created":"2020-12-24T22:04:27.667Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0551","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0551"},{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2021-03-25T16:20:28.165Z","name":"GoldenEagle","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-03-19T18:32:01.207Z","name":"FlixOnline","description":"[FlixOnline](https://attack.mitre.org/software/S1103) is an Android malware, first detected in early 2021, believed to target users of WhatsApp. [FlixOnline](https://attack.mitre.org/software/S1103) primarily spreads via automatic replies to a device’s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421) ","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["FlixOnline"],"type":"malware","id":"malware--0ec9593f-3221-49b1-b597-37f307c19f13","created":"2024-01-26T17:30:31.022Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1103","external_id":"S1103"},{"source_name":"checkpoint_flixonline_0421","description":"Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.","url":"https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-21T18:53:30.817Z","name":"Bread","description":"[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_contributors":["Sergey Persikov, Check Point","Jonathan Shimonovich, Check Point","Aviran Hazum, Check Point"],"x_mitre_aliases":["Bread","Joker"],"type":"malware","id":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","created":"2020-05-04T14:04:55.823Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0432","external_id":"S0432"},{"source_name":"Joker","description":"(Citation: Google Bread)"},{"source_name":"Google Bread","description":"A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-07T21:29:43.845Z","name":"Hornbill","description":"[Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["Hornbill"],"type":"malware","id":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","created":"2023-06-09T19:07:18.101Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1077","external_id":"S1077"},{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Judy","description":"[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--172444ab-97fc-4d94-b142-179452bfb760","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0325","external_id":"S0325"},{"source_name":"Judy","description":"(Citation: CheckPoint-Judy)"},{"source_name":"CheckPoint-Judy","description":"CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.","url":"https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"OldBoot","description":"[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. 
(Citation: HackerNews-OldBoot)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--2074b2ad-612e-4758-adce-7901c1b49bbc","created":"2017-10-25T14:48:45.155Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0285","external_id":"S0285"},{"source_name":"OldBoot","description":"(Citation: HackerNews-OldBoot)"},{"source_name":"HackerNews-OldBoot","description":"Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.","url":"http://thehackernews.com/2014/01/first-widely-distributed-android.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"Gooligan","description":"[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. 
(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["Gooligan","Ghost Push"],"type":"malware","id":"malware--20d56cd6-8dff-4871-9889-d32d254816de","created":"2017-10-25T14:48:43.242Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0290","external_id":"S0290"},{"source_name":"Gooligan","description":"(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)"},{"source_name":"Ghost Push","description":"Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)"},{"source_name":"Gooligan Citation","description":"Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.","url":"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"},{"source_name":"Ludwig-GhostPush","description":"Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.","url":"https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"},{"source_name":"Lookout-Gooligan","description":"Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. Retrieved December 12, 2016.","url":"https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"SpyNote RAT","description":"[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. 
The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["SpyNote RAT"],"type":"malware","id":"malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23","created":"2017-10-25T14:48:45.794Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0305","external_id":"S0305"},{"source_name":"SpyNote RAT","description":"(Citation: Zscaler-SpyNote)"},{"source_name":"Zscaler-SpyNote","description":"Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.","url":"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Ohad Mana, Check Point","Aviran Hazum, Check Point","Sergey Persikov, Check Point"],"x_mitre_aliases":["TrickMo"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--21170624-89db-4e99-bf27-58d26be07c3a","type":"malware","created":"2020-04-24T17:46:31.111Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0427","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0427"},{"source_name":"SecurityIntelligence TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020."}],"modified":"2020-09-11T15:57:37.561Z","name":"TrickMo","description":"[TrickMo](https://attack.mitre.org/software/S0427) a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). [TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ","x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["iOS"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["INSOMNIA"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","type":"malware","created":"2020-06-02T14:32:31.461Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0463","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0463"},{"source_name":"Volexity Insomnia","url":"https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/","description":"A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020."}],"modified":"2020-06-24T18:24:35.433Z","name":"INSOMNIA","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Dvmap"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--22b596a6-d288-4409-8520-5f2846f85514","type":"malware","created":"2019-12-10T16:07:40.664Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0420","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0420"},{"description":"R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.","url":"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/","source_name":"SecureList DVMap June 2017"}],"modified":"2020-01-22T22:17:23.015Z","name":"Dvmap","description":"[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. 
It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Zen"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--22faaa56-a8ac-4292-9be6-b571b255ee40","type":"malware","created":"2020-07-27T14:14:56.729Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0494","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0494"},{"source_name":"Google Security Zen","url":"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html","description":"Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020."}],"modified":"2020-08-11T14:23:15.002Z","name":"Zen","description":"[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"NotCompatible","description":"[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. 
(Citation: Lookout-NotCompatible)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe","created":"2017-10-25T14:48:36.707Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0299","external_id":"S0299"},{"source_name":"NotCompatible","description":"(Citation: Lookout-NotCompatible)"},{"source_name":"Lookout-NotCompatible","description":"Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/11/19/notcompatible/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2024-04-16T15:46:27.358Z","name":"AhRat","description":"[AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. 
[AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, “iRecorder – Screen Recorder”, which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Edward Stevens","BT Security"],"x_mitre_aliases":["AhRat"],"type":"malware","id":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","created":"2023-12-18T19:00:02.259Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1095","external_id":"S1095"},{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"XLoader for Android","description":"[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. 
It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"2.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["XLoader for Android"],"type":"malware","id":"malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0318","external_id":"S0318"},{"source_name":"XLoader for Android","description":"(Citation: TrendMicro-XLoader)"},{"source_name":"TrendMicro-XLoader-FakeSpy","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"},{"source_name":"TrendMicro-XLoader","description":"Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"Trojan-SMS.AndroidOS.FakeInst.a","description":"[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. 
(Citation: Kaspersky-MobileMalware)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--28e39395-91e7-4f02-b694-5e079c964da9","created":"2017-10-25T14:48:46.107Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0306","external_id":"S0306"},{"source_name":"Trojan-SMS.AndroidOS.FakeInst.a","description":"(Citation: Kaspersky-MobileMalware)"},{"source_name":"Kaspersky-MobileMalware","description":"Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.","url":"https://securelist.com/mobile-malware-evolution-2013/58335/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["iOS"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["XLoader for iOS"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--29944858-da52-4d3d-b428-f8a6eb8dde6f","type":"malware","created":"2020-07-20T13:58:53.422Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0490","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0490"},{"source_name":"TrendMicro-XLoader-FakeSpy","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020."}],"modified":"2021-12-07T14:46:08.852Z","name":"XLoader for iOS","description":"[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).","x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-13T22:33:55.061Z","name":"AbstractEmu","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["AbstractEmu"],"type":"malware","id":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","created":"2023-02-06T18:48:41.442Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1061","external_id":"S1061"},{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-26T13:30:33.039Z","name":"Chameleon","description":"[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android’s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Yasuhito Kawanishi, NEC Corporation","Manikantan Srinivasan, NEC Corporation India","Pooja Natarajan, NEC Corporation India"],"x_mitre_aliases":["Chameleon"],"type":"malware","id":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","created":"2023-08-16T16:30:44.598Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1083","external_id":"S1083"},{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Exodus","Exodus One","Exodus Two"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","type":"malware","created":"2019-09-03T19:45:47.826Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0405","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0405"},{"source_name":"Exodus One","description":"(Citation: SWB Exodus March 2019)"},{"source_name":"Exodus Two","description":"(Citation: SWB Exodus March 2019)"},{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019."}],"modified":"2019-10-14T17:15:52.191Z","name":"Exodus","description":"[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Dendroid","description":"[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. 
The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"2.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["Dendroid"],"type":"malware","id":"malware--317a2c10-d489-431e-b6b2-f0251fddc88e","created":"2017-10-25T14:48:37.438Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0301","external_id":"S0301"},{"source_name":"Dendroid","description":"(Citation: Lookout-Dendroid)"},{"source_name":"Lookout-Dendroid","description":"Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/03/06/dendroid/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"WireLurker","description":"[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb","created":"2017-10-25T14:48:37.020Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0312","external_id":"S0312"},{"source_name":"WireLurker","description":"Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. 
Retrieved July 10, 2017.","url":"https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"},{"source_name":"PaloAlto-WireLurker","description":"Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.","url":"https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Desert Scorpion"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--3271c107-92c4-442e-9506-e76d62230ee8","type":"malware","created":"2020-09-11T14:54:16.188Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0505","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0505"},{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020."}],"modified":"2021-04-19T17:11:50.159Z","name":"Desert Scorpion","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. 
[Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion) ","x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-06T00:01:53.588Z","name":"Pegasus for iOS","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).","x_mitre_platforms":["iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_aliases":["Pegasus for iOS"],"type":"malware","id":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","created":"2017-10-25T14:48:44.238Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0289","external_id":"S0289"},{"source_name":"Pegasus for iOS","description":"(Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab)"},{"source_name":"PegasusCitizenLab","description":"Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender. Retrieved December 12, 2016.","url":"https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"},{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Tangelo","description":"[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["iOS"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["Tangelo"],"type":"malware","id":"malware--35aae10a-97c5-471a-9c67-02c231a7a31a","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0329","external_id":"S0329"},{"source_name":"Tangelo","description":"(Citation: Lookout-StealthMango)"},{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"RCSAndroid","description":"[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. 
(Citation: TrendMicro-RCSAndroid)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["RCSAndroid"],"type":"malware","id":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","created":"2017-10-25T14:48:38.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0295","external_id":"S0295"},{"source_name":"RCSAndroid","description":"(Citation: TrendMicro-RCSAndroid)"},{"source_name":"TrendMicro-RCSAndroid","description":"Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Corona Updates","Wabi Music","Concipit1248"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","type":"malware","created":"2020-04-24T15:06:32.870Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0425","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0425"},{"source_name":"Wabi Music","description":"(Citation: TrendMicro Coronavirus Updates)"},{"source_name":"Concipit1248","description":"(Citation: TrendMicro Coronavirus Updates)"},{"source_name":"TrendMicro Coronavirus 
Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020."}],"modified":"2020-09-11T15:45:38.235Z","name":"Corona Updates","description":"[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)","x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Skygofree","description":"[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["Skygofree"],"type":"malware","id":"malware--3a913bac-4fae-4d0e-bca8-cae452f1599b","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0327","external_id":"S0327"},{"source_name":"Skygofree","description":"(Citation: Kaspersky-Skygofree)"},{"source_name":"Kaspersky-Skygofree","description":"Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.","url":"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"KeyRaider","description":"[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50","created":"2017-10-25T14:48:43.815Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0288","external_id":"S0288"},{"source_name":"KeyRaider","description":"(Citation: Xiao-KeyRaider)"},{"source_name":"Xiao-KeyRaider","description":"Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.","url":"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"ZergHelper","description":"[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. 
(Citation: Xiao-ZergHelper)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0","created":"2017-10-25T14:48:44.853Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0287","external_id":"S0287"},{"source_name":"ZergHelper","description":"(Citation: Xiao-ZergHelper)"},{"source_name":"Xiao-ZergHelper","description":"Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.","url":"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["DoubleAgent"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","type":"malware","created":"2020-12-24T21:50:02.027Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0550","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0550"},{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2021-04-19T17:05:42.253Z","name":"DoubleAgent","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Twitoor","description":"[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"2.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["Twitoor"],"type":"malware","id":"malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c","created":"2017-10-25T14:48:42.313Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0302","external_id":"S0302"},{"source_name":"Twitoor","description":"(Citation: ESET-Twitoor)"},{"source_name":"ESET-Twitoor","description":"ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.","url":"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-11T14:36:39.396Z","name":"Fakecalls","description":"[Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. 
It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422) ","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Pooja Natarajan, NEC Corporation India","Hiroki Nagahama, NEC Corporation","Manikantan Srinivasan, NEC Corporation India"],"x_mitre_aliases":["Fakecalls"],"type":"malware","id":"malware--429e1526-6293-495b-8808-af7f9a66c4be","created":"2023-07-21T19:49:44.577Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1080","external_id":"S1080"},{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-13T22:32:16.509Z","name":"S.O.V.A.","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. 
[S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["S.O.V.A."],"type":"malware","id":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","created":"2023-02-06T19:34:43.026Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1062","external_id":"S1062"},{"source_name":"cleafy_sova_1122","description":"Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.","url":"https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"},{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"ANDROIDOS_ANSERVER.A","description":"[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. 
(Citation: TrendMicro-Anserver)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.3","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["ANDROIDOS_ANSERVER.A"],"type":"malware","id":"malware--4bf6ba32-4165-42c1-b911-9c36165891c8","created":"2017-10-25T14:48:47.965Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0310","external_id":"S0310"},{"source_name":"ANDROIDOS_ANSERVER.A","description":"(Citation: TrendMicro-Anserver)"},{"source_name":"TrendMicro-Anserver","description":"Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"DualToy","description":"[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878","created":"2017-10-25T14:48:41.721Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0315","external_id":"S0315"},{"source_name":"DualToy","description":"(Citation: PaloAlto-DualToy)"},{"source_name":"PaloAlto-DualToy","description":"Claud Xiao. (2016, September 13). 
DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.","url":"https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Mandrake","oxide","briar","ricinus","darkmatter"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","type":"malware","created":"2020-07-15T20:20:58.846Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0485","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0485"},{"source_name":"oxide","description":"(Citation: Bitdefender Mandrake)"},{"source_name":"briar","description":"(Citation: Bitdefender Mandrake)"},{"source_name":"ricinus","description":"(Citation: Bitdefender Mandrake)"},{"source_name":"darkmatter","description":"(Citation: Bitdefender Mandrake)"},{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020."}],"modified":"2020-09-11T15:52:12.097Z","name":"Mandrake","description":"[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. 
[Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-10T21:58:07.962Z","name":"HilalRAT","description":"[HilalRAT](https://attack.mitre.org/software/S1128) is a remote access-capable Android malware, developed and used by [UNC788](https://attack.mitre.org/groups/G1029).(Citation: Meta Adversarial Threat Report 2022) [HilalRAT](https://attack.mitre.org/software/S1128) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as activating a device's camera and microphone.(Citation: Meta Adversarial Threat Report 2022) ","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Denise Tan"],"x_mitre_aliases":["HilalRAT"],"type":"malware","id":"malware--55714f87-6178-4b89-b3e5-d3a643f647ca","created":"2024-04-02T19:01:36.303Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1128","external_id":"S1128"},{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"X-Agent for Android","description":"[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--56660521-6db4-4e5a-a927-464f22954b7c","created":"2017-10-25T14:48:42.034Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0314","external_id":"S0314"},{"source_name":"X-Agent for Android","description":"(Citation: CrowdStrike-Android)"},{"source_name":"CrowdStrike-Android","description":"CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.","url":"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Lukáš Štefanko, ESET"],"x_mitre_aliases":["DEFENSOR ID"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663","type":"malware","created":"2020-06-26T15:12:39.648Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0479","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0479"},{"source_name":"ESET DEFENSOR ID","url":"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/","description":"L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020."}],"modified":"2020-06-26T20:16:31.850Z","name":"DEFENSOR ID","description":"[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID) ","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-17T17:06:28.821Z","name":"BRATA","description":"[BRATA](https://attack.mitre.org/software/S1094) (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. 
Originating in Brazil, [BRATA](https://attack.mitre.org/software/S1094) was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of [BRATA](https://attack.mitre.org/software/S1094).(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Pooja Natarajan, NEC Corporation India"],"x_mitre_aliases":["BRATA"],"type":"malware","id":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","created":"2023-12-18T18:06:22.975Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1094","external_id":"S1094"},{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"},{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"},{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"MazarBOT","description":"[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9","created":"2017-10-25T14:48:40.875Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0303","external_id":"S0303"},{"source_name":"MazarBOT","description":"(Citation: Tripwire-MazarBOT)"},{"source_name":"Tripwire-MazarBOT","description":"Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.","url":"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Aviran Hazum, Check Point","Sergey Persikov, Check Point"],"x_mitre_aliases":["Ginp"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","type":"malware","created":"2020-04-08T15:51:24.862Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0423","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0423"},{"description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html","source_name":"ThreatFabric Ginp"}],"modified":"2020-09-11T15:50:18.707Z","name":"Ginp","description":"[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)","x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"HummingWhale","description":"[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. 
(Citation: ArsTechnica-HummingWhale)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f","created":"2017-10-25T14:48:40.259Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0321","external_id":"S0321"},{"source_name":"HummingWhale","description":"(Citation: ArsTechnica-HummingWhale)"},{"source_name":"ArsTechnica-HummingWhale","description":"Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.","url":"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2024-03-29T15:07:58.675Z","name":"eSurv","description":"[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)","x_mitre_platforms":["Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.1","x_mitre_aliases":["eSurv"],"type":"malware","id":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","created":"2020-09-14T14:13:45.032Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0507","external_id":"S0507"},{"source_name":"Lookout eSurv","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/esurv-research"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-01T22:00:09.640Z","name":"TangleBot","description":"[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["TangleBot"],"type":"malware","id":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","created":"2023-02-28T21:39:52.744Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1069","external_id":"S1069"},{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Jörg Abraham, EclecticIQ"],"x_mitre_aliases":["Monokle"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","type":"malware","created":"2019-09-04T14:28:14.181Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://attack.mitre.org/software/S0407","source_name":"mitre-attack","external_id":"S0407"},{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2021-11-01T18:30:41.998Z","name":"Monokle","description":"[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. 
It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.(Citation: Lookout-Monokle)","x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Red Alert 2.0"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","type":"malware","created":"2020-12-14T14:52:02.949Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0539","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0539"},{"source_name":"Sophos Red Alert 2.0","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020."}],"modified":"2020-12-16T20:52:20.822Z","name":"Red Alert 2.0","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["ViceLeaker","Triout"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","type":"malware","created":"2019-11-21T16:42:48.203Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0418","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0418"},{"source_name":"ViceLeaker","description":"(Citation: SecureList - ViceLeaker 2019)"},{"source_name":"Triout","description":"(Citation: SecureList - ViceLeaker 2019)"},{"description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/","source_name":"SecureList - ViceLeaker 2019"},{"source_name":"Bitdefender - Triout 2018","url":"https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/","description":"L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020."}],"modified":"2020-03-26T19:00:42.233Z","name":"ViceLeaker","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-16T16:57:33.534Z","name":"FlyTrap","description":"[FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. [FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap) ","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Pooja Natarajan, NEC Corporation India","Hiroki Nagahama, NEC Corporation","Manikantan Srinivasan, NEC Corporation India"],"x_mitre_aliases":["FlyTrap"],"type":"malware","id":"malware--8338393c-cb2e-4ee6-b944-34672499c785","created":"2023-09-28T17:36:00.965Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1093","external_id":"S1093"},{"source_name":"Trend Micro FlyTrap","description":"Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.","url":"https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Ofir Almkias, Cybereason"],"x_mitre_aliases":["FakeSpy"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","type":"malware","created":"2020-09-15T15:18:11.971Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0509","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0509"},{"source_name":"Cybereason FakeSpy","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020."}],"modified":"2020-10-06T20:09:57.659Z","name":"FakeSpy","description":"[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"SpyDealer","description":"[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. 
(Citation: PaloAlto-SpyDealer)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["SpyDealer"],"type":"malware","id":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0324","external_id":"S0324"},{"source_name":"SpyDealer","description":"(Citation: PaloAlto-SpyDealer)"},{"source_name":"PaloAlto-SpyDealer","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.","url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["iOS"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Concipit1248","Corona Updates"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--89c3dbf6-f281-41b7-be1d-a0e641014853","type":"malware","created":"2020-04-24T15:12:10.817Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0426","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0426"},{"source_name":"Corona Updates","description":"(Citation: TrendMicro Coronavirus Updates)"},{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020."}],"modified":"2020-04-30T18:30:05.787Z","name":"Concipit1248","description":"[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"RuMMS","description":"[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--936be60d-90eb-4c36-9247-4b31128432c4","created":"2017-10-25T14:48:48.917Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0313","external_id":"S0313"},{"source_name":"RuMMS","description":"(Citation: FireEye-RuMMS)"},{"source_name":"FireEye-RuMMS","description":"Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.","url":"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"Pegasus for Android","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. 
(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["Pegasus for Android","Chrysaor"],"type":"malware","id":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","created":"2017-10-25T14:48:41.202Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0316","external_id":"S0316"},{"source_name":"Pegasus for Android","description":"(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)"},{"source_name":"Chrysaor","description":"(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)"},{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"},{"source_name":"Google-Chrysaor","description":"Rich Cannings et al.. (2017, April 3). An investigation of Chrysaor Malware on Android. 
Retrieved April 16, 2017.","url":"https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["FrozenCell"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","type":"malware","created":"2021-02-17T20:43:52.033Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0577","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0577"},{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020."}],"modified":"2021-04-19T14:07:24.519Z","name":"FrozenCell","description":"[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["AndroidOS/MalLocker.B"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce","type":"malware","created":"2020-10-29T18:41:49.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0524","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0524"},{"source_name":"Microsoft 
MalLockerB","url":"https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/","description":"D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020."}],"modified":"2020-10-29T18:41:49.272Z","name":"AndroidOS/MalLocker.B","description":"[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-02-28T21:05:57.018Z","name":"SharkBot","description":"[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["SharkBot"],"type":"malware","id":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","created":"2023-01-18T19:44:52.711Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1055","external_id":"S1055"},{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"RedDrop","description":"[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["RedDrop"],"type":"malware","id":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0326","external_id":"S0326"},{"source_name":"RedDrop","description":"(Citation: Wandera-RedDrop)"},{"source_name":"Wandera-RedDrop","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.","url":"https://www.wandera.com/reddrop-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["CHEMISTGAMES"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--a0d774e4-bafc-4292-8651-3ec899391341","type":"malware","created":"2020-12-31T18:25:04.779Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0555","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0555"},{"source_name":"CYBERWARCON CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020."}],"modified":"2021-03-25T16:42:05.526Z","name":"CHEMISTGAMES","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-20T18:19:15.826Z","name":"YiSpecter","description":"[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. 
[YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)","x_mitre_platforms":["Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"2.0","x_mitre_aliases":["YiSpecter"],"type":"malware","id":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","created":"2017-10-25T14:48:48.301Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0311","external_id":"S0311"},{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Trojan-SMS.AndroidOS.Agent.ao","description":"[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. 
(Citation: Kaspersky-MobileMalware)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17","created":"2017-10-25T14:48:46.411Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0307","external_id":"S0307"},{"source_name":"Trojan-SMS.AndroidOS.Agent.ao","description":"(Citation: Kaspersky-MobileMalware)"},{"source_name":"Kaspersky-MobileMalware","description":"Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.","url":"https://securelist.com/mobile-malware-evolution-2013/58335/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-10-20T21:40:21.121Z","name":"BOULDSPY","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. 
Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Gunji Satoshi, NEC Corporation","Manikantan Srinivasan, NEC Corporation India","Pooja Natarajan, NEC Corporation India","Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd"],"x_mitre_aliases":["BOULDSPY"],"type":"malware","id":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","created":"2023-07-21T19:31:54.632Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1079","external_id":"S1079"},{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-25T15:03:05.100Z","name":"Anubis","description":"[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.3","x_mitre_contributors":["Aviran Hazum, Check Point","Sergey Persikov, Check Point"],"x_mitre_aliases":["Anubis"],"type":"malware","id":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","created":"2020-04-08T15:41:19.114Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0422","external_id":"S0422"},{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-16T21:01:50.792Z","name":"AndroRAT","description":"[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. 
[AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.1","x_mitre_aliases":["AndroRAT"],"type":"malware","id":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","created":"2017-10-25T14:48:47.363Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0292","external_id":"S0292"},{"source_name":"Forcepoint BITTER Pakistan Oct 2016","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.","url":"https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"},{"source_name":"Lookout-EnterpriseApps","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"},{"source_name":"github_androrat","description":"The404Hacking. (n.d.). AndroRAT. 
Retrieved April 8, 2024.","url":"https://web.archive.org/web/20221013124327/https://github.com/The404Hacking/AndroRAT"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-12T17:23:46.687Z","name":"FinFisher","description":"[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)","x_mitre_platforms":["Windows","Android"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_version":"1.4","x_mitre_aliases":["FinFisher","FinSpy"],"type":"malware","id":"malware--a5528622-3a8a-4633-86ce-8cdaf8423858","created":"2018-01-16T16:13:52.465Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0182","external_id":"S0182"},{"source_name":"FinFisher","description":"(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)"},{"source_name":"FinSpy","description":"(Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)"},{"source_name":"Microsoft FinFisher March 2018","description":"Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. 
Retrieved July 9, 2018.","url":"https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"},{"source_name":"Microsoft SIR Vol 21","description":"Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.","url":"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf"},{"source_name":"FinFisher Citation","description":"FinFisher. (n.d.). Retrieved September 12, 2024.","url":"https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html"},{"source_name":"FireEye FinSpy Sept 2017","description":"Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.","url":"https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"},{"source_name":"Securelist BlackOasis Oct 2017","description":"Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. 
Retrieved February 15, 2018.","url":"https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Aviran Hazum, Check Point","Sergey Persikov, Check Point"],"x_mitre_aliases":["Agent Smith"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--a6228601-03f6-4949-ae22-c1087627a637","type":"malware","created":"2020-05-07T15:18:34.417Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0440","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0440"},{"source_name":"CheckPoint Agent Smith","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020."}],"modified":"2020-06-17T12:49:21.423Z","name":"Agent Smith","description":"[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. 
As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Asacub","Trojan-SMS.AndroidOS.Smaps"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","type":"malware","created":"2020-12-14T15:02:35.007Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0540","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0540"},{"source_name":"Trojan-SMS.AndroidOS.Smaps","description":"(Citation: Securelist Asacub)"},{"source_name":"Securelist Asacub","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020."}],"modified":"2020-12-16T20:21:43.239Z","name":"Asacub","description":"[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims’ bank accounts. 
It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["GPlayed"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","type":"malware","created":"2020-11-24T17:55:12.561Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0536","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0536"},{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.561Z","name":"GPlayed","description":"[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["EventBot"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","type":"malware","created":"2020-06-26T14:55:12.847Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0478","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0478"},{"source_name":"Cybereason EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. 
Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020."}],"modified":"2020-06-26T21:01:58.595Z","name":"EventBot","description":"[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["HenBox"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","type":"malware","created":"2020-12-17T20:15:22.110Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0544","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0544"},{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019."}],"modified":"2021-04-12T03:02:06.792Z","name":"HenBox","description":"[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. 
[HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Riltok"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--c0efbaae-9e7d-4716-a92d-68373aac7424","type":"malware","created":"2019-08-07T15:57:12.877Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0403","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0403"},{"description":"Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.","url":"https://securelist.com/mobile-banker-riltok/91374/","source_name":"Kaspersky Riltok June 2019"}],"modified":"2019-09-18T13:44:13.080Z","name":"Riltok","description":"[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["GolfSpy"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","type":"malware","created":"2020-01-27T17:05:57.712Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0421","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0421"},{"source_name":"Trend Micro Bouncing Golf 
2019","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020."}],"modified":"2020-03-26T20:50:07.023Z","name":"GolfSpy","description":"[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Pallas"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","type":"malware","created":"2019-07-10T15:35:43.217Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0399","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0399"},{"source_name":"Pallas","description":"(Citation: Lookout Dark Caracal Jan 2018)"},{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-09-18T20:17:17.744Z","name":"Pallas","description":"[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)","x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Circles"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24","type":"malware","created":"2021-04-26T15:33:55.798Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0602","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0602"},{"source_name":"CitizenLab Circles","url":"https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/","description":"Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020."}],"modified":"2021-04-26T15:33:55.798Z","name":"Circles","description":"[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. 
Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Tiktok Pro"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","type":"malware","created":"2021-01-05T20:16:19.968Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0558","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0558"},{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021."}],"modified":"2021-04-19T16:30:16.930Z","name":"Tiktok Pro","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"PJApps","description":"[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. 
(Citation: Lookout-EnterpriseApps)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--c709da93-20c3-4d17-ab68-48cba76b2137","created":"2017-10-25T14:48:43.527Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0291","external_id":"S0291"},{"source_name":"PJApps","description":"(Citation: Lookout-EnterpriseApps)"},{"source_name":"Lookout-EnterpriseApps","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"ShiftyBug","description":"[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--c80a6bef-b3ce-44d0-b113-946e93124898","created":"2017-10-25T14:48:38.690Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0294","external_id":"S0294"},{"source_name":"ShiftyBug","description":"(Citation: Lookout-Adware)"},{"source_name":"Lookout-Adware","description":"Michael Bentley. (2015, November 4). 
Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.","url":"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-04-21T18:52:08.966Z","name":"HummingBad","description":"[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.1","x_mitre_aliases":["HummingBad"],"type":"malware","id":"malware--c8770c81-c29f-40d2-a140-38544206b2b4","created":"2017-10-25T14:48:42.948Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0322","external_id":"S0322"},{"source_name":"ArsTechnica-HummingBad","description":"Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.","url":"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-10-01T15:53:53.833Z","name":"Exobot","description":"[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["Exobot"],"type":"malware","id":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","created":"2020-10-29T13:32:20.972Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0522","external_id":"S0522"},{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"OBAD","description":"OBAD is an Android malware family. 
(Citation: TrendMicro-Obad)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--ca4f63b9-a358-4214-bb26-8c912318cfde","created":"2017-10-25T14:48:44.540Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0286","external_id":"S0286"},{"source_name":"OBAD","description":"(Citation: TrendMicro-Obad)"},{"source_name":"TrendMicro-Obad","description":"Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"Android/Chuli.A","description":"[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.2","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["Android/Chuli.A"],"type":"malware","id":"malware--d05f7357-4cbe-47ea-bf83-b8604226d533","created":"2017-10-25T14:48:45.482Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0304","external_id":"S0304"},{"source_name":"Android/Chuli.A","description":"(Citation: Kaspersky-WUC)"},{"source_name":"Kaspersky-WUC","description":"Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). 
Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.","url":"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"Charger","description":"[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_aliases":["Charger"],"type":"malware","id":"malware--d1c600f8-0fb6-4367-921b-85b71947d950","created":"2017-10-25T14:48:39.631Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0323","external_id":"S0323"},{"source_name":"Charger","description":"(Citation: CheckPoint-Charger)"},{"source_name":"CheckPoint-Charger","description":"Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.","url":"http://blog.checkpoint.com/2017/01/24/charger-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2023-04-13T22:33:34.237Z","name":"Drinik","description":"[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. 
Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["Drinik"],"type":"malware","id":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","created":"2023-01-18T19:05:43.194Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1054","external_id":"S1054"},{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Trojan-SMS.AndroidOS.OpFake.a","description":"[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. 
(Citation: Kaspersky-MobileMalware)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--d89c132d-7752-4c7f-9372-954a71522985","created":"2017-10-25T14:48:46.734Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0308","external_id":"S0308"},{"source_name":"Trojan-SMS.AndroidOS.OpFake.a","description":"(Citation: Kaspersky-MobileMalware)"},{"source_name":"Kaspersky-MobileMalware","description":"Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.","url":"https://securelist.com/mobile-malware-evolution-2013/58335/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"modified":"2022-10-24T15:09:07.609Z","name":"XcodeGhost","description":"[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--d9e07aea-baad-4b68-bdca-90c77647d7f9","created":"2017-10-25T14:48:42.661Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0297","external_id":"S0297"},{"source_name":"XcodeGhost","description":"(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)"},{"source_name":"PaloAlto-XcodeGhost1","description":"Claud Xiao. (2015, September 17). 
Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.","url":"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"},{"source_name":"PaloAlto-XcodeGhost","description":"Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.","url":"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["SilkBean"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","type":"malware","created":"2020-12-24T21:41:36.719Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0549","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0549"},{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2021-04-19T14:29:45.809Z","name":"SilkBean","description":"[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["WolfRAT"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","type":"malware","created":"2020-07-20T13:27:33.113Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0489","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0489"},{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020."}],"modified":"2020-09-11T15:58:40.564Z","name":"WolfRAT","description":"[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-28T17:20:20.194Z","name":"BusyGasper","description":"[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. 
There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.(Citation: SecureList BusyGasper)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["BusyGasper"],"type":"malware","id":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","created":"2021-10-01T14:42:48.234Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0655","external_id":"S0655"},{"source_name":"SecureList BusyGasper","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021.","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"malware","id":"malware--e13d084c-382f-40fd-aa9a-98d69e20301e","created":"2017-10-25T14:48:47.674Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"S0293","url":"https://attack.mitre.org/software/S0293"},{"source_name":"CheckPoint-BrainTest","url":"http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/","description":"Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest – A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016."},{"source_name":"Lookout-BrainTest","url":"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/","description":"Chris Dehghanpoor. (2016, January 6). 
Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)","modified":"2022-04-15T15:36:43.770Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"BrainTest","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["TERRACOTTA"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","type":"malware","created":"2020-12-18T20:14:46.858Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0545","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0545"},{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020."}],"modified":"2020-12-28T18:59:32.817Z","name":"TERRACOTTA","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-11T14:36:10.445Z","name":"Escobar","description":"[Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Pooja Natarajan, NEC Corporation India","Hiroki Nagahama, NEC Corporation","Manikantan Srinivasan, NEC Corporation India"],"x_mitre_aliases":["Escobar"],"type":"malware","id":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","created":"2023-09-28T17:04:46.516Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1092","external_id":"S1092"},{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Triada"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--f082fc59-0317-49cf-971f-a1b6296ebb52","type":"malware","created":"2019-07-16T14:33:12.034Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0424","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0424"},{"description":"Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.","url":"https://www.kaspersky.com/blog/triada-trojan/11481/","source_name":"Kaspersky Triada March 2016"}],"modified":"2020-05-28T16:52:37.979Z","name":"Triada","description":"[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. 
Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Golden Cup"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","type":"malware","created":"2020-11-20T15:44:57.339Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0535","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0535"},{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020."}],"modified":"2020-12-22T21:48:10.951Z","name":"Golden Cup","description":"[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-31T23:02:48.577Z","name":"FluBot","description":"[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. 
It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["FluBot"],"type":"malware","id":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","created":"2023-02-28T20:25:59.034Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1067","external_id":"S1067"},{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"},{"source_name":"bitdefender_flubot_0524","description":"Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.","url":"https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["ViperRAT"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","type":"malware","created":"2020-09-11T16:22:02.954Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0506","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0506"},{"source_name":"Lookout ViperRAT","url":"https://blog.lookout.com/viperrat-mobile-apt","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020."}],"modified":"2020-09-29T20:03:42.662Z","name":"ViperRAT","description":"[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Adups","description":"[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. 
(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf","created":"2017-10-25T14:48:47.038Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0309","external_id":"S0309"},{"source_name":"Adups","description":"(Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)"},{"source_name":"NYTimes-BackDoor","description":"Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.","url":"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"},{"source_name":"BankInfoSecurity-BackDoor","description":"Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.","url":"http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["SimBad"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--f79c01eb-2954-40d8-a819-00b342f47ce7","type":"malware","created":"2019-11-21T19:16:34.526Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0419","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0419"},{"description":"Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.","url":"https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/","source_name":"CheckPoint SimBad 2019"}],"modified":"2020-01-27T17:01:31.634Z","name":"SimBad","description":"[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Android/AdDisplay.Ashas"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","type":"malware","created":"2020-10-29T19:19:08.848Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0525","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0525"},{"source_name":"WeLiveSecurity AdDisplayAshas","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/","description":"L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020."}],"modified":"2020-10-29T19:19:08.848Z","name":"Android/AdDisplay.Ashas","description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. 
(Citation: WeLiveSecurity AdDisplayAshas)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-17T14:17:42.833Z","name":"Phenakite","description":"[Phenakite](https://attack.mitre.org/software/S1126) is a mobile malware that is used by [APT-C-23](https://attack.mitre.org/groups/G1028) to target iOS devices. According to several reports, [Phenakite](https://attack.mitre.org/software/S1126) was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)","x_mitre_platforms":["iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Sittikorn Sangrattanapitak"],"x_mitre_aliases":["Phenakite"],"type":"malware","id":"malware--f97e2718-af50-41df-811f-215ebab45691","created":"2024-03-26T18:47:29.820Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1126","external_id":"S1126"},{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"},{"source_name":"sentinelone_israel_hamas_war","description":"Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-30T18:57:47.266Z","name":"Marcher","description":"[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)","x_mitre_deprecated":true,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["Marcher"],"type":"malware","id":"malware--f9854ba6-989d-43bf-828b-7240b8a65291","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0317","external_id":"S0317"},{"source_name":"Proofpoint-Marcher","description":"Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. Retrieved July 6, 2018.","url":"https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-29T21:11:14.364Z","name":"TianySpy","description":"[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. 
[TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ","x_mitre_platforms":["Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["TianySpy"],"type":"malware","id":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","created":"2023-01-19T18:05:30.924Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1056","external_id":"S1056"},{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-07T21:33:03.773Z","name":"Sunbird","description":"[Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. 
While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)","x_mitre_platforms":["Android"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_aliases":["Sunbird"],"type":"malware","id":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","created":"2023-08-04T18:27:24.614Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S1082","external_id":"S1082"},{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"labels":["malware"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"DressCode","description":"[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. 
(Citation: TrendMicro-DressCode)","labels":["malware"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"malware","id":"malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca","created":"2017-10-25T14:48:37.856Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0300","external_id":"S0300"},{"source_name":"DressCode","description":"(Citation: TrendMicro-DressCode)"},{"source_name":"TrendMicro-DressCode","description":"Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"labels":["malware"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_aliases":["Gustuff"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","type":"malware","created":"2019-09-03T20:08:00.241Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0406","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0406"},{"source_name":"Talos Gustuff Apr 2019","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019."}],"modified":"2019-10-14T19:14:17.007Z","name":"Gustuff","description":"[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"labels":["tool"],"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Emily Ratliff, IBM"],"x_mitre_aliases":["FlexiSpy"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","type":"tool","created":"2019-09-04T15:38:56.070Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"S0408","source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0408"},{"description":"K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.","url":"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf","source_name":"FortiGuard-FlexiSpy"},{"source_name":"CyberMerchants-FlexiSpy","url":"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html","description":"Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019."},{"source_name":"FlexiSpy-Website","url":"https://www.flexispy.com/","description":"FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019."}],"modified":"2019-10-14T18:08:28.349Z","name":"FlexiSpy","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. 
Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Xbot","description":"[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)","labels":["tool"],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","type":"tool","id":"tool--da21929e-40c0-443d-bdf4-6b60d15448b4","created":"2017-10-25T14:48:48.609Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/software/S0298","external_id":"S0298"},{"source_name":"Xbot","description":"(Citation: PaloAlto-Xbot)"},{"source_name":"PaloAlto-Xbot","description":"Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.","url":"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"]},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0027","url":"https://attack.mitre.org/tactics/TA0027","source_name":"mitre-attack"}],"modified":"2020-01-27T14:02:36.744Z","name":"Initial Access","description":"The adversary is trying to get into your device.\n\nThe initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"initial-access"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0036","url":"https://attack.mitre.org/tactics/TA0036","source_name":"mitre-attack"}],"modified":"2020-01-27T14:06:42.009Z","name":"Exfiltration","description":"The adversary is trying to steal data.\n\nExfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.\n\nIn the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. 
Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"exfiltration"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0028","url":"https://attack.mitre.org/tactics/TA0028","source_name":"mitre-attack"}],"modified":"2020-01-27T14:03:15.455Z","name":"Persistence","description":" The adversary is trying to maintain their foothold.\n\nPersistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. 
Attackers often will need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"persistence"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0029","url":"https://attack.mitre.org/tactics/TA0029","source_name":"mitre-attack"}],"modified":"2020-01-27T14:03:49.343Z","name":"Privilege Escalation","description":" The adversary is trying to gain higher-level permissions.\n\nPrivilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. 
Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"privilege-escalation"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0037","url":"https://attack.mitre.org/tactics/TA0037","source_name":"mitre-attack"}],"modified":"2020-01-27T14:06:59.132Z","name":"Command and Control","description":"The adversary is trying to communicate with compromised devices to control them.\n\nThe command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. \n\nThe resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. 
Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.\n\nAdditionally, in the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"command-and-control"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756","type":"x-mitre-tactic","created":"2020-01-27T14:00:49.089Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0041","source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0041"}],"modified":"2020-01-27T14:00:49.089Z","name":"Execution","description":"The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a mobile device. 
Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"execution"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0034","url":"https://attack.mitre.org/tactics/TA0034","source_name":"mitre-attack"}],"modified":"2020-01-27T16:09:15.308Z","name":"Impact","description":"The adversary is trying to manipulate, interrupt, or destroy your devices and data.\n\nThe impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. 
Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"impact"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0031","url":"https://attack.mitre.org/tactics/TA0031","source_name":"mitre-attack"}],"modified":"2020-01-27T14:05:02.718Z","name":"Credential Access","description":"The adversary is trying to steal account names, passwords, or other secrets that enable access to resources.\n\nCredential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. 
With sufficient access within a network, an adversary can create accounts for later use within the environment.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"credential-access"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0035","url":"https://attack.mitre.org/tactics/TA0035","source_name":"mitre-attack"}],"modified":"2020-01-27T14:06:10.915Z","name":"Collection","description":"The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. 
This category also covers locations on a system or network where the adversary may look for information to exfiltrate.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"collection"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0033","url":"https://attack.mitre.org/tactics/TA0033","source_name":"mitre-attack"}],"modified":"2020-01-27T14:05:37.854Z","name":"Lateral Movement","description":"The adversary is trying to move through your environment.\n\nLateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. 
The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"lateral-movement"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0030","url":"https://attack.mitre.org/tactics/TA0030","source_name":"mitre-attack"}],"modified":"2020-01-27T14:04:46.497Z","name":"Defense Evasion","description":" The adversary is trying to avoid being detected.\n\nDefense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"defense-evasion"},{"modified":"2022-11-07T21:01:17.781Z","name":"Network Effects","description":"The adversary is trying to intercept or manipulate network traffic to or from a device.\n\nThis category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. 
These include techniques to intercept or manipulate network traffic to and from the mobile device.","x_mitre_deprecated":true,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_shortname":"network-effects","type":"x-mitre-tactic","id":"x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0038","external_id":"TA0038"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.0.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1","type":"x-mitre-tactic","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"TA0032","url":"https://attack.mitre.org/tactics/TA0032","source_name":"mitre-attack"}],"modified":"2020-01-27T16:09:00.466Z","name":"Discovery","description":"The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. 
The operating system may provide capabilities that aid in this post-compromise information-gathering phase.","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_shortname":"discovery"},{"modified":"2022-11-07T21:01:36.112Z","name":"Remote Service Effects","description":"The adversary is trying to control or monitor the device using remote services.\n\nThis category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.","x_mitre_deprecated":true,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_shortname":"remote-service-effects","type":"x-mitre-tactic","id":"x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/tactics/TA0039","external_id":"TA0039"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.0.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Scheduled Task/Job","description":"Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. 
`WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"execution"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_detection":"Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Lorin Wu, Trend Micro"],"x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d","created":"2020-11-04T16:43:31.619Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1603","external_id":"T1603"},{"source_name":"Android WorkManager","description":"Google. (n.d.). Schedule tasks with WorkManager. Retrieved November 4, 2020.","url":"https://developer.android.com/topic/libraries/architecture/workmanager"},{"source_name":"Apple NSBackgroundActivityScheduler","description":"Apple. (n.d.). NSBackgroundActivityScheduler. 
Retrieved November 4, 2020.","url":"https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa","created":"2019-10-30T15:37:55.029Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1540","url":"https://attack.mitre.org/techniques/T1540"},{"source_name":"Fadeev Code Injection Aug 2018","url":"https://fadeevab.com/shared-library-injection-on-android-8/","description":"Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019."},{"source_name":"Google Triada June 2019","url":"https://security.googleblog.com/2019/06/pha-family-highlights-triada.html","description":"Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019."},{"source_name":"Shunix Code Injection Mar 2016","url":"https://shunix.com/shared-library-injection-in-android/","description":"Shunix . (2016, March 22). Shared Library Injection in Android. Retrieved October 30, 2019."}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. 
Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application’s process.(Citation: Google Triada June 2019)\n","modified":"2022-03-30T19:14:20.369Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Code Injection","x_mitre_detection":"Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"privilege-escalation"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-02-07T18:10:46.887Z","name":"Adversary-in-the-Middle","description":"Adversaries may attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. 
For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. 
For example, properly implementing Apple’s Application Transport Security (ATS) and Android’s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \n\n \n\nOn both Android and iOS, users must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. Users can see registered VPN services in the device settings. ","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","created":"2022-04-05T20:11:08.894Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1638","external_id":"T1638"},{"source_name":"mitd_checkpoint","description":"Check Point Research Team. (2018, August 12). Man-in-the-Disk: A New Attack Surface for Android Apps. Retrieved October 31, 2023.","url":"https://blog.checkpoint.com/security/man-in-the-disk-a-new-attack-surface-for-android-apps/"},{"source_name":"mitd_kaspersky","description":"Drozhzhin, A. (2018, August 27). Man-in-the-Disk: A new and dangerous way to hack Android. 
Retrieved October 31, 2023.","url":"https://usa.kaspersky.com/blog/man-in-the-disk/16089/"},{"source_name":"NSC_Android","description":"Lee, A., Ramirez, T. (2018, August 15). A Security Analyst’s Guide to Network Security Configuration in Android P . Retrieved February 7, 2024.","url":"https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/"},{"source_name":"mitd_checkpoint_research","description":"Makkaveev, S. (2018, August 12). Man-in-the-Disk: Android Apps Exposed via External Storage. Retrieved October 31, 2023.","url":"https://research.checkpoint.com/androids-man-in-the-disk/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html","external_id":"CEL-3"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html","external_id":"APP-0"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html","external_id":"APP-1"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html","external_id":"APP-8"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html","external_id":"ECO-12"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-15T16:23:59.281Z","name":"Abuse Elevation Control Mechanism","description":"Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. 
Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"privilege-escalation"}],"x_mitre_deprecated":false,"x_mitre_detection":"When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. Extra scrutiny could be applied to applications that do","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3","created":"2022-04-01T15:54:05.633Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1626","external_id":"T1626"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html","external_id":"APP-22"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-25T19:53:07.406Z","name":"Remote Access Software","description":"Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices. 
\n\nRemote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c","created":"2023-09-25T19:53:07.406Z","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1663","external_id":"T1663"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d","type":"attack-pattern","created":"2017-10-25T14:48:08.155Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1454","external_id":"T1454"}],"modified":"2019-04-29T19:35:30.985Z","name":"Malicious SMS Message","description":"Test","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_version":"1.0","x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d","created":"2017-10-25T14:48:18.237Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1470","url":"https://attack.mitre.org/techniques/T1470"},{"source_name":"Elcomsoft-EPPB","url":"https://www.elcomsoft.com/eppb.html","description":"Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016."},{"source_name":"Elcomsoft-WhatsApp","url":"https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/","description":"Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. Retrieved July 6, 2018."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-0"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-1"}],"x_mitre_deprecated":true,"revoked":false,"description":"An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). 
Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.","modified":"2022-04-06T15:54:11.189Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Obtain Device Cloud Backups","x_mitre_detection":"Google provides the ability for users to view their account activity. Apple iCloud also provides notifications to users of account activity.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"remote-service-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:43:03.218Z","name":"Uninstall Malicious Application","description":"Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Users can see a list of applications that can use accessibility services in the device settings. 
Application vetting services could look for use of the accessibility service or features that typically require root access.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","created":"2022-03-30T19:31:31.855Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1630/001","external_id":"T1630.001"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html","external_id":"APP-43"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:42:18.121Z","name":"Indicator Removal on Host","description":"Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Users can see a list of applications that can use accessibility services in the device settings. 
Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["iOS","Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d","created":"2022-03-30T19:28:25.541Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1630","external_id":"T1630"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html","external_id":"APP-43"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:52:29.947Z","name":"Supply Chain Compromise","description":"Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update 
channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1474","external_id":"T1474"},{"source_name":"Grace-Advertisement","description":"M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.","url":"https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf"},{"source_name":"NowSecure-RemoteCode","description":"Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. 
Retrieved December 22, 2016.","url":"https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html","external_id":"APP-6"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html","external_id":"SPC-0"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html","external_id":"SPC-1"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html","external_id":"SPC-2"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html","external_id":"SPC-3"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html","external_id":"SPC-4"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html","external_id":"SPC-5"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html","external_id":"SPC-6"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html","external_id":"SPC-7"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html","external_id":"SPC-8"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html","external_id":"SPC-9"},{"source_name":"NIST Mobile Threat 
Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html","external_id":"SPC-10"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html","external_id":"SPC-11"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html","external_id":"SPC-12"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html","external_id":"SPC-13"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html","external_id":"SPC-14"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html","external_id":"SPC-15"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html","external_id":"SPC-16"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html","external_id":"SPC-17"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html","external_id":"SPC-18"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html","external_id":"SPC-19"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html","external_id":"SPC-20"},{"source_name":"NIST Mobile Threat 
Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html","external_id":"SPC-21"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-15T15:06:03.427Z","name":"Impersonate SS7 Nodes","description":"Adversaries may exploit the lack of authentication in signaling system network nodes to track the to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim’s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device’s geographical cell area or nearest cell tower.(Citation: Engel-SS7)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry 
members.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","type":"attack-pattern","id":"attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7","created":"2022-04-05T19:49:58.938Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1430/002","external_id":"T1430.002"},{"source_name":"3GPP-Security","description":"3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.","url":"http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf"},{"source_name":"CSRIC5-WG10-FinalReport","description":"Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.","url":"https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"},{"source_name":"CSRIC-WG1-FinalReport","description":"CSRIC-WG1-FinalReport"},{"source_name":"Positive-SS7","description":"Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.","url":"https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf"},{"source_name":"Engel-SS7-2008","description":"Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.","url":"https://www.youtube.com/watch?v=q0n5ySqbfdI"},{"source_name":"Engel-SS7","description":"Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. 
Retrieved December 19, 2016.","url":"https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html","external_id":"CEL-38"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-08T18:15:15.902Z","name":"Match Legitimate Name or Location","description":"Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). \n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_contributors":["Ford Qin, Trend Micro","Liran Ravich, CardinalOps"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","created":"2023-07-12T20:45:14.704Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1655/001","external_id":"T1655.001"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html","external_id":"APP-14"},{"source_name":"NIST Mobile Threat 
Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html","external_id":"APP-31"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799","type":"attack-pattern","created":"2017-10-25T14:48:30.462Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1425","external_id":"T1425"}],"modified":"2018-10-17T01:05:10.699Z","name":"Insecure Third-Party Libraries","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"modified":"2023-03-20T18:56:20.270Z","name":"Protected User Data","description":"Adversaries may utilize standard operating system APIs to collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application’s manifest. On iOS, they must be included in the application’s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user’s knowledge or approval. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"Users can view permissions granted to an application in device settings. 
Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e","created":"2022-04-01T12:36:41.507Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1636","external_id":"T1636"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html","external_id":"APP-13"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8","created":"2022-04-05T20:15:43.636Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1521.002","url":"https://attack.mitre.org/techniques/T1521/002"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. 
Due to how asymmetric algorithms work, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).","modified":"2022-04-05T20:16:21.324Z","name":"Asymmetric Cryptography","x_mitre_detection":"Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.","kill_chain_phases":[{"phase_name":"command-and-control","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":true,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:55:03.477Z","name":"Software Discovery","description":"Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. \n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. 
","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","created":"2017-10-25T14:48:28.067Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1418","external_id":"T1418"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html","external_id":"APP-12"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:55:23.702Z","name":"Process Discovery","description":"Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. 
On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","created":"2017-10-25T14:48:33.926Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1424","external_id":"T1424"},{"source_name":"Android-SELinuxChanges","description":"Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. 
Retrieved December 21, 2016.","url":"https://code.google.com/p/android/issues/detail?id=205565"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-16T18:32:30.150Z","name":"Call Log","description":"Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user’s knowledge or approval. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application’s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. 
","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","created":"2022-04-01T13:12:23.522Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1636/002","external_id":"T1636.002"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html","external_id":"APP-13"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:55:33.642Z","name":"Security Software Discovery","description":"Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. 
On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e","created":"2022-03-31T19:50:45.752Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1418/001","external_id":"T1418.001"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html","external_id":"APP-12"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2","type":"attack-pattern","created":"2017-10-25T14:48:10.699Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1434","external_id":"T1434"}],"modified":"2018-10-17T01:05:10.699Z","name":"App Delivered via Email Attachment","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"modified":"2023-03-20T18:57:40.571Z","name":"Ptrace System Calls","description":"Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. 
The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"privilege-escalation"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for misuse of dynamic libraries.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee","created":"2022-03-30T19:05:17.048Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1631/001","external_id":"T1631.001"},{"source_name":"BH Linux Inject","description":"Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.","url":"https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf"},{"source_name":"Medium Ptrace JUL 2018","description":"Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.","url":"https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be"},{"source_name":"PTRACE man","description":"Kerrisk, M. (2020, February 9). PTRACE(2) - Linux Programmer's Manual. 
Retrieved February 21, 2020.","url":"http://man7.org/linux/man-pages/man2/ptrace.2.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:59:55.849Z","name":"Impair Defenses","description":"Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","created":"2022-04-01T18:42:22.117Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1629","external_id":"T1629"},{"source_name":"Samsung Knox Mobile Threat Defense","description":"Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.","url":"https://partner.samsungknox.com/mtd"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html","external_id":"APP-22"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Lukáš Štefanko, ESET"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a","type":"attack-pattern","created":"2017-10-25T14:48:08.613Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-mobile-attack","external_id":"T1453","url":"https://attack.mitre.org/techniques/T1453"},{"url":"https://www.skycure.com/blog/accessibility-clickjacking/","description":"Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.","source_name":"Skycure-Accessibility"},{"description":"Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.","url":"https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/","source_name":"android-trojan-steals-paypal-2fa"},{"source_name":"banking-trojans-google-play","url":"https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/","description":"Lukáš Štefanko. (2018, October 24). Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019."}],"modified":"2020-03-30T14:03:43.761Z","name":"Abuse Accessibility Features","description":"**This technique has been deprecated. 
Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":true,"x_mitre_version":"2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_is_subtechnique":false},{"modified":"2023-03-20T18:51:07.651Z","name":"Exploitation of Remote Services","description":"Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device’s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). 
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"lateral-movement"}],"x_mitre_deprecated":false,"x_mitre_detection":"Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. 
","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d","created":"2017-10-25T14:48:13.259Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1428","external_id":"T1428"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html","external_id":"APP-32"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","created":"2022-04-01T19:06:27.177Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1437.001","url":"https://attack.mitre.org/techniques/T1437/001"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-29"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. 
\n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. ","modified":"2022-04-06T13:07:45.661Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Web Protocols","x_mitre_detection":"Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ","kill_chain_phases":[{"phase_name":"command-and-control","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":true,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-12-26T19:17:13.294Z","name":"Steal Application Access Token","description":"Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system “Open With” dialogue. 
\n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). 
For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce","created":"2022-04-01T15:12:50.740Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1635","external_id":"T1635"},{"source_name":"Android-AppLinks","description":"Android. (n.d.). Handling App Links. Retrieved December 21, 2016.","url":"https://developer.android.com/training/app-links/index.html"},{"source_name":"Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019","description":"Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.","url":"https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/"},{"source_name":"Microsoft - OAuth Code Authorization flow - June 2019","description":"Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.","url":"https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow"},{"source_name":"Microsoft Identity Platform Protocols May 2019","description":"Microsoft. (n.d.). Retrieved September 12, 2019.","url":"https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols"},{"source_name":"IETF-OAuthNativeApps","description":"W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. 
Retrieved November 30, 2018.","url":"https://tools.ietf.org/html/rfc8252"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08","created":"2022-04-11T20:05:56.069Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1628.002","url":"https://attack.mitre.org/techniques/T1628/002"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.","modified":"2022-04-11T20:05:56.069Z","name":"User Evasion","x_mitre_detection":"Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"phase_name":"defense-evasion","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":true,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:37:57.884Z","name":"Virtualization/Sandbox Evasion","description":"Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f","created":"2022-03-30T17:51:29.550Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1633","external_id":"T1633"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38","created":"2020-06-24T17:33:49.778Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1579","url":"https://attack.mitre.org/techniques/T1579"},{"source_name":"Apple Keychain Services","url":"https://developer.apple.com/documentation/security/keychain_services","description":"Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020."},{"source_name":"Elcomsoft Decrypt Keychain","url":"https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/","description":"V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. 
Retrieved June 24, 2020."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html","source_name":"NIST Mobile Threat Catalogue","external_id":"AUT-11"}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)","modified":"2022-04-01T15:02:43.470Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Keychain","x_mitre_detection":"Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-28T15:36:11.282Z","name":"Application Versioning","description":"An adversary may push an update to a previously benign application to add malicious code. This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. 
This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad)\n\nThis technique could also be accomplished by compromising a developer’s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_contributors":["Edward Stevens, BT Security","Adam Lichters"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258","created":"2023-09-21T22:16:38.002Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1661","external_id":"T1661"},{"source_name":"android_app_breaking_bad","description":"Stefanko, L. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved August 28, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html","external_id":"SPC-20"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3","created":"2017-10-25T14:48:17.176Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1413","url":"https://attack.mitre.org/techniques/T1413"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-3"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-13"}],"x_mitre_deprecated":true,"revoked":false,"description":"On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. 
On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.","modified":"2022-04-06T15:37:34.463Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Access Sensitive Data in Device Logs","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-07T22:15:34.693Z","name":"Command and Scripting Interpreter","description":"Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java’s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"execution"}],"x_mitre_deprecated":false,"x_mitre_detection":"Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c","created":"2022-03-30T13:40:37.259Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1623","external_id":"T1623"},{"source_name":"Samsung Knox Mobile Threat Defense","description":"Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.","url":"https://partner.samsungknox.com/mtd"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:40:12.912Z","name":"Disable or Modify Tools","description":"Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. 
This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Users can view a list of active device administrators in the device settings.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","created":"2022-04-01T18:51:13.963Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1629/003","external_id":"T1629.003"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-14T16:21:05.728Z","name":"Ingress Tool Transfer","description":"Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for connections to unknown domains or IP addresses. 
Application vetting services may indicate precisely what content was requested during application execution.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","created":"2020-01-21T15:27:30.182Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1544","external_id":"T1544"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-14T16:19:34.225Z","name":"Dynamic Resolution","description":"Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. 
There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26","created":"2022-04-05T19:57:15.734Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1637","external_id":"T1637"},{"source_name":"Data Driven Security DGA","description":"Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. 
Retrieved February 18, 2019.","url":"https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1477","url":"https://attack.mitre.org/techniques/T1477"},{"source_name":"Forbes-iPhoneSMS","url":"http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html","description":"Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. Retrieved December 23, 2016."},{"source_name":"Register-BaseStation","url":"http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/","description":"D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016."},{"source_name":"ProjectZero-BroadcomWiFi","url":"https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html","description":"Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018."},{"source_name":"Weinmann-Baseband","url":"https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf","description":"R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016."},{"source_name":"SRLabs-SIMCard","url":"https://srlabs.de/bites/rooting-sim-cards/","description":"SRLabs. (n.d.). SIM cards are prone to remote hacking. 
Retrieved December 23, 2016."}],"x_mitre_deprecated":true,"revoked":false,"description":"The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).","modified":"2022-04-06T15:42:13.444Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Exploit via Radio Interfaces","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790","created":"2017-10-25T14:48:26.890Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1423","url":"https://attack.mitre.org/techniques/T1423"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may attempt to get a listing of services running on remote hosts, including 
those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).","modified":"2022-04-11T19:12:38.451Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Network Service Scanning","x_mitre_detection":"Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"phase_name":"discovery","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d","created":"2021-09-30T18:18:52.285Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1618","url":"https://attack.mitre.org/techniques/T1618"}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. 
That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.","modified":"2022-04-11T20:06:56.032Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"User Evasion","x_mitre_detection":"Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-14T16:41:52.000Z","name":"Exfiltration Over C2 Channel","description":"Adversaries may steal data by exfiltrating it over an existing command and control channel. 
Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"exfiltration"}],"x_mitre_deprecated":false,"x_mitre_detection":"[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","created":"2022-04-01T15:43:45.913Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1646","external_id":"T1646"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html","external_id":"APP-29"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-08T19:20:13.836Z","name":"Exploitation for Privilege Escalation","description":"Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. 
Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"privilege-escalation"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","created":"2017-10-25T14:48:29.405Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1404","external_id":"T1404"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html","external_id":"APP-26"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-10T21:57:52.009Z","name":"Call Control","description":"Adversaries 
may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* `WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. 
This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_contributors":["Gaetan van Diemen, ThreatFabric"],"x_mitre_deprecated":false,"x_mitre_detection":"Users can view their default phone app in device settings. Users can review available call logs for irregularities, such as missing or unrecognized calls.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","created":"2021-09-20T13:42:20.824Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1616","external_id":"T1616"},{"source_name":"Android Permissions","description":"Google. (2021, August 11). Manifest.permission. 
Retrieved September 22, 2021.","url":"https://developer.android.com/reference/android/Manifest.permission"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html","external_id":"APP-41"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html","external_id":"CEL-42"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html","external_id":"CEL-36"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html","external_id":"CEL-18"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-14T16:40:40.166Z","name":"Exfiltration Over Unencrypted Non-C2 Protocol","description":"Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). 
Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"exfiltration"}],"x_mitre_deprecated":false,"x_mitre_detection":"[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--37047267-3e56-453c-833e-d92b68118120","created":"2022-04-06T13:22:57.683Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1639/001","external_id":"T1639.001"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html","external_id":"APP-30"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-16T18:27:42.752Z","name":"Broadcast Receivers","description":"Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. 
Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_contributors":["Alex Hinchliffe, Palo Alto Networks"],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. 
","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","created":"2022-03-30T14:41:00.672Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1624/001","external_id":"T1624.001"},{"source_name":"Android Changes to System Broadcasts","description":"Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.","url":"https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad","created":"2017-10-25T14:48:16.650Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1436","url":"https://attack.mitre.org/techniques/T1436"}],"x_mitre_deprecated":true,"revoked":false,"description":"Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. 
\n\nThey may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.","modified":"2022-04-06T15:40:47.556Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Commonly Used Port","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"exfiltration"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--393e8c12-a416-4575-ba90-19cc85656796","created":"2017-10-25T14:48:26.104Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1439","url":"https://attack.mitre.org/techniques/T1439"},{"source_name":"mHealth","url":"https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps","description":"D. He et al.. (2014). Security Concerns in Android mHealth Apps. 
Retrieved December 24, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-0"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-1"}],"x_mitre_deprecated":false,"revoked":true,"description":"If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)","modified":"2022-04-05T20:17:46.147Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Eavesdrop on Insecure Network Communication","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"network-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-15T16:26:05.050Z","name":"Access Notifications","description":"Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. 
Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","created":"2019-09-15T15:26:08.183Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1517","external_id":"T1517"},{"source_name":"ESET 2FA Bypass","description":"Lukáš Štefanko. (2019, June 17). Malware sidesteps Google permissions policy with new 2FA bypass technique. 
Retrieved September 15, 2019.","url":"https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9","created":"2017-10-25T14:48:14.982Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1410","url":"https://attack.mitre.org/techniques/T1410"},{"source_name":"Skycure-Profiles","url":"https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/","description":"Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016."}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. 
For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.","modified":"2022-04-15T17:52:24.123Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Network Traffic Capture or Redirection","x_mitre_detection":"On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2","created":"2017-10-25T14:48:34.407Z","x_mitre_version":"2.1","external_references":[{"source_name":"mitre-attack","external_id":"T1411","url":"https://attack.mitre.org/techniques/T1411"},{"source_name":"Felt-PhishingOnMobileDevices","url":"http://w2spconf.com/2011/papers/felt-mobilephishing.pdf","description":"A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016."},{"source_name":"Android Background","url":"https://developer.android.com/guide/components/activities/background-starts","description":"Android Developers. (n.d.). Restrictions on starting activities from the background. 
Retrieved September 18, 2019."},{"source_name":"Android-getRunningTasks","url":"https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29","description":"Android. (n.d.). ActivityManager getRunningTasks documentation. Retrieved January 19, 2017."},{"source_name":"Cloak and Dagger","url":"http://cloak-and-dagger.org/","description":"Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019."},{"source_name":"Group IB Gustuff Mar 2019","url":"https://www.group-ib.com/blog/gustuff","description":"Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019."},{"source_name":"eset-finance","url":"https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/","description":"Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018."},{"source_name":"Hassell-ExploitingAndroid","url":"https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf","description":"R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019."},{"source_name":"XDA Bubbles","url":"https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/","description":"Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019."},{"source_name":"NowSecure Android Overlay","url":"https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/","description":"Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. 
Retrieved September 18, 2019."},{"source_name":"ThreatFabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019."},{"source_name":"StackOverflow-getRunningAppProcesses","url":"http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag","description":"Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017."},{"source_name":"Skycure-Accessibility","url":"https://www.skycure.com/blog/accessibility-clickjacking/","description":"Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-31"}],"x_mitre_deprecated":false,"revoked":true,"description":"The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. 
The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. 
This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)","modified":"2022-04-05T19:52:32.190Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Input Prompt","x_mitre_detection":"The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-14T16:39:22.707Z","name":"Exfiltration Over Alternative Protocol","description":"Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. 
Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"exfiltration"}],"x_mitre_deprecated":false,"x_mitre_detection":"[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d","created":"2022-04-06T13:19:33.785Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1639","external_id":"T1639"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html","external_id":"APP-30"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-02-20T23:39:08.047Z","name":"Internet Connection Discovery","description":"Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using `adb shell netstat` for Android.(Citation: adb_commands)\n\nAdversaries may use the results and responses from these requests to determine if the mobile devices are capable of communicating with adversary-owned C2 servers before attempting to connect to them. 
The results may also be used to identify routes, redirectors, and proxy servers.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","created":"2024-02-20T23:39:08.047Z","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1422/001","external_id":"T1422.001"},{"source_name":"adb_commands","description":"Pulimet. (2017, September 11). AdbCommands. Retrieved December 14, 2023.","url":"https://gist.github.com/Pulimet/5013acf2cd5b28e55036c82c91bd56d8"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09","type":"attack-pattern","created":"2017-10-25T14:48:24.069Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1460","external_id":"T1460"}],"modified":"2018-10-17T01:05:10.703Z","name":"Biometric Spoofing","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"modified":"2023-03-16T18:26:46.043Z","name":"Boot or Logon Initialization Scripts","description":"Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. 
","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5","created":"2017-10-25T14:48:31.294Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1398","external_id":"T1398"},{"source_name":"Android-VerifiedBoot","description":"Android. (n.d.). Verified Boot. Retrieved December 21, 2016.","url":"https://source.android.com/security/verifiedboot/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html","external_id":"APP-26"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html","external_id":"APP-27"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:44:26.317Z","name":"Execution Guardrails","description":"Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. 
Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Detecting the use of guardrails may be difficult depending on the implementation. Users can review which applications have location and sensitive phone information permissions in the operating system’s settings menu. Application vetting services can detect unnecessary and potentially permissions or API calls.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--498e7b81-238d-404c-aa5e-332904d63286","created":"2022-03-30T20:31:16.624Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1627","external_id":"T1627"},{"source_name":"SWB Exodus March 2019","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-12T15:20:41.834Z","name":"GUI Input Capture","description":"Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. 
Adversaries can abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"Android users can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \n\nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. 
","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","created":"2022-04-05T19:48:31.195Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1417/002","external_id":"T1417.002"},{"source_name":"Felt-PhishingOnMobileDevices","description":"A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.","url":"http://w2spconf.com/2011/papers/felt-mobilephishing.pdf"},{"source_name":"Android Background","description":"Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.","url":"https://developer.android.com/guide/components/activities/background-starts"},{"source_name":"Cloak and Dagger","description":"Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 12, 2024.","url":"https://cloak-and-dagger.org/"},{"source_name":"Group IB Gustuff Mar 2019","description":"Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.","url":"https://www.group-ib.com/blog/gustuff"},{"source_name":"eset-finance","description":"Lukáš Štefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.","url":"https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/"},{"source_name":"Hassell-ExploitingAndroid","description":"R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. 
Retrieved October 10, 2019.","url":"https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf"},{"source_name":"XDA Bubbles","description":"Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.","url":"https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/"},{"source_name":"NowSecure Android Overlay","description":"Ramirez, T.. (2017, May 25). ‘SAW’-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.","url":"https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/"},{"source_name":"ThreatFabric Cerberus","description":"ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"},{"source_name":"Skycure-Accessibility","description":"Yair Amit. (2016, March 3). “Accessibility Clickjacking” – The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. 
Retrieved December 21, 2016.","url":"https://www.skycure.com/blog/accessibility-clickjacking/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html","external_id":"APP-31"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce","created":"2017-10-25T14:48:11.535Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1432","url":"https://attack.mitre.org/techniques/T1432"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-13"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.","modified":"2022-04-01T13:19:41.180Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Access Contact List","x_mitre_detection":"On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.","kill_chain_phases":[{"phase_name":"collection","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T15:20:11.752Z","name":"Compromise Client Software Binary","description":"Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_deprecated":false,"x_mitre_detection":"Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Application vetting services could detect applications trying to modify files in protected parts of the operating system.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","created":"2022-03-30T19:53:27.791Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1645","external_id":"T1645"},{"source_name":"Android-VerifiedBoot","description":"Android. 
(n.d.). Verified Boot. Retrieved December 21, 2016.","url":"https://source.android.com/security/verifiedboot/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html","external_id":"APP-27"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:54:40.501Z","name":"Software Packing","description":"Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for known software packers or artifacts of packing techniques. 
Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["iOS","Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--51636761-2e35-44bf-9e56-e337adf97174","created":"2022-03-30T19:20:37.864Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1406/002","external_id":"T1406.002"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac","type":"attack-pattern","created":"2017-10-25T14:48:16.288Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1445","external_id":"T1445"}],"modified":"2018-10-17T01:05:10.701Z","name":"Abuse of iOS Enterprise App Signing Key","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5","created":"2017-10-25T14:48:09.864Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1450","url":"https://attack.mitre.org/techniques/T1450"},{"source_name":"3GPP-Security","url":"http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf","description":"3GPP. (2000, January). A Guide to 3rd Generation Security. 
Retrieved December 19, 2016."},{"source_name":"CSRIC5-WG10-FinalReport","url":"https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf","description":"Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017."},{"source_name":"CSRIC-WG1-FinalReport","description":"CSRIC-WG1-FinalReport"},{"source_name":"Positive-SS7","url":"https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf","description":"Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016."},{"source_name":"Engel-SS7-2008","url":"https://www.youtube.com/watch?v=q0n5ySqbfdI","description":"Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016."},{"source_name":"Engel-SS7","url":"https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf","description":"Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html","source_name":"NIST Mobile Threat Catalogue","external_id":"CEL-38"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. 
(Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)","modified":"2022-04-05T19:54:12.657Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Exploit SS7 to Track Device Location","x_mitre_detection":"Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"network-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb","created":"2020-04-28T14:35:37.309Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"T1575","url":"https://attack.mitre.org/techniques/T1575"},{"source_name":"Google NDK Getting Started","url":"https://developer.android.com/ndk/guides","description":"Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020."},{"source_name":"MITRE App Vetting Effectiveness","url":"https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf","description":"M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. 
Retrieved April 28, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)","modified":"2022-04-08T15:46:24.495Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Native API","x_mitre_detection":"This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"execution"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.2","external_references":[{"source_name":"mitre-attack","external_id":"T1476","url":"https://attack.mitre.org/techniques/T1476"},{"source_name":"IBTimes-ThirdParty","url":"https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861","description":"A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018."},{"source_name":"TrendMicro-RootingMalware","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/","description":"Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018."},{"source_name":"android-trojan-steals-paypal-2fa","url":"https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/","description":"Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019."},{"source_name":"TrendMicro-FlappyBird","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/","description":"Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. 
Retrieved November 8, 2018."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html","source_name":"NIST Mobile Threat Catalogue","external_id":"AUT-9"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-13"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-21"}],"x_mitre_deprecated":true,"revoked":false,"description":"Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. 
SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)","modified":"2022-04-06T15:41:16.863Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Deliver Malicious App via Other Means","x_mitre_detection":"* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067","created":"2017-10-25T14:48:07.827Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1469","url":"https://attack.mitre.org/techniques/T1469"},{"source_name":"Honan-Hacking","url":"https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/","description":"Mat Honan. (2012, August 6). How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-5"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html","source_name":"NIST Mobile Threat Catalogue","external_id":"EMM-7"}],"x_mitre_deprecated":true,"revoked":false,"description":"An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).","modified":"2022-04-06T15:54:28.187Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Remotely Wipe Data Without Authorization","x_mitre_detection":"Google provides the ability for users to view their general account activity. 
Apple iCloud also provides notifications to users of account activity.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"remote-service-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-28T17:02:58.893Z","name":"Exploitation for Client Execution","description":"Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. \n\nAdversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution. \n\n### SMS/iMessage Delivery \n\nSMS and iMessage in iOS are common targets through [Drive-By Compromise](https://attack.mitre.org/techniques/T1456), [Phishing](https://attack.mitre.org/techniques/T1660), etc. Adversaries may use embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required. \n\n### AirDrop \n\nUnique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. 
Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"execution"}],"x_mitre_contributors":["Giorgi Gurgenidze, ISAC"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b","created":"2023-08-23T22:13:27.313Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1658","external_id":"T1658"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:57:14.285Z","name":"Proxy Through Victim","description":"Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. 
On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a","created":"2020-11-30T14:26:07.728Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1604","external_id":"T1604"},{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de","created":"2019-09-23T13:11:43.694Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1520","url":"https://attack.mitre.org/techniques/T1520"},{"source_name":"Data Driven Security DGA","url":"https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/","description":"Jacobs, J. (2014, October 2). 
Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019."},{"source_name":"securelist rotexy 2018","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019."}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.","modified":"2022-04-05T20:03:46.788Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Domain Generation Algorithms","x_mitre_detection":"Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--62adb627-f647-498e-b4cc-41499361bacb","created":"2017-10-25T14:48:20.727Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1435","url":"https://attack.mitre.org/techniques/T1435"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-13"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.","modified":"2022-04-01T12:50:48.453Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Access Calendar Entries","x_mitre_detection":"On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.","kill_chain_phases":[{"phase_name":"collection","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3","created":"2017-10-25T14:48:21.354Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1465","url":"https://attack.mitre.org/techniques/T1465"},{"source_name":"Kaspersky-DarkHotel","url":"https://blog.kaspersky.com/darkhotel-apt/6613/","description":"Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016."},{"source_name":"NIST-SP800153","url":"http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf","description":"M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). 
Retrieved December 24, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html","source_name":"NIST Mobile Threat Catalogue","external_id":"LPN-0"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).","modified":"2022-04-06T15:51:11.938Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Rogue Wi-Fi Access Points","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"network-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:54:25.564Z","name":"Foreground Persistence","description":"Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android’s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. 
This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_contributors":["Lorin Wu, Trend Micro"],"x_mitre_deprecated":false,"x_mitre_detection":"Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e","created":"2019-11-19T17:32:20.373Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1541","external_id":"T1541"},{"source_name":"Android-SensorsOverview","description":"Google. (n.d.). Sensors Overview. Retrieved November 19, 2019.","url":"https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices"},{"source_name":"Android-ForegroundServices","description":"Google. (n.d.). Services overview. Retrieved November 19, 2019.","url":"https://developer.android.com/guide/components/services.html#Foreground"},{"source_name":"TrendMicro-Yellow Camera","description":"Song Wang. (2019, October 18). 
Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/"},{"source_name":"BlackHat Sutter Android Foreground 2019","description":"Thomas Sutter. (2019, December). Simple Spyware Androids Invisible Foreground Services and How to (Ab)use Them. Retrieved December 26, 2019.","url":"https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html","external_id":"APP-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-07T17:13:04.396Z","name":"Replication Through Removable Media","description":"Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. 
In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"lateral-movement"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d","created":"2017-10-25T14:48:23.233Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1458","external_id":"T1458"},{"source_name":"Krebs-JuiceJacking","description":"Brian Krebs. (2011, August 17). Beware of Juice-Jacking. 
Retrieved December 23, 2016.","url":"http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/"},{"source_name":"GoogleProjectZero-OATmeal","description":"Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.","url":"https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html"},{"source_name":"Lau-Mactans","description":"Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.","url":"https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf"},{"source_name":"Computerworld-iPhoneCracking","description":"Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology – and police are buying. Retrieved September 21, 2018.","url":"https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html"},{"source_name":"IBM-NexusUSB","description":"Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. 
Retrieved January 11, 2017.","url":"https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html","external_id":"PHY-1"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html","external_id":"PHY-2"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html","external_id":"STA-6"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-16T13:31:29.924Z","name":"Audio Capture","description":"Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. 
With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. 
","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"3.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","created":"2017-10-25T14:48:12.913Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1429","external_id":"T1429"},{"source_name":"Manifest.permission","description":"Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022.","url":"https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL"},{"source_name":"Requesting Auth-Media Capture","description":"Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. Retrieved April 1, 2022.","url":"https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios"},{"source_name":"Android Permissions","description":"Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.","url":"https://developer.android.com/reference/android/Manifest.permission"},{"source_name":"Android Privacy Indicators","description":"Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.","url":"https://source.android.com/devices/tech/config/privacy-indicators"},{"source_name":"iOS Mic Spyware","description":"ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. 
Retrieved April 1, 2022.","url":"https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html","external_id":"APP-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:59:46.686Z","name":"Hijack Execution Flow","description":"Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. 
Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd","created":"2022-03-30T14:49:18.650Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1625","external_id":"T1625"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html","external_id":"APP-27"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-07T22:48:30.418Z","name":"Unix Shell","description":"Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. 
\n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"execution"}],"x_mitre_deprecated":false,"x_mitre_detection":"Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","created":"2022-03-30T13:59:50.479Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1623/001","external_id":"T1623.001"},{"source_name":"Samsung Knox Mobile Threat Defense","description":"Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.","url":"https://partner.samsungknox.com/mtd"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673","created":"2017-10-25T14:48:33.158Z","x_mitre_version":"1.2","external_references":[{"source_name":"mitre-attack","external_id":"T1437","url":"https://attack.mitre.org/techniques/T1437"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-29"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. \n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.","modified":"2022-04-19T20:03:51.831Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Application Layer Protocol","x_mitre_detection":"Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. 
Enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"phase_name":"command-and-control","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2","type":"attack-pattern","created":"2017-10-25T14:48:11.861Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1431","external_id":"T1431"}],"modified":"2018-10-17T01:05:10.699Z","name":"App Delivered via Web Download","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"modified":"2023-08-08T16:23:41.271Z","name":"Download New Code at Runtime","description":"Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView’s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. 
(Citation: FireEye-JSPatch) ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.5","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","created":"2017-10-25T14:48:14.460Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1407","external_id":"T1407"},{"source_name":"FireEye-JSPatch","description":"Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. 
Retrieved December 9, 2016.","url":"https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html","external_id":"APP-20"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-12-05T22:14:54.813Z","name":"Exploitation for Initial Access","description":"Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. \n\nThis can be accomplished in a variety of ways. Vulnerabilities may be present in applications, services, the underlying operating system, or in the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Further, some exploits may be possible to exploit without any user interaction (zero-click), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited. 
","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe","created":"2023-12-05T22:14:54.813Z","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1664","external_id":"T1664"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a","created":"2017-10-25T14:48:21.023Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1468","url":"https://attack.mitre.org/techniques/T1468"},{"source_name":"Krebs-Location","url":"https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/","description":"Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. 
Retrieved November 8, 2018."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-5"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html","source_name":"NIST Mobile Threat Catalogue","external_id":"EMM-7"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)","modified":"2022-04-05T19:40:25.068Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Remotely Track Device Without Authorization","x_mitre_detection":"Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"remote-service-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:51:04.432Z","name":"System Checks","description":"Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware’s behavior to disengage from the victim or conceal the core functions of the implant. 
They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","created":"2022-03-30T17:53:35.582Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1633/001","external_id":"T1633.001"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:53:16.029Z","name":"Stored Application Data","description":"Adversaries may try to access and collect application data resident on the device. 
Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 777) \n* The adversary gains root permissions on the device ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"3.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","created":"2017-10-25T14:48:15.402Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1409","external_id":"T1409"},{"source_name":"SWB Exodus March 2019","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html","external_id":"AUT-0"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:57:43.022Z","name":"Screen Capture","description":"Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"The user can view a list of apps with accessibility service privileges in the device settings. 
Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.3","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","created":"2019-08-08T18:34:14.178Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1513","external_id":"T1513"},{"source_name":"Android ScreenCap2 2019","description":"Android Developers. (n.d.). Android Debug Bridge (adb). Retrieved August 8, 2019.","url":"https://developer.android.com/studio/command-line/adb"},{"source_name":"Android ScreenCap1 2019","description":"Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019.","url":"https://developer.android.com/reference/android/media/projection/MediaProjectionManager"},{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"},{"source_name":"Fortinet screencap July 2019","description":"Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019.","url":"https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html"},{"source_name":"Trend Micro ScreenCap July 2015","description":"Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved August 8, 2019.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html","external_id":"APP-40"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:44:26.748Z","name":"Transmitted Data Manipulation","description":"Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. 
Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_deprecated":false,"x_mitre_detection":"Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6","created":"2022-04-06T13:39:39.779Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1641/001","external_id":"T1641.001"},{"source_name":"ESET Clipboard Modification February 2019","description":"ESET. (2019, February 11). First clipper malware discovered on Google Play.. 
Retrieved July 26, 2019.","url":"https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69","created":"2017-10-25T14:48:07.460Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1452","url":"https://attack.mitre.org/techniques/T1452"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. 
This technique likely requires privileged access (a rooted or jailbroken device).","modified":"2022-04-06T13:57:24.726Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Manipulate App Store Rankings or Ratings","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58","created":"2017-10-25T14:48:32.008Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"T1416","url":"https://attack.mitre.org/techniques/T1416"},{"source_name":"Trend Micro iOS URL Hijacking","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/","description":"L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020."},{"source_name":"IETF-PKCE","url":"https://tools.ietf.org/html/rfc7636","description":"N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. 
If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)","modified":"2022-04-01T15:17:21.508Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"URI Hijacking","x_mitre_detection":"On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T15:28:54.940Z","name":"Compromise Software Dependencies and Development Tools","description":"Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Usage of insecure or malicious third-party libraries could be detected by application vetting services. 
Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3","created":"2022-03-28T19:31:51.978Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1474/001","external_id":"T1474.001"},{"source_name":"Grace-Advertisement","description":"M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved December 22, 2016.","url":"https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html","external_id":"APP-6"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html","external_id":"SPC-0"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html","external_id":"SPC-3"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html","external_id":"SPC-9"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html","external_id":"SPC-10"},{"source_name":"NIST Mobile Threat 
Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html","external_id":"SPC-15"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b","created":"2019-10-02T14:46:43.632Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1523","url":"https://attack.mitre.org/techniques/T1523"},{"source_name":"Sophos Anti-emulation","url":"https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/","description":"Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019."},{"source_name":"Xiao-ZergHelper","url":"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/","description":"Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016."},{"source_name":"Cyberscoop Evade Analysis January 2019","url":"https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/","description":"Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019."},{"source_name":"ThreatFabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019."},{"source_name":"Github Anti-emulator","url":"https://github.com/strazzere/anti-emulator","description":"Tim Strazzere. (n.d.). 
Android Anti-Emulator. Retrieved October 2, 2019."},{"source_name":"Talos Gustuff Apr 2019","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019."}],"x_mitre_deprecated":false,"revoked":true,"description":"Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n","modified":"2022-03-30T17:54:56.590Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Evade Analysis Environment","x_mitre_detection":"Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:43:49.443Z","name":"URI Hijacking","description":"Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_contributors":["Leo Zhang, Trend Micro","Steven Du, Trend Micro"],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. 
(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5","created":"2022-04-01T15:15:35.640Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1635/001","external_id":"T1635.001"},{"source_name":"Android-AppLinks","description":"Android. (n.d.). Handling App Links. Retrieved December 21, 2016.","url":"https://developer.android.com/training/app-links/index.html"},{"source_name":"Trend Micro iOS URL Hijacking","description":"L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"},{"source_name":"IETF-PKCE","description":"N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.","url":"https://tools.ietf.org/html/rfc7636"},{"source_name":"IETF-OAuthNativeApps","description":"W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.","url":"https://tools.ietf.org/html/rfc8252"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:52:52.097Z","name":"Subvert Trust Controls","description":"Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. 
Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1","created":"2022-03-30T18:05:46.795Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1632","external_id":"T1632"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html","external_id":"STA-7"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44","created":"2017-10-25T14:48:11.116Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1433","url":"https://attack.mitre.org/techniques/T1433"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-13"}],"x_mitre_deprecated":false,"revoked":true,"description":"On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the 
data.","modified":"2022-04-01T13:14:43.174Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Access Call Log","x_mitre_detection":"On Android 6.0 and up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31","created":"2020-09-11T15:04:14.532Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1581","url":"https://attack.mitre.org/techniques/T1581"},{"source_name":"Lookout eSurv","url":"https://blog.lookout.com/esurv-research","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020."},{"source_name":"Apple Location Services","url":"https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services","description":"Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020."},{"source_name":"Android Geofencing API","url":"https://developer.android.com/training/location/geofencing","description":"Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020."}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may use a device’s geographical location to limit certain malicious behaviors. 
For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include “Allow only while using the app”, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.","modified":"2022-03-30T20:43:31.244Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Geofencing","x_mitre_detection":"Users can review which applications have location permissions in the operating system’s settings menu. 
On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483","created":"2017-10-25T14:48:29.774Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"T1401","url":"https://attack.mitre.org/techniques/T1401"},{"source_name":"Android DeviceAdminInfo","url":"https://developer.android.com/reference/android/app/admin/DeviceAdminInfo","description":"Google. (n.d.). DeviceAdminInfo. Retrieved November 20, 2020."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-22"}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device’s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. 
In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.","modified":"2022-04-01T16:52:36.965Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Device Administrator Permissions","x_mitre_detection":"Users can see when an app requests device administrator permissions. Users can also view which apps have device administrator permissions in the settings menu.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"privilege-escalation"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16","type":"attack-pattern","created":"2017-10-25T14:48:34.830Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1443","external_id":"T1443"}],"modified":"2018-10-17T01:05:10.701Z","name":"Remotely Install Application","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"modified":"2023-03-20T18:45:39.362Z","name":"Keychain","description":"Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. 
By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66","created":"2022-04-01T15:01:32.169Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1634/001","external_id":"T1634.001"},{"source_name":"Apple Keychain Services","description":"Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020.","url":"https://developer.apple.com/documentation/security/keychain_services"},{"source_name":"Elcomsoft Decrypt Keychain","description":"V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. 
Retrieved June 24, 2020.","url":"https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html","external_id":"AUT-11"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6","created":"2017-10-25T14:48:29.092Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1403","url":"https://attack.mitre.org/techniques/T1403"},{"source_name":"Sabanal-ART","url":"https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf","description":"Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016."}],"x_mitre_deprecated":true,"revoked":false,"description":"ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. 
Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)","modified":"2022-04-06T15:46:29.338Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Modify Cached Executable Code","x_mitre_detection":"Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05","type":"attack-pattern","created":"2017-10-25T14:48:28.456Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":true,"external_references":[{"external_id":"T1419","url":"https://attack.mitre.org/techniques/T1419","source_name":"mitre-mobile-attack"},{"url":"https://developer.android.com/reference/android/os/Build","description":"Android. (n.d.). Build. Retrieved December 21, 2016.","source_name":"Android-Build"}],"modified":"2019-10-16T13:24:48.936Z","name":"Device Type Discovery","description":"On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). 
Device information could be used to target privilege escalation exploits.","kill_chain_phases":[{"phase_name":"discovery","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5","created":"2020-05-04T13:49:34.706Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1576","url":"https://attack.mitre.org/techniques/T1576"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-43"}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:\n\n* Abusing device owner permissions to perform silent uninstallation using device owner API calls.\n* Abusing root permissions to delete files from the filesystem.\n* Abusing the accessibility service. 
This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.","modified":"2022-03-30T19:34:09.371Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Uninstall Malicious Application","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--8e27551a-5080-4148-a584-c64348212e4f","created":"2017-10-25T14:48:31.694Z","x_mitre_version":"2.1","external_references":[{"source_name":"mitre-attack","external_id":"T1447","url":"https://attack.mitre.org/techniques/T1447"},{"source_name":"Android DevicePolicyManager 2019","url":"https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html","description":"Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019."}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. 
The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.","modified":"2022-03-30T19:50:37.727Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Delete Device Data","x_mitre_detection":"Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274","created":"2017-10-25T14:48:09.082Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"T1448","url":"https://attack.mitre.org/techniques/T1448"},{"source_name":"Google Bread","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html","description":"A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020."},{"source_name":"AndroidSecurity2014","url":"https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf","description":"Google. (2014). Android Security 2014 Year in Review. 
Retrieved December 12, 2016."}],"x_mitre_deprecated":false,"revoked":true,"description":"A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. 
Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).","modified":"2022-04-06T13:57:38.841Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Carrier Billing Fraud","x_mitre_detection":"Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e","type":"attack-pattern","created":"2017-10-25T14:48:17.533Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1415","external_id":"T1415"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html","source_name":"NIST Mobile Threat Catalogue","external_id":"AUT-10"},{"source_name":"FireEye-Masque2","description":"Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. 
Retrieved December 21, 2016.","url":"https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html"},{"source_name":"Dhanjani-URLScheme","description":"Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple’s iOS. Retrieved December 21, 2016.","url":"http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"},{"source_name":"IETF-PKCE","description":"N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.","url":"https://tools.ietf.org/html/rfc7636"},{"source_name":"MobileIron-XARA","description":"Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.","url":"https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures"}],"modified":"2020-10-23T15:05:40.674Z","name":"URL Scheme Hijacking","description":"An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_version":"1.1","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_is_subtechnique":false},{"modified":"2023-08-14T16:34:55.968Z","name":"Bidirectional Communication","description":"Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. 
Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device 
Access"],"type":"attack-pattern","id":"attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee","created":"2022-04-06T15:47:06.071Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1481/002","external_id":"T1481.002"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-08T19:21:40.736Z","name":"Non-Standard Port","description":"Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. 
Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","created":"2019-08-01T13:44:09.368Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1509","external_id":"T1509"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T15:32:37.109Z","name":"Compromise Software Supply Chain","description":"Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services can detect malicious code in applications. 
System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","created":"2022-03-28T19:25:17.596Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1474/003","external_id":"T1474.003"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html","external_id":"SPC-4"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html","external_id":"SPC-11"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html","external_id":"SPC-12"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html","external_id":"SPC-18"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html","external_id":"SPC-20"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-14T16:33:56.861Z","name":"Dead Drop Resolver","description":"Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. 
Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. 
","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5","created":"2022-04-06T15:41:03.914Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1481/001","external_id":"T1481.001"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:50:21.363Z","name":"Location Tracking","description":"Adversaries may track a device’s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device’s physical location. 
On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application’s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. 
\n\n \n\nIn both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","created":"2017-10-25T14:48:12.267Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1430","external_id":"T1430"},{"source_name":"Palo Alto HenBox","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"},{"source_name":"Android Request Location Permissions","description":"Android Developers. (2022, March 24). Request Location Permissions. Retrieved April 1, 2022.","url":"https://developer.android.com/training/location/permissions"},{"source_name":"Apple Requesting Authorization for Location Services","description":"Apple Developers. (n.d.). Requesting Authorization for Location Services. Retrieved April 1, 2022.","url":"https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services"},{"source_name":"Google Project Zero Insomnia","description":"I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"},{"source_name":"PaloAlto-SpyDealer","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.","url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html","external_id":"APP-24"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T15:56:34.537Z","name":"Device Administrator Permissions","description":"Adversaries may abuse Android’s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device’s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"privilege-escalation"}],"x_mitre_deprecated":false,"x_mitre_detection":"Users are prompted for approval when an application requests device administrator permissions. Users can see which applications are registered as device administrators in the device settings. Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application’s manifest. 
This indicates it can prompt the user for device administrator permissions.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","created":"2022-04-01T15:59:05.830Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1626/001","external_id":"T1626.001"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html","external_id":"APP-22"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1","created":"2017-10-25T14:48:17.886Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"T1446","url":"https://attack.mitre.org/techniques/T1446"},{"source_name":"Xiao-KeyRaider","url":"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/","description":"Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016."},{"source_name":"Android resetPassword","url":"https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)","description":"Google. (n.d.). DevicePolicyManager. 
Retrieved October 1, 2019."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-28"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)","modified":"2022-04-01T18:49:51.039Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Device Lockout","x_mitre_detection":"On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:58:20.113Z","name":"Remote Device Management Services","description":"An adversary may use access to cloud services (e.g. 
Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f","created":"2022-04-05T19:37:15.984Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1430/001","external_id":"T1430.001"},{"source_name":"Krebs-Location","description":"Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. 
Retrieved November 8, 2018.","url":"https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html","external_id":"ECO-5"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html","external_id":"EMM-7"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-27T21:09:27.288Z","name":"Data Destruction","description":"Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. \n\nTo achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. 
For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f) ` to delete specific files, further hiding malicious activity.(Citation: rootnik_rooting_tool)(Citation: abuse_native_linux_tools)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_contributors":["Liran Ravich, CardinalOps"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.0","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242","created":"2023-09-22T19:09:15.698Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1662","external_id":"T1662"},{"source_name":"rootnik_rooting_tool","description":"Hu, W., et al. (2015, December 4). Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information. Retrieved September 26, 2023.","url":"https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/"},{"source_name":"abuse_native_linux_tools","description":"Surana, N., et al. (2022, September 8). How Malicious Actors Abuse Native Linux Tools in Attacks. 
Retrieved September 26, 2023.","url":"https://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--a0464539-e1b7-4455-a355-12495987c300","created":"2017-10-25T14:48:13.625Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1427","url":"https://attack.mitre.org/techniques/T1427"},{"source_name":"ArsTechnica-PoisonTap","url":"http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/","description":"Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016."},{"source_name":"Wang-ExploitingUSB","url":"http://dl.acm.org/citation.cfm?id=1920314","description":"Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. Retrieved December 22, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html","source_name":"NIST Mobile Threat Catalogue","external_id":"PHY-2"}],"x_mitre_deprecated":true,"revoked":false,"description":"With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. 
We are unaware of any demonstrations on iOS.","modified":"2022-04-06T15:39:14.695Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Attack PC via USB Connection","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"lateral-movement"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881","type":"attack-pattern","created":"2017-10-25T14:48:05.928Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1441","external_id":"T1441"}],"modified":"2018-10-17T01:05:10.700Z","name":"Stolen Developer Credentials or Signing Keys","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed","created":"2017-10-25T14:48:22.296Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1467","url":"https://attack.mitre.org/techniques/T1467"},{"source_name":"Computerworld-Femtocell","url":"http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html","description":"Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. 
Retrieved December 24, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html","source_name":"NIST Mobile Threat Catalogue","external_id":"CEL-7"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).","modified":"2022-04-06T15:52:41.578Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Rogue Cellular Base Station","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"network-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Karim Hasanen, @_karimhasanen"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5","created":"2017-10-25T14:48:20.329Z","x_mitre_version":"1.2","external_references":[{"source_name":"mitre-attack","external_id":"T1451","url":"https://attack.mitre.org/techniques/T1451"},{"source_name":"Betanews-Simswap","url":"http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/","description":"Alex Cambell. (2016, February 12). Everything you need to know about SIM swap scams. Retrieved December 12, 2016."},{"source_name":"Krebs-SimSwap","url":"https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/","description":"Brian Krebs. (2018, May 18). T-Mobile Employee Made Unauthorized ‘SIM Swap’ to Steal Instagram Account. 
Retrieved November 8, 2018."},{"source_name":"TechCrunch-SimSwap","url":"https://techcrunch.com/2017/08/23/i-was-hacked/","description":"John Biggs. (2017, August 23). I was hacked. Retrieved November 8, 2018."},{"source_name":"Motherboard-Simswap2","url":"https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam","description":"Lorenzo Franceschi-Bicchierai. (2018, August 3). How Criminals Recruit Telecom Employees to Help Them Hijack SIM Cards. Retrieved August 11, 2018."},{"source_name":"Motherboard-Simswap1","url":"https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin","description":"Lorenzo Franceschi-Bicchierai. (2018, July 17). The SIM Hijackers. Retrieved August 11, 2018."},{"source_name":"Guardian-Simswap","url":"https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters","description":"Miles Brignall. (2016, April 16). Sim-swap fraud claims another mobile banking victim. Retrieved December 12, 2016."},{"source_name":"NYGov-Simswap","url":"http://www.dos.ny.gov/consumerprotection/scams/att-sim.html","description":"New York Department of State. (2016, February 12). AT&T SIM-Card Switch Scam. Retrieved August 23, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html","source_name":"NIST Mobile Threat Catalogue","external_id":"STA-22"}],"x_mitre_deprecated":true,"revoked":false,"description":"An adversary could convince the mobile network operator (e.g. 
through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap)\n\nOne use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)","modified":"2022-04-06T15:53:54.872Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"SIM Card Swap","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"network-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:44:36.145Z","name":"Input Capture","description":"Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. 
[GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.3","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad","created":"2017-10-25T14:48:27.660Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1417","external_id":"T1417"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html","external_id":"APP-31"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html","external_id":"AUT-13"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:57:17.144Z","name":"Generate Traffic from Victim","description":"Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. 
Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, users can review which applications can use premium SMS features in the “Special access” page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","created":"2022-04-06T13:55:14.390Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1643","external_id":"T1643"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html","external_id":"APP-16"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:18:29.556Z","name":"Disguise Root/Jailbreak Indicators","description":"An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check 
could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile security products can use attestation to detect compromised devices.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9","created":"2022-04-08T16:29:30.087Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1630/003","external_id":"T1630.003"},{"source_name":"Brodie","description":"Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.","url":"https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf"},{"source_name":"Rastogi","description":"Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.","url":"http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"},{"source_name":"Tan","description":"Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. 
Retrieved February 4, 2017.","url":"http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html","external_id":"EMM-5"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"x_mitre_contributors":["Alex Hinchliffe, Palo Alto Networks"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f","created":"2017-10-25T14:48:35.247Z","x_mitre_version":"2.1","external_references":[{"source_name":"mitre-attack","external_id":"T1444","url":"https://attack.mitre.org/techniques/T1444"},{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019."},{"source_name":"Zhou","url":"http://ieeexplore.ieee.org/document/6234407","description":"Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-31"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-14"}],"x_mitre_deprecated":true,"revoked":false,"description":"An adversary could distribute developed malware by masquerading the malware as a legitimate application. 
This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.","modified":"2022-04-06T15:45:52.558Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Masquerade as Legitimate Application","x_mitre_detection":"Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431","type":"attack-pattern","created":"2017-10-25T14:48:19.682Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1457","external_id":"T1457"}],"modified":"2018-10-17T01:05:10.703Z","name":"Malicious Media Content","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"modified":"2023-03-16T18:28:28.234Z","name":"Calendar Entries","description":"Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user’s knowledge or approval. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application’s manifest, or `NSCalendarsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. 
","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","type":"attack-pattern","id":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","created":"2022-04-01T12:48:27.021Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1636/001","external_id":"T1636.001"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html","external_id":"APP-13"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:52:24.758Z","name":"File Deletion","description":"Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. 
Application vetting services could be extra scrutinous of applications that request device administrator permissions.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","created":"2022-03-30T19:36:09.691Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1630/002","external_id":"T1630.002"},{"source_name":"Android DevicePolicyManager 2019","description":"Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019.","url":"https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:39:10.201Z","name":"Device Lockout","description":"An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted “call” notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. 
The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device’s passcode.(Citation: Android resetPassword)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Users can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591","created":"2022-04-01T18:49:03.892Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1629/002","external_id":"T1629.002"},{"source_name":"Microsoft MalLockerB","description":"D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.","url":"https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"},{"source_name":"Android resetPassword","description":"Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.","url":"https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)"},{"source_name":"securelist rotexy 2018","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"},{"source_name":"Talos GPlayed","description":"V. Ventura. (2018, October 11). 
GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html","external_id":"APP-22"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:48:39.936Z","name":"Keylogging","description":"Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. 
On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. \n\nApplication vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","created":"2022-04-05T19:45:03.000Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1417/001","external_id":"T1417.001"},{"source_name":"Zeltser-Keyboard","description":"Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.","url":"https://zeltser.com/third-party-keyboards-security/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html","external_id":"AUT-13"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:58:57.001Z","name":"SMS Control","description":"Adversaries may delete, alter, or send SMS messages without user authorization. 
This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_deprecated":false,"x_mitre_detection":"Users can view the default SMS handler in system settings.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","created":"2020-09-11T15:14:33.730Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1582","external_id":"T1582"},{"source_name":"Android SmsProvider","description":"Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.","url":"https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java"},{"source_name":"SMS KitKat","description":"S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. 
Retrieved September 11, 2020.","url":"https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html","external_id":"APP-16"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html","external_id":"CEL-41"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6","created":"2017-10-25T14:48:14.003Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1408","url":"https://attack.mitre.org/techniques/T1408"},{"source_name":"Brodie","url":"https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf","description":"Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016."},{"source_name":"Rastogi","url":"http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf","description":"Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016."},{"source_name":"Tan","url":"http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions","description":"Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. 
Retrieved February 4, 2017."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html","source_name":"NIST Mobile Threat Catalogue","external_id":"EMM-5"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).","modified":"2022-04-08T16:29:55.321Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Disguise Root/Jailbreak Indicators","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a","created":"2017-10-25T14:48:27.307Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"T1438","url":"https://attack.mitre.org/techniques/T1438"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-30"}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. 
If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. ","modified":"2022-04-18T19:46:02.529Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Exfiltration Over Other Network Medium","x_mitre_detection":"Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"phase_name":"command-and-control","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b","type":"attack-pattern","created":"2017-10-25T14:48:26.473Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1440","external_id":"T1440"}],"modified":"2018-10-17T01:05:10.700Z","name":"Detect App Analysis Environment","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"modified":"2023-03-20T18:55:54.442Z","name":"Process Injection","description":"Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nBoth Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"privilege-escalation"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for misuse of dynamic libraries.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff","created":"2022-03-30T18:50:43.393Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1631","external_id":"T1631"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc","type":"attack-pattern","created":"2017-10-25T14:48:24.905Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1462","external_id":"T1462"}],"modified":"2018-10-17T01:05:10.704Z","name":"Malicious Software Development 
Tools","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303","created":"2022-04-05T20:14:17.310Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1521.001","url":"https://attack.mitre.org/techniques/T1521/001"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.","modified":"2022-04-05T20:14:17.310Z","name":"Symmetric Cryptography","x_mitre_detection":"Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.","kill_chain_phases":[{"phase_name":"command-and-control","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":true,"x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69","created":"2017-10-25T14:48:30.127Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"T1402","url":"https://attack.mitre.org/techniques/T1402"},{"source_name":"Android Changes to System Broadcasts","url":"https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts","description":"Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020."}],"x_mitre_deprecated":false,"revoked":true,"description":"An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. 
Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)","modified":"2022-03-30T14:43:46.019Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Broadcast Receivers","x_mitre_detection":"Broadcast intent receivers are part of standard OS-level APIs and are therefore typically undetectable to the end user.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"execution"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-02-21T20:44:44.404Z","name":"Wi-Fi Discovery","description":"Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Discovery](https://attack.mitre.org/tactics/TA0032) or [Credential Access](https://attack.mitre.org/tactics/TA0031) activity to support both ongoing and future campaigns. 
","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","created":"2024-02-21T20:44:44.404Z","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1422/002","external_id":"T1422.002"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T15:21:12.603Z","name":"Compromise Hardware Supply Chain","description":"Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. 
","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Integrity checking mechanisms can potentially detect unauthorized hardware modifications.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da","created":"2022-03-28T19:30:15.556Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1474/002","external_id":"T1474.002"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html","external_id":"SPC-1"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html","external_id":"SPC-2"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html","external_id":"SPC-4"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html","external_id":"SPC-5"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html","external_id":"SPC-6"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html","external_id":"SPC-7"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html","external_id":"SPC-8"},{"source_name":"NIST Mobile Threat 
Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html","external_id":"SPC-13"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html","external_id":"SPC-16"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html","external_id":"SPC-17"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html","external_id":"SPC-21"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-12T15:17:00.569Z","name":"Clipboard Data","description":"Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device’s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. 
For example, if the user copies the text of an iMessage from the Messages application, the notification will read “application_name has pasted from Messages” when the text was pasted in a different application.(Citation: UIPPasteboard)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could detect usage of standard clipboard APIs.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"3.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692","created":"2017-10-25T14:48:19.996Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1414","external_id":"T1414"},{"source_name":"Android 10 Privacy Changes","description":"Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.","url":"https://developer.android.com/about/versions/10/privacy/changes#clipboard-data"},{"source_name":"UIPPasteboard","description":"Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022.","url":"https://developer.apple.com/documentation/uikit/uipasteboard"},{"source_name":"Fahl-Clipboard","description":"Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved September 12, 2024.","url":"https://saschafahl.de/static/paper/pwmanagers2013.pdf"},{"source_name":"Github Capture Clipboard 2019","description":"Pearce, G. (, January). 
Retrieved August 8, 2019.","url":"https://github.com/grepx/android-clipboard-security"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html","external_id":"APP-35"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0","created":"2017-10-25T14:48:30.890Z","x_mitre_version":"1.2","external_references":[{"source_name":"mitre-attack","external_id":"T1400","url":"https://attack.mitre.org/techniques/T1400"},{"source_name":"Android-VerifiedBoot","url":"https://source.android.com/security/verifiedboot/","description":"Android. (n.d.). Verified Boot. Retrieved December 21, 2016."},{"source_name":"Apple-iOSSecurityGuide","url":"https://www.apple.com/business/docs/iOS_Security_Guide.pdf","description":"Apple. (2016, May). iOS Security. Retrieved December 21, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-27"}],"x_mitre_deprecated":false,"revoked":true,"description":"If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. 
Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.","modified":"2022-03-30T15:18:21.242Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Modify System Partition","x_mitre_detection":"Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T15:55:32.497Z","name":"Data Manipulation","description":"Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. 
For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36","created":"2022-04-06T13:34:46.021Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1641","external_id":"T1641"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:58:33.873Z","name":"SMS Messages","description":"Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user’s knowledge or approval. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. 
Application vetting services could look for `android.permission.READ_SMS` in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","type":"attack-pattern","id":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","created":"2022-04-01T13:25:30.923Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1636/004","external_id":"T1636.004"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html","external_id":"APP-13"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-14T16:31:37.317Z","name":"Web Service","description":"Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). 
\n\n ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.3","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380","created":"2019-02-01T17:29:43.503Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1481","external_id":"T1481"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-08T19:20:51.220Z","name":"System Runtime API Hijacking","description":"Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. \n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary’s code will be executed every time the overwritten API function is called by an app on the infected device.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. 
","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831","created":"2022-03-30T15:07:51.646Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1625/001","external_id":"T1625.001"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html","external_id":"APP-27"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f","type":"attack-pattern","created":"2017-10-25T14:48:07.149Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1455","external_id":"T1455"}],"modified":"2018-10-17T01:05:10.702Z","name":"Exploit Baseband Vulnerability","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"modified":"2023-09-08T19:19:37.927Z","name":"Credentials from Password Store","description":"Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. 
Once credentials are obtained, they can be used to perform lateral movement and access restricted information.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3","created":"2022-04-01T14:55:10.494Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1634","external_id":"T1634"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html","external_id":"AUT-11"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Hooking","description":"Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. 
By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_detection":"Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_contributors":["Jörg Abraham, EclecticIQ"],"x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea","created":"2021-09-24T14:47:34.182Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1617","external_id":"T1617"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1478","url":"https://attack.mitre.org/techniques/T1478"},{"source_name":"Talos-MDM","url":"https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html","description":"Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. 
Retrieved September 24, 2018."},{"source_name":"Symantec-iOSProfile","url":"https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security","description":"Yair Amit. (2013, March 12). Malicious Profiles – The Sleeping Giant of iOS Security. Retrieved September 24, 2018."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html","source_name":"NIST Mobile Threat Catalogue","external_id":"STA-7"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. 
The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).","modified":"2022-03-30T18:18:15.903Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Install Insecure or Malicious Configuration","x_mitre_detection":"On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.","kill_chain_phases":[{"phase_name":"defense-evasion","kill_chain_name":"mitre-mobile-attack"},{"phase_name":"initial-access","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:53:35.087Z","name":"File and Directory Discovery","description":"Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. 
iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, users are presented with a permissions popup when an application requests access to external device storage.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","created":"2017-10-25T14:48:21.965Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1420","external_id":"T1420"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html","external_id":"STA-41"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-09T14:38:34.859Z","name":"Obfuscated Files or Information","description":"Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. 
Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"3.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","created":"2017-10-25T14:48:32.328Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1406","external_id":"T1406"},{"source_name":"Microsoft MalLockerB","description":"D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . 
Retrieved October 29, 2020.","url":"https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html","external_id":"APP-21"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-08T22:50:32.775Z","name":"Input Injection","description":"A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. 
This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_contributors":["Lukáš Štefanko, ESET"],"x_mitre_deprecated":false,"x_mitre_detection":"Users can view applications that have registered accessibility services in the accessibility menu within the device settings.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","created":"2019-09-15T15:26:22.356Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1516","external_id":"T1516"},{"source_name":"bitwarden autofill logins","description":"Bitwarden. (n.d.). Auto-fill logins on Android . Retrieved September 15, 2019.","url":"https://help.bitwarden.com/article/auto-fill-android/"},{"source_name":"android-trojan-steals-paypal-2fa","description":"Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.","url":"https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"},{"source_name":"Talos Gustuff Apr 2019","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:51:23.109Z","name":"Network Denial of Service","description":"Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer’s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_deprecated":false,"x_mitre_detection":"Unexpected loss of radio signal could indicate that a device is being actively jammed.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.3","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d","created":"2017-10-25T14:48:25.740Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1464","external_id":"T1464"},{"source_name":"CNET-Celljammer","description":"Chris 
Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018.","url":"https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/"},{"source_name":"Arstechnica-Celljam","description":"David Kravets. (2016, March 10). Man accused of jamming passengers’ cell phones on Chicago subway. Retrieved November 8, 2018.","url":"https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/"},{"source_name":"NIST-SP800187","description":"Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.","url":"http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf"},{"source_name":"NYTimes-Celljam","description":"Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018.","url":"https://www.nytimes.com/2007/11/04/technology/04jammer.html"},{"source_name":"Digitaltrends-Celljam","description":"Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students’ cell phones. 
Retrieved November 8, 2018.","url":"https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html","external_id":"CEL-7"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html","external_id":"CEL-8"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html","external_id":"LPN-5"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html","external_id":"GPS-0"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-24T15:09:07.609Z","name":"Compromise Application Executable","description":"Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. 
This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_detection":"This behavior is seamless to the user and is typically undetectable.","x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c","created":"2020-05-07T15:24:49.068Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1577","external_id":"T1577"},{"source_name":"Guardsquare Janus","description":"Guarsquare. (2017, November 13). New Android vulnerability allows attackers to modify apps without affecting their signatures. Retrieved May 7, 2020.","url":"https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures"},{"source_name":"CheckPoint Agent Smith","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_is_subtechnique":false},{"modified":"2023-03-20T18:43:46.177Z","name":"Event Triggered Execution","description":"Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim’s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. 
","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14","created":"2022-03-30T14:25:41.721Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1624","external_id":"T1624"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-02-20T23:35:22.949Z","name":"System Network Configuration Discovery","description":"Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. 
\n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"discovery"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.4","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","created":"2017-10-25T14:48:32.740Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1422","external_id":"T1422"},{"source_name":"NetworkInterface","description":"Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.","url":"https://developer.android.com/reference/java/net/NetworkInterface.html"},{"source_name":"TelephonyManager","description":"Android. (n.d.). TelephonyManager. 
Retrieved December 21, 2016.","url":"https://developer.android.com/reference/android/telephony/TelephonyManager.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63","created":"2017-10-25T14:48:25.322Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1463","url":"https://attack.mitre.org/techniques/T1463"},{"source_name":"FireEye-SSL","url":"https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html","description":"Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-1"}],"x_mitre_deprecated":false,"revoked":true,"description":"If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. 
For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).","modified":"2022-04-06T15:44:48.421Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Manipulate Device Communication","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"network-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:38:27.848Z","name":"Video Capture","description":"An adversary can leverage a device’s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device’s cameras for video recording rather than capturing the victim’s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. 
","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","created":"2019-08-09T16:14:58.254Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1512","external_id":"T1512"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html","external_id":"APP-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-14T16:35:55.739Z","name":"One-Way Communication","description":"Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. 
Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device 
Access"],"type":"attack-pattern","id":"attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e","created":"2022-04-06T15:52:07.711Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1481/003","external_id":"T1481.003"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1475","url":"https://attack.mitre.org/techniques/T1475"},{"source_name":"Oberheide-Bouncer","url":"https://jon.oberheide.org/files/summercon12-bouncer.pdf","description":"Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016."},{"source_name":"Oberheide-RemoteInstall","url":"https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/","description":"Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016."},{"source_name":"Percoco-Bouncer","url":"https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf","description":"Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016."},{"source_name":"Konoth","url":"http://www.vvdveen.com/publications/BAndroid.pdf","description":"Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. 
Retrieved December 12, 2016."},{"source_name":"Petsas","url":"http://dl.acm.org/citation.cfm?id=2592796","description":"Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016."},{"source_name":"Wang","url":"https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei","description":"Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-4"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-16"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-17"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-20"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-21"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html","source_name":"NIST Mobile Threat Catalogue","external_id":"ECO-22"}],"x_mitre_deprecated":true,"revoked":false,"description":"Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). 
An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. 
(Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)","modified":"2022-04-06T15:41:33.827Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Deliver Malicious App via Authorized App Store","x_mitre_detection":"* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T15:55:09.397Z","name":"Data Encrypted for Impact","description":"An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. 
This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"3.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4","created":"2017-10-25T14:48:10.285Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1471","external_id":"T1471"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html","external_id":"APP-28"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-28T15:38:41.106Z","name":"Prevent Application Removal","description":"Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. 
This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_contributors":["Shankar Raman, Gen Digital and Abhinand, Amrita University"],"x_mitre_deprecated":false,"x_mitre_detection":"Users can view a list of device administrators and applications that have registered accessibility services in device settings. Users can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. 
Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","created":"2022-04-01T18:44:32.808Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1629/001","external_id":"T1629.001"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html","external_id":"APP-22"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","created":"2017-10-25T14:48:33.574Z","x_mitre_version":"2.1","external_references":[{"source_name":"mitre-attack","external_id":"T1421","url":"https://attack.mitre.org/techniques/T1421"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. \n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. 
On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. \n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.","modified":"2022-03-31T16:31:12.821Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"System Network Connections Discovery","x_mitre_detection":"System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"phase_name":"discovery","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-29T19:45:39.608Z","name":"Phishing","description":"Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as “spearphishing”. 
Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as “smishing”) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as “quishing”) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user’s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as “vishing”) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. 
This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.\n","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_contributors":["Vijay Lalwani","Will Thomas, Equinix","Adam Mashinchi","Sam Seabrook, Duke Energy","Naveen Devaraja, bolttech","Brian Donohue"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","created":"2023-09-21T19:35:15.552Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1660","external_id":"T1660"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html","external_id":"AUT-9"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-16T20:24:13.854Z","name":"SSL Pinning","description":"Adversaries may use [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) to protect the C2 traffic from being intercepted and analyzed.\n\n[SSL Pinning](https://attack.mitre.org/techniques/T1521/003) is a technique commonly utilized by legitimate websites to ensure that encrypted communications are only allowed with a pre-defined certificate. If another certificate is presented, it could indicate device compromise, traffic interception, or another upstream issue. 
While benign usages are common, it is also possible for adversaries to abuse this technology to protect malicious C2 traffic.\n\nIn normal, not pinned SSL validation, when a client connects to a server using HTTPS, it typically checks whether the server’s SSL/TLS certificate is signed by a trusted Certificate Authority (CA) in the device’s trust store. If the certificate is valid and signed by a trusted CA, the connection is established. However, with [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) , the client is configured to trust a specific SSL/TLS certificate or public key, rather than relying on the device’s trust store. This means that even if the server’s certificate is signed by a trusted CA, the client will only establish the connection of the certificate or key is pinned.\n\nThere are two types of [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) :\n\n1.\tCertificate Pinning: The client stores a copy of the server’s certificate and compares it with the certificate received during the SSL handshake. If the certificates match, then the client proceeds with the connection. This approach also works with self-signed certificates.\n\n2.\tPublic Key Pinning: Instead of pinning the entire certificate, the client pins just the public key extracted from the certificate. 
This is often more flexible, as it allows the server to renew its certificate without having to update the pinned certificate or breaking the SSL connection.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_contributors":["Takahashi Wataru, NEC Corporation","Manikantan Srinivasan, NEC Corporation India","Pooja Natarajan, NEC Corporation India"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002","created":"2024-03-29T15:04:38.566Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1521/003","external_id":"T1521.003"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-10-16T16:23:05.146Z","name":"Lockscreen Bypass","description":"An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism. 
Both iOS and Android partly mitigate this attack by requiring the device’s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (“shoulder surfing”) the device owner’s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Users can see if someone is watching them type in their device passcode.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.3","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd","created":"2017-10-25T14:48:24.488Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1461","external_id":"T1461"},{"source_name":"Wired-AndroidBypass","description":"Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. 
Retrieved December 23, 2016.","url":"https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/"},{"source_name":"Kaspersky-iOSBypass","description":"Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.","url":"https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/"},{"source_name":"TheSun-FaceID","description":"Sean Keach. (2018, February 15). Brit mates BREAK Apple’s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018.","url":"https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/"},{"source_name":"SRLabs-Fingerprint","description":"SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.","url":"https://srlabs.de/bites/spoofing-fingerprints/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe","created":"2020-12-16T20:16:07.673Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1605","url":"https://attack.mitre.org/techniques/T1605"}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s `Runtime` package. 
On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.\n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.","modified":"2022-03-30T14:00:45.099Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Command-Line Interface","x_mitre_detection":"Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"execution"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T15:40:11.937Z","name":"Contact List","description":"Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user’s knowledge or approval. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_deprecated":false,"x_mitre_detection":"On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. 
Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application’s manifest, or `NSContactsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["iOS","Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","created":"2022-04-01T13:17:52.740Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1636/003","external_id":"T1636.003"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html","external_id":"APP-13"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","created":"2019-10-10T15:12:42.790Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1533","url":"https://attack.mitre.org/techniques/T1533"},{"url":"https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html","source_name":"NIST Mobile Threat Catalogue","external_id":"STA-41"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. 
\n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ","modified":"2022-04-01T16:53:27.576Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Data from Local System","x_mitre_detection":"Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-15T16:34:51.917Z","name":"Account Access Removal","description":"Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. 
","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_deprecated":false,"x_mitre_detection":"Application vetting services could closely scrutinize applications that request Device Administrator permissions.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2","created":"2022-04-06T13:29:47.590Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1640","external_id":"T1640"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","created":"2017-10-25T14:48:19.265Z","x_mitre_version":"1.2","external_references":[{"source_name":"mitre-attack","external_id":"T1426","url":"https://attack.mitre.org/techniques/T1426"},{"source_name":"Android-Build","url":"https://developer.android.com/reference/android/os/Build","description":"Android. (n.d.). Build. Retrieved December 21, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-12"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may attempt to get detailed information about a device’s operating system and hardware, including versions, patches, and architecture. 
Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. (Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. ","modified":"2022-04-11T19:21:34.776Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"System Information Discovery","x_mitre_detection":"System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"phase_name":"discovery","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9","type":"attack-pattern","created":"2017-10-25T14:48:28.786Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1442","external_id":"T1442"}],"modified":"2018-10-17T01:05:10.701Z","name":"Fake Developer 
Accounts","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb","created":"2019-07-26T14:15:31.451Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1510","url":"https://attack.mitre.org/techniques/T1510"},{"source_name":"Android 10 Privacy Changes","url":"https://developer.android.com/about/versions/10/privacy/changes#clipboard-data","description":"Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019."},{"source_name":"Dr.Webb Clipboard Modification origin August 2018","url":"https://vms.drweb.com/virus/?i=17517750","description":"Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019."},{"source_name":"Dr.Webb Clipboard Modification origin2 August 2018","url":"https://vms.drweb.com/virus/?i=17517761","description":"Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019."},{"source_name":"ESET Clipboard Modification February 2019","url":"https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/","description":"ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019."},{"source_name":"Welivesecurity Clipboard Modification February 2019","url":"https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/","description":"Lukáš Štefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019."},{"source_name":"Syracuse Clipboard Modification 2014","url":"http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf","description":"Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. 
Retrieved July 26, 2019."}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. 
This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)","modified":"2022-04-06T13:41:17.512Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Clipboard Modification","x_mitre_detection":"Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","created":"2019-10-10T15:00:44.181Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"T1532","url":"https://attack.mitre.org/techniques/T1532"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. 
","modified":"2022-04-01T15:01:02.140Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Archive Collected Data","x_mitre_detection":"Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.","kill_chain_phases":[{"phase_name":"collection","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:58:14.240Z","name":"Geofencing","description":"Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. \n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1627/001) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. 
These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific input prompts and/or advertisements.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"Users can review which applications have location permissions in the operating system’s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. 
Application vetting services can detect unnecessary and potentially abused location permissions or API calls.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","created":"2022-03-30T20:36:03.177Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1627/001","external_id":"T1627.001"},{"source_name":"Lookout eSurv","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.","url":"https://blog.lookout.com/esurv-research"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2","created":"2019-07-10T15:18:16.753Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1507","url":"https://attack.mitre.org/techniques/T1507"}],"x_mitre_deprecated":false,"revoked":true,"description":"Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.","modified":"2022-03-31T16:33:55.068Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Network Information Discovery","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060","created":"2017-10-25T14:48:15.920Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1412","url":"https://attack.mitre.org/techniques/T1412"}],"x_mitre_deprecated":false,"revoked":true,"description":"A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.","modified":"2022-04-01T13:27:29.880Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Capture SMS Messages","x_mitre_detection":"On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"collection"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device 
Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-17T16:50:41.414Z","name":"Conceal Multimedia Files","description":"Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files. \n\nSpecific to Android devices, if the `.nomedia` file is present in a folder, multimedia files in that folder will not be visible to the user in the Gallery application. Additionally, other applications are asked not to scan the folder with the `.nomedia` file, effectively making the folder appear invisible to the user. \n\nThis technique is often used by stalkerware and spyware applications. ","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_contributors":["Shankar Raman, Amrita University, Gen Digital, Traboda"],"x_mitre_deprecated":false,"x_mitre_detection":"","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.0","type":"attack-pattern","id":"attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3","created":"2024-02-20T21:44:32.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1628/003","external_id":"T1628.003"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:41:56.376Z","name":"Endpoint Denial of Service","description":"Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the 
device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, users can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3","created":"2022-04-06T13:52:05.619Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1642","external_id":"T1642"},{"source_name":"Xiao-KeyRaider","description":"Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.","url":"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"},{"source_name":"Android resetPassword","description":"Google. (n.d.). DevicePolicyManager. 
Retrieved October 1, 2019.","url":"https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:53:59.025Z","name":"Out of Band Data","description":"Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. 
","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"If a user sees a notification with text they do not recognize, they should review their list of installed applications.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","created":"2022-04-06T15:27:34.300Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1644","external_id":"T1644"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84","created":"2019-10-01T14:18:47.762Z","x_mitre_version":"2.0","external_references":[{"source_name":"mitre-attack","external_id":"T1521","url":"https://attack.mitre.org/techniques/T1521"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.","modified":"2022-04-05T20:11:35.852Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Encrypted Channel","x_mitre_detection":"Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884","created":"2017-10-25T14:48:22.716Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1405","url":"https://attack.mitre.org/techniques/T1405"},{"source_name":"EkbergTEE","url":"https://usmile.at/symposium/program/2015/ekberg","description":"Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016."},{"source_name":"Thomas-TrustZone","url":"https://usmile.at/symposium/program/2015/thomas-holmes","description":"Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016."},{"source_name":"QualcommKeyMaster","url":"https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html","description":"laginimaineb. (2016, June). 
Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. Retrieved December 9, 2016."},{"source_name":"laginimaineb-TEE","url":"http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html","description":"laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-27"}],"x_mitre_deprecated":true,"revoked":false,"description":"A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).","modified":"2022-04-06T15:41:57.666Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Exploit TEE Vulnerability","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"credential-access"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"privilege-escalation"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-12T19:47:06.884Z","name":"Suppress Application Icon","description":"A malicious application could suppress its icon from being displayed to the user in the application launcher. 
This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. \n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications’ ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application’s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app’s details page in the system settings. If the user clicks the synthesized activity in the launcher, they are taken to the application’s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_contributors":["Emily Ratliff, IBM"],"x_mitre_deprecated":false,"x_mitre_detection":"The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application’s icon, they should inspect the application to ensure it is genuine. 
Application vetting services could potentially detect the usage of APIs intended for suppressing the application’s icon.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","created":"2022-03-30T20:06:22.194Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1628/001","external_id":"T1628.001"},{"source_name":"Android 10 Limitations to Hiding App Icons","description":"Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.","url":"https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons"},{"source_name":"LauncherApps getActivityList","description":"Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022.","url":"https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist"},{"source_name":"sunny-stolen-credentials","description":"Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.","url":"https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/"},{"source_name":"android-trojan-steals-paypal-2fa","description":"Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.","url":"https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"},{"source_name":"bankbot-spybanker","description":"NJCCIC. (2017, March 2). BankBot/Spy Banker. 
Retrieved September 12, 2024.","url":"https://www.cyber.nj.gov/threat-landscape/malware/trojans/bankbot-spy-banker"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468","created":"2017-10-25T14:48:18.583Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1399","url":"https://attack.mitre.org/techniques/T1399"},{"source_name":"Apple-iOSSecurityGuide","url":"https://www.apple.com/business/docs/iOS_Security_Guide.pdf","description":"Apple. (2016, May). iOS Security. Retrieved December 21, 2016."},{"source_name":"Roth-Rootkits","url":"https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf","description":"Thomas Roth. (2013). Next generation mobile rootkits. Retrieved December 21, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html","source_name":"NIST Mobile Threat Catalogue","external_id":"APP-27"}],"x_mitre_deprecated":true,"revoked":false,"description":"If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. 
Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)","modified":"2022-04-06T15:48:41.647Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Modify Trusted Execution Environment","x_mitre_detection":"Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"},{"kill_chain_name":"mitre-mobile-attack","phase_name":"persistence"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a","type":"attack-pattern","created":"2017-10-25T14:48:23.652Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1459","external_id":"T1459"}],"modified":"2018-10-17T01:05:10.703Z","name":"Device Unlock Code Guessing or Brute Force","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34","created":"2017-10-25T14:48:21.667Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1466","url":"https://attack.mitre.org/techniques/T1466"},{"source_name":"NIST-SP800187","url":"http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf","description":"Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. 
(2017, December). Guide to LTE Security. Retrieved January 20, 2017."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html","source_name":"NIST Mobile Threat Catalogue","external_id":"CEL-3"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.","modified":"2022-04-06T15:50:42.480Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Downgrade to Insecure Protocols","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"network-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-08T18:14:46.081Z","name":"Masquerading","description":"Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. 
This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"\n","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.0","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc","created":"2023-07-12T20:29:48.758Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1655","external_id":"T1655"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html","external_id":"APP-14"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html","external_id":"APP-31"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf","created":"2017-10-25T14:48:18.937Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1472","url":"https://attack.mitre.org/techniques/T1472"}],"x_mitre_deprecated":false,"revoked":true,"description":"An adversary could seek to generate fraudulent 
advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.","modified":"2022-04-06T13:57:49.177Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Generate Fraudulent Advertising Revenue","x_mitre_detection":"","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"impact"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_domains":["mobile-attack"],"id":"attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df","type":"attack-pattern","created":"2017-10-25T14:48:09.446Z","revoked":true,"external_references":[{"source_name":"mitre-mobile-attack","url":"https://attack.mitre.org/techniques/T1473","external_id":"T1473"}],"modified":"2018-10-17T01:05:10.704Z","name":"Malicious or Vulnerable Built-in Device Functionality","x_mitre_version":"1.0","x_mitre_is_subtechnique":false},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df","created":"2022-03-30T19:19:23.777Z","x_mitre_version":"1.0","external_references":[{"source_name":"mitre-attack","external_id":"T1406.001","url":"https://attack.mitre.org/techniques/T1406/001"}],"x_mitre_deprecated":false,"revoked":false,"description":"Adversaries may use steganography techniques in order to prevent the detection of hidden information. 
Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.","modified":"2022-04-21T17:30:16.229Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Steganography","x_mitre_detection":"Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. Look for strings are other signatures left in system artifacts related to decoding steganography.","kill_chain_phases":[{"phase_name":"defense-evasion","kill_chain_name":"mitre-mobile-attack"}],"x_mitre_is_subtechnique":true,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android","iOS"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d","created":"2017-10-25T14:48:06.524Z","x_mitre_version":"1.2","external_references":[{"source_name":"mitre-attack","external_id":"T1449","url":"https://attack.mitre.org/techniques/T1449"},{"source_name":"3GPP-Security","url":"http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf","description":"3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016."},{"source_name":"CSRIC5-WG10-FinalReport","url":"https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf","description":"Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017."},{"source_name":"TheRegister-SS7","url":"https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/","description":"Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. 
Retrieved November 8, 2018."},{"source_name":"Positive-SS7","url":"https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf","description":"Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016."},{"source_name":"Engel-SS7-2008","url":"https://www.youtube.com/watch?v=q0n5ySqbfdI","description":"Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016."},{"source_name":"Engel-SS7","url":"https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf","description":"Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016."},{"url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html","source_name":"NIST Mobile Threat Catalogue","external_id":"CEL-37"}],"x_mitre_deprecated":true,"revoked":false,"description":"An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).","modified":"2022-04-06T15:53:27.032Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Exploit SS7 to Redirect Phone Calls/SMS","x_mitre_detection":"Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). 
(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"network-effects"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Without Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-20T18:59:57.485Z","name":"Hide Artifacts","description":"Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application’s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"The user can examine the list of all installed applications in the device settings. 
Application vetting services could potentially detect the usage of APIs intended for artifact hiding.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f","created":"2022-03-30T20:00:12.654Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1628","external_id":"T1628"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-16T18:37:55.822Z","name":"Code Signing Policy Modification","description":"Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_deprecated":false,"x_mitre_detection":"On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. 
Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","created":"2022-03-30T18:13:26.003Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1632/001","external_id":"T1632.001"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html","external_id":"STA-7"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-14T16:19:54.832Z","name":"Domain Generation Algorithms","description":"Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"command-and-control"}],"x_mitre_deprecated":false,"x_mitre_detection":"Detecting 
dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names ","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":true,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"1.1","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--fd211238-f767-4599-8c0d-9dca36624626","created":"2022-04-05T19:59:03.161Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1637/001","external_id":"T1637.001"},{"source_name":"Data Driven Security DGA","description":"Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.","url":"https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"},{"source_name":"securelist rotexy 2018","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-08-07T17:12:07.620Z","name":"Drive-By Compromise","description":"Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. 
Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"initial-access"}],"x_mitre_deprecated":false,"x_mitre_detection":"Mobile security products can often alert the user if their device is vulnerable to known exploits.","x_mitre_domains":["mobile-attack"],"x_mitre_is_subtechnique":false,"x_mitre_platforms":["Android","iOS"],"x_mitre_version":"2.2","x_mitre_tactic_type":["Post-Adversary Device Access"],"type":"attack-pattern","id":"attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57","created":"2017-10-25T14:48:06.822Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/techniques/T1456","external_id":"T1456"},{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"},{"source_name":"NIST Mobile Threat Catalogue","url":"https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html","external_id":"CEL-22"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"x_mitre_platforms":["Android"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"attack-pattern","id":"attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2","created":"2019-07-11T18:09:42.039Z","x_mitre_version":"1.1","external_references":[{"source_name":"mitre-attack","external_id":"T1508","url":"https://attack.mitre.org/techniques/T1508"},{"source_name":"sunny-stolen-credentials","url":"https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/","description":"Lukáš Štefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019."},{"source_name":"android-trojan-steals-paypal-2fa","url":"https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/","description":"Lukáš Štefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019."},{"source_name":"bankbot-spybanker","url":"https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker","description":"NJCCIC. (2017, March 2). BankBot/Spy Banker. 
Retrieved July 11, 2019."}],"x_mitre_deprecated":false,"revoked":true,"description":"A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)","modified":"2022-03-30T20:07:33.279Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","name":"Suppress Application Icon","x_mitre_detection":"The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.","kill_chain_phases":[{"kill_chain_name":"mitre-mobile-attack","phase_name":"defense-evasion"}],"x_mitre_is_subtechnique":false,"x_mitre_tactic_type":["Post-Adversary Device Access"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0008005f-ca51-47c3-8369-55ee5de1c65a","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler-SpyNote","description":"Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.","url":"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:43:54.975Z","description":"[SpyNote RAT](https://attack.mitre.org/software/S0305) uses an Android broadcast receiver to automatically start when the device boots.(Citation: Zscaler-SpyNote)","relationship_type":"uses","source_ref":"malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308","created":"2023-02-06T19:04:33.224Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:06:11.934Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can monitor notifications.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341","type":"relationship","created":"2019-07-16T14:33:12.085Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Triada June 2019","url":"https://security.googleblog.com/2019/06/pha-family-highlights-triada.html","description":"Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019."}],"modified":"2020-04-27T16:52:49.480Z","description":"[Triada](https://attack.mitre.org/software/S0424) utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.(Citation: Google Triada June 2019)","relationship_type":"uses","source_ref":"malware--f082fc59-0317-49cf-971f-a1b6296ebb52","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0100020b-97d4-4657-bc71-c6a1774055a6","created":"2022-04-20T17:36:25.707Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:39:23.114Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has exfiltrated data via both SMTP and HTTP.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--01965668-d033-4aca-a8e5-71a07070e266","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2018-10-17T00:14:20.652Z","relationship_type":"revoked-by","source_ref":"attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09","target_ref":"attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--01fd0686-d67f-4396-8812-3533063dd6b4","created":"2023-08-16T16:38:47.766Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:38:47.766Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can remove artifacts of its presence and uninstall itself.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2","type":"relationship","created":"2020-09-15T15:18:12.398Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason FakeSpy","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020."}],"modified":"2020-09-15T15:18:12.398Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80","type":"relationship","created":"2020-07-20T13:49:03.692Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro-XLoader-FakeSpy","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020."}],"modified":"2020-09-24T15:12:24.191Z","description":"[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device’s Android ID and serial number.(Citation: TrendMicro-XLoader-FakeSpy)","relationship_type":"uses","source_ref":"malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3","created":"2023-02-06T18:50:12.251Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). 
Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-14T14:40:57.100Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can check device system properties to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--022e941f-30c3-45a9-9f6f-36e704b80060","created":"2020-04-24T17:46:31.574Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecurityIntelligence TrickMo","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:44:13.361Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c","created":"2017-10-25T14:48:53.747Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges. 
","modified":"2022-03-30T20:32:46.334Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f","type":"relationship","created":"2020-09-11T14:54:16.640Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020."}],"modified":"2020-09-11T14:54:16.640Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can encrypt exfiltrated data.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0291c9d5-8977-420d-8374-b786e3095a73","created":"2023-03-20T18:49:53.204Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:34:15.917Z","description":"Mobile security products can potentially utilize device APIs to determine if a device has been rooted or 
jailbroken.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-BrainTest","description":"Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.","url":"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}],"modified":"2018-10-17T00:14:20.652Z","description":"Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.(Citation: Lookout-BrainTest)","relationship_type":"uses","source_ref":"malware--e13d084c-382f-40fd-aa9a-98d69e20301e","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc","created":"2021-10-01T14:42:49.174Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList BusyGasper","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:26:41.762Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can abuse existing root access to copy components into the system partition.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--02e4aedc-0674-4598-948b-0a32758af9ca","created":"2022-04-01T13:14:43.195Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T13:14:43.195Z","relationship_type":"revoked-by","source_ref":"attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b","type":"relationship","created":"2020-12-24T22:04:27.914Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:27.914Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--03172b09-4f97-4fb8-95f0-92b2d8957408","created":"2020-06-26T14:55:13.349Z","x_mitre_version":"1.0","external_references":[{"source_name":"Cybereason EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[EventBot](https://attack.mitre.org/software/S0478) has encrypted base64-encoded payload data using RC4 and Curve25519.(Citation: Cybereason EventBot)","modified":"2022-04-18T15:57:14.375Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0330db55-06e0-45a2-85a6-17617a37fdaf","created":"2022-04-06T13:57:49.186Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T13:57:49.186Z","relationship_type":"revoked-by","source_ref":"attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8","created":"2019-11-21T16:42:48.437Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList - ViceLeaker 2019","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:22:18.013Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) can collect SMS messages.(Citation: SecureList - ViceLeaker 2019)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--03ff6271-d7bc-40f3-b83d-25c541333694","type":"relationship","created":"2019-11-19T17:32:20.701Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2019-12-26T16:14:33.468Z","description":"If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71","created":"2022-04-18T15:49:00.561Z","x_mitre_version":"0.1","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021."}],"x_mitre_deprecated":false,"revoked":false,"description":"[BusyGasper](https://attack.mitre.org/software/S0655) can download text files with commands from an FTP server and exfiltrate data via email.(Citation: SecureList BusyGasper)","modified":"2022-04-18T15:49:00.561Z","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--37047267-3e56-453c-833e-d92b68118120","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--04530307-22d8-4a06-9056-55eea225fabb","type":"relationship","created":"2019-07-10T15:35:43.710Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-08-09T18:06:11.842Z","description":"[Pallas](https://attack.mitre.org/software/S0399) retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--046acda0-91de-4385-bcfb-157570d8e51d","created":"2023-03-30T15:25:00.442Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cleafy_sova_1122","description":"Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.","url":"https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T15:26:46.611Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can search for installed applications that match a list of targets.(Citation: cleafy_sova_1122)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--049a5149-00c9-492a-8ffb-463f3d0cd910","created":"2022-03-30T20:13:28.442Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android 10 Limitations to Hiding App 
Icons","url":"https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons","description":"Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022."},{"source_name":"LauncherApps getActivityList","url":"https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist","description":"Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)","modified":"2022-05-20T17:16:08.998Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--049b0c71-63e3-47ce-bb0b-149df0344b15","created":"2020-12-24T21:45:56.965Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:15:59.861Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) can access device contacts.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--049c39ab-c036-457a-9b8f-4318416658b8","created":"2022-03-30T19:54:24.468Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"A locked bootloader could prevent unauthorized modifications of protected operating system files. 
","modified":"2022-03-30T19:55:15.724Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112","created":"2022-04-05T19:59:03.285Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T19:59:03.285Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--fd211238-f767-4599-8c0d-9dca36624626","target_ref":"attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc","created":"2023-03-20T18:37:57.767Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T14:53:48.653Z","description":"Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe","type":"relationship","created":"2019-12-10T16:07:41.093Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList DVMap June 2017","url":"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/","description":"R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019."}],"modified":"2019-12-10T16:07:41.093Z","description":"[Dvmap](https://attack.mitre.org/software/S0420) can download code and binaries from the C2 server to execute on the device as root.(Citation: SecureList DVMap June 2017)","relationship_type":"uses","source_ref":"malware--22b596a6-d288-4409-8520-5f2846f85514","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab","created":"2020-09-11T14:54:16.589Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). 
Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can be controlled using SMS messages.(Citation: Lookout Desert Scorpion)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--05563777-5771-4bd6-a1af-3e244cf42372","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Xiao-KeyRaider","description":"Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.","url":"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"}],"modified":"2018-10-17T00:14:20.652Z","description":"Most [KeyRaider](https://attack.mitre.org/software/S0288) samples search to find the Apple account's username, password and device's GUID in data being transferred.(Citation: Xiao-KeyRaider)","relationship_type":"uses","source_ref":"malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:22:32.033Z","description":"[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather SMS messages.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--35aae10a-97c5-471a-9c67-02c231a7a31a","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b","created":"2023-09-21T19:38:21.735Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T19:38:21.735Z","description":"Mobile security products 
may provide URL inspection services that could determine if a domain being visited is malicious.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76","created":"2020-12-17T20:15:22.441Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Palo Alto HenBox","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:35:41.700Z","description":"[HenBox](https://attack.mitre.org/software/S0544) has collected all outgoing phone numbers that start with “86”.(Citation: Palo Alto 
HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--06348e22-9a06-4e4c-a57c-e438462e7fce","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/","description":"Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.","source_name":"Kaspersky-Skygofree"}],"modified":"2019-08-09T18:08:07.173Z","description":"[Skygofree](https://attack.mitre.org/software/S0327) can record audio via the microphone when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)","relationship_type":"uses","source_ref":"malware--3a913bac-4fae-4d0e-bca8-cae452f1599b","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b","created":"2024-03-28T18:03:23.922Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_strongpity","description":"Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. 
Retrieved March 19, 2023.","url":"https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:29:39.488Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) on a compromised website to distribute a malicious version of a legitimate application.(Citation: trendmicro_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--069b2328-442b-491e-962d-d3fe01f0549e","created":"2019-09-04T14:28:15.479Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-Monokle","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Monokle](https://attack.mitre.org/software/S0407) can be controlled via email and SMS from a set of \"control phones.\"(Citation: Lookout-Monokle)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d","created":"2023-08-16T16:40:14.482Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:40:14.482Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can gather basic device information such as version, model, root status, and country.(Citation: 
cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85","type":"relationship","created":"2020-11-20T16:37:28.547Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020."}],"modified":"2020-11-20T16:37:28.547Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can collect various pieces of device information, such as serial number and product information.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0727ac06-5b46-4f79-abe9-63c1b923d383","created":"2023-02-06T19:05:56.974Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:07:11.541Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) has included encoded shell scripts to potentially aid in the rooting process.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35","created":"2024-03-28T18:32:59.357Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:29:50.603Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to encrypt C2 communication using AES.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--078653a6-3613-4923-ae5a-1bccb8552e67","type":"relationship","created":"2020-09-11T16:22:03.250Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout ViperRAT","url":"https://blog.lookout.com/viperrat-mobile-apt","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T16:22:03.250Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) has been installed in two stages and can secretly install new applications.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"PaloAlto-WireLurker","description":"Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.","url":"https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[WireLurker](https://attack.mitre.org/software/S0312) monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.(Citation: PaloAlto-WireLurker)","relationship_type":"uses","source_ref":"malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb","target_ref":"attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc","created":"2022-03-30T19:36:20.304Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be trained on what device administrator permission request prompts look 
like, and how to avoid granting permissions on phishing popups.","modified":"2022-03-30T19:36:20.304Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--07c727a6-6323-477a-bb55-34e130959b4e","created":"2023-10-10T15:33:57.556Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender Mandrake","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:57.556Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can mimic an app called “Storage Settings” if it cannot hide its icon.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--07dd3318-2965-4085-be64-a8e956c7b8da","type":"relationship","created":"2020-12-18T20:14:47.319Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WhiteOps 
TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020."}],"modified":"2020-12-18T20:14:47.319Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has stored encoded strings.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e","created":"2022-03-30T18:15:03.625Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T18:15:03.625Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","target_ref":"attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f","created":"2023-03-20T15:55:32.395Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:45:55.097Z","description":"Application vetting services could look for use of standard APIs (e.g. 
the clipboard API) that could indicate data manipulation is occurring.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--084786ee-9384-4a00-9e1b-48f94ea70126","created":"2019-09-03T19:45:48.517Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SWB Exodus March 2019","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:09:45.426Z","description":"[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate calendar events.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--085f8397-0233-42d7-855e-3dbd709f2eca","created":"2023-01-18T21:39:27.823Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:30:43.093Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can use the Android “Direct Reply” feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f","created":"2023-03-20T18:58:33.787Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:15:45.239Z","description":"Application vetting services could look for `android.permission.READ_SMS` in an Android application’s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8","created":"2022-04-01T15:16:02.324Z","x_mitre_version":"0.1","external_references":[{"source_name":"iOS Universal Links","url":"https://developer.apple.com/ios/universal-links/","description":"Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020."},{"source_name":"Android App Links","url":"https://developer.android.com/training/app-links/verify-site-associations","description":"Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020."},{"source_name":"IETF-PKCE","url":"https://tools.ietf.org/html/rfc7636","description":"N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. 
","modified":"2022-04-01T15:16:02.324Z","relationship_type":"mitigates","source_ref":"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1","target_ref":"attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8","created":"2023-07-21T19:38:06.254Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:38:06.254Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can retrieve account information for third party services, such as Google, Telegram, WeChat, or WhatsApp.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0891421a-8476-4d37-b274-645b90f139c7","created":"2024-03-28T18:31:38.715Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_strongpity","description":"Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. 
Retrieved March 19, 2023.","url":"https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:30:02.657Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect information regarding available Wi-Fi networks.(Citation: trendmicro_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--08a43019-d393-451f-a23c-2dfa17ec40b2","created":"2023-01-18T19:15:24.775Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:51:07.963Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can steal incoming SMS messages and send SMS messages from compromised devices. 
(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--08c81253-975c-4780-8e85-c72bc6a90c88","created":"2020-10-29T19:21:23.225Z","x_mitre_version":"1.0","external_references":[{"source_name":"WeLiveSecurity AdDisplayAshas","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/","description":"L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can generate revenue by automatically displaying ads.(Citation: WeLiveSecurity AdDisplayAshas)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b","created":"2019-12-10T16:07:41.081Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList DVMap June 2017","description":"R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.","url":"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:47:53.438Z","description":"[Dvmap](https://attack.mitre.org/software/S0420) replaces `/system/bin/ip` with a malicious version. [Dvmap](https://attack.mitre.org/software/S0420) can inject code by patching `libdmv.so` or `libandroid_runtime.so`, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call `/system/bin/ip`, which was replaced with the malicious version.(Citation: SecureList DVMap June 2017)","relationship_type":"uses","source_ref":"malware--22b596a6-d288-4409-8520-5f2846f85514","target_ref":"attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--09059576-658b-4944-9f7b-df003319fdaa","created":"2024-02-21T00:00:40.770Z","revoked":false,"external_references":[{"source_name":"SecurityIntelligence TrickMo","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T00:00:40.770Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956","created":"2020-11-24T17:55:12.873Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos GPlayed","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:21:56.899Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) has communicated with the C2 using HTTP requests or WebSockets as a backup.(Citation: Talos GPlayed) ","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0993769f-63fb-4720-bbcf-e6f37f71515e","type":"relationship","created":"2020-06-02T14:32:31.875Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Project Zero Insomnia","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html","description":"I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020."}],"modified":"2020-06-02T14:32:31.875Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s name, serial number, iOS version, total disk space, and free disk space.(Citation: Google Project Zero Insomnia) ","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72","created":"2023-09-21T19:37:48.020Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T19:37:48.020Z","description":"Users can be trained to identify social engineering techniques and phishing emails.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca","created":"2022-04-06T13:22:57.754Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T13:22:57.754Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--37047267-3e56-453c-833e-d92b68118120","target_ref":"attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationsh
ip--09c6bbd4-9058-4657-9d8e-656439637ac6","created":"2023-03-16T18:32:47.895Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:15:16.326Z","description":"Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application’s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d","created":"2023-02-06T19:01:08.265Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:07:32.636Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) has encoded files, such as exploit binaries, to potentially use during and after the rooting process.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2018-10-17T00:14:20.652Z","relationship_type":"revoked-by","source_ref":"attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a","target_ref":"attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb","type":"relationship","created":"2020-12-18T20:14:47.412Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020."}],"modified":"2020-12-18T20:14:47.412Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has included native modules.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0a610208-06af-425f-a9af-cd0899261e33","type":"relationship","created":"2020-09-11T15:45:38.450Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020."}],"modified":"2020-09-11T15:45:38.450Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can send SMS messages.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0a737289-c62d-4c0a-a857-6d116f774864","type":"relationship","created":"2020-06-26T15:12:40.077Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"ESET DEFENSOR ID","url":"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/","description":"L. Stefanko. 
(2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020."}],"modified":"2020-06-26T15:12:40.077Z","description":"[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to read any text displayed on the screen.(Citation: ESET DEFENSOR ID)","relationship_type":"uses","source_ref":"malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0ae94053-1963-45ba-a3a9-62e508281c8e","created":"2023-01-19T18:06:36.986Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:21:58.318Z","description":"[TianySpy](https://attack.mitre.org/software/S1056) can install malicious configurations on iPhones to allow malware to be installed via Ad Hoc distribution.(Citation: trendmicro_tianyspy_0122) 
","relationship_type":"uses","source_ref":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070","created":"2022-04-15T17:18:44.185Z","x_mitre_version":"0.1","external_references":[{"source_name":"Talos Gustuff Apr 2019","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Gustuff](https://attack.mitre.org/software/S0406) obfuscated command information using a custom base85-based encoding.(Citation: Talos Gustuff Apr 2019)","modified":"2022-04-15T17:18:44.185Z","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d","created":"2020-05-04T14:04:56.179Z","x_mitre_version":"1.0","external_references":[{"source_name":"Google Bread","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html","description":"A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Bread](https://attack.mitre.org/software/S0432) payloads have used several commercially available packers.(Citation: Google Bread)","modified":"2022-04-15T17:20:54.552Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","target_ref":"attack-pattern--51636761-2e35-44bf-9e56-e337adf97174","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651","created":"2023-04-11T19:54:52.711Z","revoked":false,"external_references":[{"source_name":"cleafy_sova_1122","description":"Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.","url":"https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-11T19:54:52.711Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can programmatically tap the screen or swipe.(Citation: 
cleafy_sova_1122)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2","created":"2023-03-20T15:28:54.837Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T17:15:34.376Z","description":"Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1","type":"relationship","created":"2020-09-11T14:54:16.650Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T14:54:16.650Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) has been distributed in multiple stages.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253","type":"relationship","created":"2020-12-31T18:25:05.178Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020."}],"modified":"2020-12-31T18:25:05.178Z","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has fingerprinted devices to uniquely identify them.(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0bb6f851-4302-4936-a98e-d23feecb234d","type":"relationship","created":"2020-06-02T14:32:31.777Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Volexity Insomnia","url":"https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/","description":"A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). 
Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020."}],"modified":"2020-06-02T14:32:31.777Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) exploits a WebKit vulnerability to achieve root access on the device.(Citation: Volexity Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349","created":"2020-10-29T19:01:13.826Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Microsoft MalLockerB","description":"D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.","url":"https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:44:31.187Z","description":"[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has registered to receive 14 different broadcast intents for automatically triggering malware payloads. 
(Citation: Microsoft MalLockerB)","relationship_type":"uses","source_ref":"malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e","created":"2020-07-15T20:20:59.200Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender Mandrake","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:50:39.124Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can access the device’s contact list.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad","created":"2023-03-20T18:55:03.385Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:44:01.271Z","description":"Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, 
and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db","type":"relationship","created":"2019-08-09T17:59:48.988Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.","source_name":"Lookout-StealthMango"}],"modified":"2019-08-09T17:59:48.988Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) can record and take pictures using the front and back cameras.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0c417238-738d-4bda-8359-d37d39414ebe","created":"2023-08-04T18:30:41.599Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:30:41.599Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate phone number and IMEI.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0c49a6e0-9837-424d-877b-4e232f5fe250","created":"2024-03-28T18:33:46.367Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:30:13.417Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to communicate with the C2 server using HTTPS.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0c558826-5cea-422e-8e67-83e53c04d409","created":"2020-06-26T15:32:25.146Z","x_mitre_version":"1.0","external_references":[{"source_name":"CheckPoint Cerberus","url":"https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/","description":"A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 using HTTP requests over port 8888.(Citation: CheckPoint Cerberus)","modified":"2022-04-20T16:37:46.192Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0cabc5f9-045e-490c-a97f-efe00dbade86","type":"relationship","created":"2020-01-27T17:05:58.276Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:05:58.276Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can record video.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0cae6859-d7d1-483b-b473-4f32084938a9","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"modified":"2019-08-09T17:52:31.818Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to record device audio.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c","created":"2022-04-01T18:51:44.595Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.","modified":"2022-04-01T18:51:44.595Z","relationship_type":"mitigates","source_ref":"course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0cf39d51-2d80-4576-b088-e787b113513e","created":"2023-09-28T17:39:48.745Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zimperium FlyTrap","description":"A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. 
Retrieved September 28, 2023.","url":"https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-30T21:05:31.625Z","description":"[FlyTrap](https://attack.mitre.org/software/S1093) can use HTTP to communicate with the C2 server.(Citation: Zimperium FlyTrap)","relationship_type":"uses","source_ref":"malware--8338393c-cb2e-4ee6-b944-34672499c785","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f","created":"2020-12-24T21:55:56.749Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:41:52.454Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has hidden its app icon.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b","created":"2023-03-20T18:41:56.287Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:50:42.655Z","description":"On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. ","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a","type":"relationship","created":"2021-02-17T20:43:52.333Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). 
FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020."}],"modified":"2021-02-17T20:43:52.333Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has used an online cell tower geolocation service to track targets.(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184","created":"2022-03-30T17:53:56.805Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T17:53:56.805Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","target_ref":"attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594","created":"2022-04-05T17:14:08.267Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T17:14:08.267Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","target_ref":"attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0e8607f6-daab-44df-b167-105403a4ef41",
"created":"2023-01-18T19:57:33.986Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:39:39.355Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can use the “Direct Reply” feature of Android to automatically reply to notifications with a message provided by C2.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39","created":"2020-06-26T14:55:13.387Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason EventBot","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:59:55.854Z","description":"[EventBot](https://attack.mitre.org/software/S0478) communicates with the C2 using HTTP requests.(Citation: Cybereason EventBot)","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-BrainTest","description":"Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.","url":"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:25:52.381Z","description":"[BrainTest](https://attack.mitre.org/software/S0293) uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.(Citation: Lookout-BrainTest)","relationship_type":"uses","source_ref":"malware--e13d084c-382f-40fd-aa9a-98d69e20301e","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4","type":"relationship","created":"2020-06-02T14:32:31.885Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Project Zero Insomnia","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html","description":"I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020."}],"modified":"2020-06-02T14:32:31.885Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can track the device’s location.(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd","created":"2021-01-05T20:16:20.488Z","x_mitre_version":"1.0","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can launch a fake Facebook login page.(Citation: Zscaler TikTok Spyware)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b","created":"2023-02-28T20:31:03.379Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"},{"source_name":"bitdefender_flubot_0524","description":"Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. Retrieved February 28, 2023.","url":"https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:06:56.734Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can send SMS phishing messages to other contacts on an infected device.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369","created":"2023-02-02T17:46:27.077Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:43:17.131Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can exfiltrate captured user credentials and event logs back to the C2 server. (Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler-SpyNote","description":"Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.","url":"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}],"modified":"2019-10-10T15:24:09.248Z","description":"[SpyNote RAT](https://attack.mitre.org/software/S0305) collects the device's location.(Citation: Zscaler-SpyNote)","relationship_type":"uses","source_ref":"malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2","created":"2020-12-24T22:04:28.027Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:20:48.937Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has modified or configured proxy information.(Citation: Lookout Uyghur Campaign) ","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936","created":"2019-08-29T18:57:55.926Z","x_mitre_version":"1.0","external_references":[{"source_name":"Samsung Keyboards","url":"https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-","description":"Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved September 1, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards) An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. 
","modified":"2022-04-05T19:41:57.905Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--10560632-6449-4579-90eb-20fc46dcca08","created":"2020-10-29T19:21:23.200Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"WeLiveSecurity AdDisplayAshas","description":"L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:49:16.886Z","description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.(Citation: WeLiveSecurity AdDisplayAshas)","relationship_type":"uses","source_ref":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--10c07066-df05-4dff-bb95-c76be02ea4ef","created":"2020-09-14T14:13:45.291Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout eSurv","description":"A. Bauer. (2019, April 8). 
Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.","url":"https://blog.lookout.com/esurv-research"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:30:00.975Z","description":"[eSurv](https://attack.mitre.org/software/S0507) imposes geo-restrictions when delivering the second stage.(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451","type":"relationship","created":"2019-10-10T15:03:27.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019."}],"modified":"2019-10-10T15:03:27.682Z","description":"[Exodus](https://attack.mitre.org/software/S0405) One encrypts data using XOR prior to exfiltration.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--11113fa5-150e-4574-89fc-5db66479e268","created":"2023-12-18T18:13:28.074Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. 
(2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"},{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:13:28.074Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--112966ab-6e28-482b-8bea-ed9f4ed17064","created":"2024-02-20T23:44:07.210Z","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:44:07.210Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--114f4334-16f4-402e-981a-902b2c9be6fb","created":"2024-04-17T16:42:31.778Z","revoked":false,"external_references":[{"source_name":"trendmicro_strongpity","description":"Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. 
Retrieved March 19, 2023.","url":"https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T16:42:31.778Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) distributed [StrongPity](https://attack.mitre.org/software/S0491) through the compromised official Syrian E-Gov website.(Citation: trendmicro_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae","created":"2023-10-10T15:33:59.743Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CrowdStrike-Android","description":"CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.","url":"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.743Z","description":"[X-Agent for Android](https://attack.mitre.org/software/S0314) was placed in a repackaged version of an application used by Ukrainian artillery forces.(Citation: CrowdStrike-Android)","relationship_type":"uses","source_ref":"malware--56660521-6db4-4e5a-a927-464f22954b7c","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--119b848b-84b4-4f86-a265-0c9eb8680072","created":"2021-10-01T14:42:49.171Z","x_mitre_version":"1.0","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021."}],"x_mitre_deprecated":false,"revoked":false,"description":"[BusyGasper](https://attack.mitre.org/software/S0655) can be controlled via IRC using freenode.net servers.(Citation: SecureList BusyGasper)","modified":"2022-04-18T19:01:58.546Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f","created":"2023-10-10T15:33:57.223Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout ViperRAT","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.","url":"https://blog.lookout.com/viperrat-mobile-apt"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:57.223Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506)’s second stage has masqueraded as “System Updates”, “Viber Update”, and “WhatsApp Update”.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--11a992e7-83a3-4dc3-b391-fbd79e518943","created":"2023-07-21T19:40:08.668Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. 
(2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:40:08.668Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can encrypt its data before exfiltration.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879","type":"relationship","created":"2019-09-04T14:28:16.426Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2019-09-04T14:32:13.000Z","description":"[Monokle](https://attack.mitre.org/software/S0407) uses XOR to obfuscate its second stage binary.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"PaloAlto-Xbot","description":"Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.","url":"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:17:40.860Z","description":"[Xbot](https://attack.mitre.org/software/S0298) can remotely lock infected Android devices and ask for a ransom.(Citation: PaloAlto-Xbot)","relationship_type":"uses","source_ref":"tool--da21929e-40c0-443d-bdf4-6b60d15448b4","target_ref":"attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--1250f91c-723d-4b4c-afea-b3a71101951f","type":"relationship","created":"2019-08-07T15:57:13.415Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Kaspersky Riltok June 2019","url":"https://securelist.com/mobile-banker-riltok/91374/","description":"Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019."}],"modified":"2019-09-15T15:36:42.339Z","description":"[Riltok](https://attack.mitre.org/software/S0403) can query the device's IMEI.(Citation: Kaspersky Riltok June 2019)","relationship_type":"uses","source_ref":"malware--c0efbaae-9e7d-4716-a92d-68373aac7424","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--127e6672-d16a-4370-b277-4d04874a4cfe","created":"2023-02-06T19:37:24.358Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-11T19:29:31.138Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can use overlays capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1284ba4a-c48c-4533-ac35-664828616ee3","created":"2023-07-21T19:52:46.863Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:52:46.863Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can access and exfiltrate files, such as photos or video.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1284f6fe-d352-415c-9479-82141524380a","created":"2022-03-30T18:06:48.250Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). 
","modified":"2022-03-30T18:06:48.250Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--12852406-87df-4892-a177-e15e81739000","created":"2023-03-20T18:50:14.139Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:34:56.071Z","description":"Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--12d14048-793c-456c-a2b8-d812de547ca7","created":"2023-09-28T17:19:38.041Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:19:38.041Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can read SMS messages on the device.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--12d61e7d-7fa6-422d-9817-901decf6b650","created":"2019-07-10T15:35:43.663Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Pallas](https://attack.mitre.org/software/S0399) uses phishing popups to harvest user credentials.(Citation: Lookout Dark Caracal Jan 2018)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--12de5aeb-9427-4665-81a0-257c76d6f188","created":"2023-03-03T16:20:48.781Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:20:48.781Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has replaced device apps with ones it has downloaded.(Citation: 
paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d","created":"2020-12-18T20:14:47.297Z","x_mitre_version":"1.0","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has generated non-human advertising impressions.(Citation: WhiteOps TERRACOTTA)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1317fb3d-ded3-4b84-8007-147f3b02948a","created":"2022-04-05T19:52:38.539Z","x_mitre_version":"0.1","external_references":[{"source_name":"CSRIC-WG1-FinalReport","description":"CSRIC-WG1-FinalReport"}],"x_mitre_deprecated":false,"revoked":false,"description":"Filtering requests by checking request origin information may provide some defense against spurious 
operators.(Citation: CSRIC-WG1-FinalReport) ","modified":"2022-04-05T19:52:38.539Z","relationship_type":"mitigates","source_ref":"course-of-action--e829ee51-1caf-4665-ba15-7f8979634124","target_ref":"attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1329a866-0f6b-4660-b537-a6d208352502","created":"2023-06-09T19:11:12.827Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T20:48:55.333Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd","created":"2023-08-04T18:35:25.381Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:35:25.381Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can try to run arbitrary commands as root.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1348c744-3127-4a55-a5b4-2f439f41e941","created":"2020-07-27T14:14:56.994Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Security Zen","description":"Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.","url":"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:48:16.775Z","description":"[Zen](https://attack.mitre.org/software/S0494) can install itself on the system partition to achieve persistence. 
[Zen](https://attack.mitre.org/software/S0494) can also replace `framework.jar`, which allows it to intercept and modify the behavior of the standard Android API.(Citation: Google Security Zen)","relationship_type":"uses","source_ref":"malware--22faaa56-a8ac-4292-9be6-b571b255ee40","target_ref":"attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--13495d9c-6877-4bc9-888a-7d92362bcb40","created":"2023-06-09T19:10:19.108Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T19:13:50.488Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can collect device contacts.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d","created":"2019-10-18T14:50:57.491Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Security updates often contain patches for 
vulnerabilities.","modified":"2022-03-30T15:52:58.256Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--13aba849-5004-4457-9f3b-49e470b589e0","created":"2023-03-20T18:43:44.617Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:21:05.598Z","description":"Application vetting services could look for connections to unknown domains or IP addresses. ","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579","created":"2023-07-21T19:40:25.197Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:40:25.197Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can download and run code obtained from the C2.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--13efc415-5e17-4a16-81c2-64e74815907f","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"PaloAlto-XcodeGhost","url":"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/","description":"Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[XcodeGhost](https://attack.mitre.org/software/S0297) can prompt a fake alert dialog to phish user credentials.(Citation: PaloAlto-XcodeGhost)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--d9e07aea-baad-4b68-bdca-90c77647d7f9","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--14143e21-51bf-4fa7-a949-d22a8271f590","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/","description":"Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.","source_name":"TrendMicro-RCSAndroid"}],"modified":"2019-08-09T17:53:48.780Z","description":"[RCSAndroid](https://attack.mitre.org/software/S0295) can record audio using the device microphone.(Citation: TrendMicro-RCSAndroid)","relationship_type":"uses","source_ref":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c","created":"2022-04-01T14:59:39.294Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Apple regularly provides security updates for known OS vulnerabilities.","modified":"2022-04-01T14:59:39.294Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--142532a6-bf7c-4b25-be23-16f01160f3c5","type":"relationship","created":"2020-09-15T15:18:12.417Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason FakeSpy","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020."}],"modified":"2020-09-15T15:18:12.417Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can collect account information stored on the device, as well as data in external storage.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--143833fb-8034-4e75-a030-d8e47f9bebef","created":"2023-12-18T18:10:56.540Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-16T15:49:06.103Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can track the device's location.(Citation: cleafy_brata_0122)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--14474366-938a-4359-bf24-e2c718adfaf5","type":"relationship","created":"2020-06-26T14:55:13.382Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason 
EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020."}],"modified":"2020-06-26T14:55:13.382Z","description":"[EventBot](https://attack.mitre.org/software/S0478) can download new libraries when instructed to.(Citation: Cybereason EventBot)","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--146275c0-b6dd-4700-bded-bc361a67d023","type":"relationship","created":"2020-09-14T14:13:45.253Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout eSurv","url":"https://blog.lookout.com/esurv-research","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020."}],"modified":"2020-09-14T14:13:45.253Z","description":"[eSurv](https://attack.mitre.org/software/S0507) can record audio.(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6","created":"2022-03-30T15:18:21.256Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T15:18:21.256Z","relationship_type":"revoked-by","source_ref":"attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0","target_ref":"attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--148703c5-6d07-439c-a4ff-d77119c70857","created":"2023-03-20T18:52:21.767Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:23:41.266Z","description":"Many properly configured firewalls may also naturally block command and control traffic over non-standard 
ports.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--15065492-1aef-4cf8-af3c-cc763eee5daf","created":"2020-09-24T15:34:51.213Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Dendroid","description":"Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/03/06/dendroid/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:49:32.064Z","description":"[Dendroid](https://attack.mitre.org/software/S0301) can detect if it is being ran on an emulator.(Citation: Lookout-Dendroid)","relationship_type":"uses","source_ref":"malware--317a2c10-d489-431e-b6b2-f0251fddc88e","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd","type":"relationship","created":"2020-06-26T15:12:40.094Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"ESET DEFENSOR ID","url":"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/","description":"L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020."}],"modified":"2020-06-26T15:12:40.094Z","description":"[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.(Citation: ESET DEFENSOR ID)","relationship_type":"uses","source_ref":"malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052","created":"2024-03-28T18:29:23.881Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:30:25.144Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect SMS messages.(Citation: welivesec_strongpity) 
","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80","created":"2022-03-30T19:33:05.375Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Security updates typically provide patches for vulnerabilities that enable device rooting.","modified":"2022-03-30T19:33:05.375Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9","type":"relationship","created":"2020-04-24T17:46:31.582Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecurityIntelligence TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020."}],"modified":"2020-04-24T17:46:31.582Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d","type":"relationship","created":"2021-10-01T14:42:48.740Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021."}],"modified":"2021-10-12T13:51:41.045Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can collect images stored on the device and browser history.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--16d969ca-59ae-4c87-888f-fa231ad863d1","created":"2024-03-28T18:27:18.259Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:30:37.287Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect message notifications from 17 applications.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--17141729-226d-40d4-928d-ffbd2eed7d11","created":"2022-04-05T19:37:16.086Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T19:37:16.086Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca","created":"2020-09-11T16:22:03.285Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout ViperRAT","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/viperrat-mobile-apt"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:50:52.737Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device’s contact list.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--17558571-7352-470b-b728-0511fb3f699d","type":"relationship","created":"2019-10-18T15:51:48.484Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2020-06-24T15:02:13.534Z","description":"Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--17697784-f6e0-4062-adaa-7779e44e2d62","created":"2024-02-20T23:57:03.657Z","revoked":false,"external_references":[{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:57:03.657Z","description":"[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7","created":"2022-03-31T19:53:01.320Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-31T19:53:01.320Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--17e94f34-e367-491c-9f9f-79294e124b4f","created":"2020-12-17T20:15:22.501Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Palo Alto HenBox","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:22:48.246Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can intercept SMS messages.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1822e616-ae33-487c-8aa6-4fa81e724184","created":"2021-02-08T16:36:20.785Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"BlackBerry Bahamut","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:06:22.576Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--185764e3-b559-4a65-818e-1cad4db6d105","created":"2024-04-04T17:42:29.902Z","revoked":false,"external_references":[{"source_name":"forcepoint_bitter","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.","url":"https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-04T17:42:29.902Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) can send SMS messages.(Citation: forcepoint_bitter) ","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd","created":"2022-04-01T18:50:00.027Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T18:50:00.027Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495","created":"2024-02-20T23:52:29.033Z","revoked":false,"external_references":[{"source_name":"Cybereason FakeSpy","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:52:29.033Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea","created":"2022-04-06T13:40:14.515Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android 10 Privacy Changes","url":"https://developer.android.com/about/versions/10/privacy/changes#clipboard-data","description":"Android Developers. (n.d.). Privacy changes in Android 10. 
Retrieved September 11, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).(Citation: Android 10 Privacy Changes)","modified":"2022-04-06T13:40:14.515Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Adware","description":"Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. 
Retrieved December 21, 2016.","url":"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:26:05.199Z","description":"[ShiftyBug](https://attack.mitre.org/software/S0294) is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.(Citation: Lookout-Adware)","relationship_type":"uses","source_ref":"malware--c80a6bef-b3ce-44d0-b113-946e93124898","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"NYTimes-BackDoor","description":"Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.","url":"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:23:04.150Z","description":"[Adups](https://attack.mitre.org/software/S0309) transmitted the full contents of text messages.(Citation: NYTimes-BackDoor)","relationship_type":"uses","source_ref":"malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1987b242-c868-40b2-993d-9dbeea311d4b","created":"2022-03-30T14:08:09.882Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T14:08:09.882Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","target_ref":"attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--198b99e6-3954-4c93-90bc-4227b45270a4","created":"2023-08-04T19:03:55.638Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T19:03:55.638Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can delete locally gathered files after uploading them to the C2 to avoid suspicion.(Citation: lookout_hornbill_sunbird_0221) ","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--19b95b83-bac0-455f-882f-0209abddb76f","created":"2022-04-05T20:11:35.619Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Applications that properly encrypt network traffic may evade some forms of AiTM behavior. ","modified":"2022-04-05T20:11:35.619Z","relationship_type":"mitigates","source_ref":"course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--19df76ee-fa85-43cf-96ce-422d46f29a13","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:12:48.998Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) listens for the `BOOT_COMPLETED` broadcast intent in order to maintain persistence and activate its functionality at device boot time.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80","created":"2022-03-31T19:51:41.431Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.","modified":"2022-03-31T19:51:41.431Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd","created":"2020-07-15T20:20:59.289Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender Mandrake","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:49:47.110Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e","created":"2020-09-14T14:13:45.299Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout eSurv","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/esurv-research"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-29T15:07:37.877Z","description":"[eSurv](https://attack.mitre.org/software/S0507)’s Android version has used public key encryption for C2 communication.(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e","created":"2022-04-01T17:05:56.046Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"On Android 11 and up, users are not prompted with the option to select “Allow all the time” and must navigate to the settings page to manually select this option. On iOS 14 and up, users can select whether to provide Precise Location for each installed application. 
","modified":"2022-04-01T17:05:56.046Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9","type":"relationship","created":"2020-09-11T14:54:16.548Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020."}],"modified":"2020-09-11T14:54:16.548Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can obtain a list of installed applications.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b","created":"2023-07-21T19:35:17.565Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:35:17.565Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can access a device’s microphone to record audio, as well as cell and VoIP application calls.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e","created":"2020-12-31T18:25:05.165Z","x_mitre_version":"1.0","external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES) ","modified":"2022-04-18T16:00:57.320Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a","created":"2023-08-16T16:36:59.360Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:36:59.360Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can gather cookies and device logs.(Citation: cyble_chameleon_0423) 
","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--1c180c0e-c789-4176-b568-789ada9487bb","type":"relationship","created":"2020-10-29T19:21:23.162Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WeLiveSecurity AdDisplayAshas","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/","description":"L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020."}],"modified":"2020-10-29T19:21:23.162Z","description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if *developer mode* is enabled.(Citation: WeLiveSecurity AdDisplayAshas)","relationship_type":"uses","source_ref":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"CheckPoint-Judy","url":"https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/","description":"CheckPoint. (2017, May 25). 
The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Judy](https://attack.mitre.org/software/S0325) uses infected devices to generate fraudulent clicks on advertisements to generate revenue.(Citation: CheckPoint-Judy)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--172444ab-97fc-4d94-b142-179452bfb760","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf","created":"2023-02-06T18:59:46.976Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:12:28.993Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73","type":"relationship","created":"2020-07-20T14:12:15.566Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Check Point-Joker","url":"https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/","description":"Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. 
Retrieved July 20, 2020."}],"modified":"2020-07-20T14:12:15.566Z","description":"[Bread](https://attack.mitre.org/software/S0432) can collect device notifications.(Citation: Check Point-Joker)","relationship_type":"uses","source_ref":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1cc71849-142f-4097-9546-7946b0b546a6","created":"2020-04-08T15:51:25.125Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ThreatFabric Ginp","description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:29:22.884Z","description":"[Ginp](https://attack.mitre.org/software/S0423) can determine if it is running in an emulator.(Citation: ThreatFabric Ginp)","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1cca5e17-80ae-4b6e-8919-2768153aa966","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"PaloAlto-Xbot","url":"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/","description":"Cong Zheng, Claud Xiao and Zhi Xu. 
(2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Xbot](https://attack.mitre.org/software/S0298) uses phishing pages mimicking Google Play's payment interface as well as bank login pages.(Citation: PaloAlto-Xbot)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"tool--da21929e-40c0-443d-bdf4-6b60d15448b4","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de","created":"2023-03-20T15:57:00.953Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:30:59.104Z","description":"The user is prompted for approval when an application requests device administrator permissions.","relationship_type":"detects","source_ref":"x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b","created":"2023-08-07T22:15:34.550Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T22:46:12.263Z","description":"Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1d828f51-1c04-466c-beaf-2d4de741a544","created":"2020-05-04T14:04:56.184Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Bread","description":"A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:03:18.675Z","description":"[Bread](https://attack.mitre.org/software/S0432) can access SMS messages in order to complete carrier billing fraud.(Citation: Google 
Bread)","relationship_type":"uses","source_ref":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1db350b2-1e8b-4d58-9086-eac41de1b110","created":"2022-04-05T17:13:56.584Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T17:13:56.584Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","target_ref":"attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1e286a4a-63cd-47df-a034-11a5d92daceb","created":"2022-04-06T15:41:03.981Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:41:03.981Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5","target_ref":"attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a","created":"2020-06-26T15:32:24.962Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Cerberus","description":"Threat Fabric. (2019, August). 
Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:42:04.769Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) hides its icon from the application drawer after being launched for the first time.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1e822ff0-b1e1-4d80-b1a2-956919511809","created":"2023-12-18T19:06:20.411Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T13:09:31.942Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can communicate with the C2 using HTTPS requests.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e","type":"relationship","created":"2019-09-03T19:45:48.496Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019."}],"modified":"2019-10-14T16:47:53.226Z","description":"[Exodus](https://attack.mitre.org/software/S0405) Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.(Citation: SWB Exodus March 2019)","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223","type":"relationship","created":"2020-11-20T16:37:28.610Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020."}],"modified":"2020-11-20T16:37:28.610Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) has been distributed in two stages.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1f31e348-a4ee-4874-891f-393c65a7640a","created":"2023-07-21T19:34:13.200Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:34:13.200Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate a device’s contacts.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f","created":"2023-02-28T20:39:57.194Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:07:21.417Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can use Domain Generation Algorithms to connect to the C2 server.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--fd211238-f767-4599-8c0d-9dca36624626","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435","created":"2022-04-05T19:51:08.770Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android 12 Features","url":"https://developer.android.com/about/versions/12/features","description":"Google. (2022, April 4). Features and APIs Overview. 
Retrieved April 5, 2022."}],"x_mitre_deprecated":false,"revoked":false,"description":"The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)","modified":"2022-04-05T19:51:08.770Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9","created":"2021-10-01T14:42:49.170Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList BusyGasper","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:26:02.260Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can hide its icon.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b","created":"2020-04-08T15:51:25.128Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ThreatFabric Ginp","description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:29:36.827Z","description":"[Ginp](https://attack.mitre.org/software/S0423) can collect SMS messages.(Citation: ThreatFabric Ginp)","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87","type":"relationship","created":"2020-05-04T14:04:56.217Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Bread","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html","description":"A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020."}],"modified":"2020-05-04T15:40:21.305Z","description":"[Bread](https://attack.mitre.org/software/S0432) has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. 
[Bread](https://attack.mitre.org/software/S0432) downloads billing fraud execution steps at runtime.(Citation: Google Bread)","relationship_type":"uses","source_ref":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1f8f0021-6992-476c-ba1c-232542dc1633","created":"2023-03-20T18:58:52.857Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:13:53.253Z","description":"On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd","created":"2020-04-08T18:55:29.205Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Anubis","description":"K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.","url":"https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"},{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.102Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis) ","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--1fdf9c43-0237-461f-86d4-1da843078744","created":"2023-09-21T19:38:49.571Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T19:38:49.571Z","description":"Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--20310407-9b05-4d7b-9548-961f545e14e1","created":"2023-06-09T19:18:41.955Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-06-09T19:18:41.955Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) uses an infrequent data upload schedule to avoid user detection and battery drain. It also can delete on-device data after being sent to the C2, and stores collected data in hidden folders on external storage.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6","type":"relationship","created":"2020-07-20T13:27:33.553Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020."}],"modified":"2020-08-10T21:57:54.518Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) sends the device’s IMEI with each exfiltration request.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--204e30ed-5e69-400b-a814-b77e10596865","created":"2022-04-06T15:50:42.481Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:50:42.481Z","relationship_type":"revoked-by","source_ref":"attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro-RCSAndroid","description":"Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:23:38.651Z","description":"[RCSAndroid](https://attack.mitre.org/software/S0295) can collect SMS, MMS, and Gmail messages.(Citation: TrendMicro-RCSAndroid)","relationship_type":"uses","source_ref":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--209aa948-393c-46b0-9488-ef93a6252438","created":"2022-03-30T20:07:19.296Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T20:07:19.296Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","target_ref":"attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0","created":"2020-12-24T21:55:56.741Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:51:16.331Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the contact list.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86","created":"2022-04-06T13:55:37.498Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be advised that applications generally do not require permission to send SMS messages.","modified":"2022-04-06T13:55:37.498Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2115228b-c61a-4ebb-829a-df7355635fbf","created":"2020-12-17T20:15:22.491Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Palo Alto HenBox","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:50:12.639Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can detect if the app is running on an emulator.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--212801c2-5d14-4381-b25a-340cda11a5ac","created":"2020-12-18T20:14:47.310Z","x_mitre_version":"1.0","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has displayed a form to collect user data after installation.(Citation: WhiteOps TERRACOTTA)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf","created":"2023-12-18T19:05:38.267Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:05:38.267Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf.(Citation: 
welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9","created":"2020-07-20T13:27:33.509Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos-WolfRAT","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:36:07.297Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device’s call log.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--22041a01-75e7-4ff6-8768-ad45188c53c7","created":"2023-02-28T21:45:25.064Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-01T22:03:00.755Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can obtain a list of installed applications.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--22290cce-856a-46d5-9589-699f5dfc1429","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro-XLoader","description":"Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}],"modified":"2020-07-20T13:49:03.687Z","description":"[XLoader for Android](https://attack.mitre.org/software/S0318) covertly records phone calls.(Citation: TrendMicro-XLoader)","relationship_type":"uses","source_ref":"malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--22334426-e99f-4e97-b4dd-17e297da4118","created":"2020-12-24T21:55:56.696Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:23:54.777Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has captured SMS and MMS messages.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--22708018-defd-4690-8b0f-fe47e11cb5d6","type":"relationship","created":"2020-07-15T20:20:59.316Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.316Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can capture all device notifications and hide notifications from the user.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8","created":"2023-08-04T18:32:57.089Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:32:57.089Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can record environmental and call audio.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--22773074-4a95-48e0-905f-688ce048b5ed","created":"2020-04-24T17:46:31.593Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecurityIntelligence TrickMo","description":"P. Asinovsky. (2020, March 24). 
TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:53:51.524Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6","type":"relationship","created":"2021-01-05T20:16:20.484Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.484Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can track the device’s location.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--22f5308c-77ee-4198-be1c-54062aa6a613","created":"2020-12-31T18:25:05.160Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:00:13.616Z","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14","type":"relationship","created":"2019-07-10T15:35:43.610Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-08-09T18:06:11.693Z","description":"[Pallas](https://attack.mitre.org/software/S0399) retrieves a list of all applications installed on the device.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--23522416-9493-4960-8408-f7befae7be60","created":"2024-02-20T23:59:14.650Z","revoked":false,"external_references":[{"source_name":"WhiteOps TERRACOTTA","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:59:14.650Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device’s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081","created":"2023-01-18T19:19:01.740Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). 
Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:52:20.587Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can use Accessibility Services to disable Google Play Protect.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2","created":"2023-01-18T19:57:13.265Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:43:35.115Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can use Accessibility Services to detect which process is in the foreground.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798","type":"relationship","created":"2020-10-29T19:01:13.854Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Microsoft MalLockerB","url":"https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/","description":"D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020."}],"modified":"2020-10-29T19:01:13.854Z","description":"[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has employed both name mangling and meaningless variable names in source. [AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. 
(Citation: Microsoft MalLockerB)","relationship_type":"uses","source_ref":"malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--23ecc134-0623-45ec-b8b5-52516483bda1","created":"2023-04-14T14:10:04.452Z","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-14T14:10:04.452Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f","created":"2022-04-01T18:52:13.171Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate 
action.","modified":"2022-04-01T18:52:13.171Z","relationship_type":"mitigates","source_ref":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--242dc659-c205-4e9e-95f9-14fee66195af","created":"2022-04-01T15:29:36.082Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Configuration of per-app VPN policies instead of device-wide VPN can restrict access to internal enterprise resource access via VPN to only enterprise-approved applications","modified":"2022-04-01T15:29:36.082Z","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53","type":"relationship","created":"2020-07-15T20:20:59.318Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.318Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) uses foreground persistence to keep a service running. It shows the user a transparent notification to evade detection.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--24a7379e-a994-411b-b17c-add6c6c6fc07","type":"relationship","created":"2020-12-24T21:45:56.949Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:45:56.949Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) has hidden malicious functionality in a second stage file and has encrypted C2 server information.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:41:16.865Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"revoked-by","source_ref":"attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2","target_ref":"attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48","created":"2020-09-24T15:34:51.298Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Dendroid","description":"Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/03/06/dendroid/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:24:09.872Z","description":"[Dendroid](https://attack.mitre.org/software/S0301) can intercept SMS messages.(Citation: Lookout-Dendroid)","relationship_type":"uses","source_ref":"malware--317a2c10-d489-431e-b6b2-f0251fddc88e","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--25466097-53c6-4dc7-8409-197758e88673","created":"2023-08-16T16:45:11.580Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:45:11.580Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can download HTML overlay pages after installation.(Citation: 
cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--25655385-5b0d-4700-a59f-d5d043625b84","created":"2023-02-06T18:50:50.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:13:16.813Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can use rooting exploits to silently give itself permissions or install additional malware.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3","created":"2023-12-18T18:09:56.997Z","revoked":false,"external_references":[{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"},{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:09:56.997Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can uninstall itself and remove traces of infection.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527","created":"2019-09-04T14:28:16.335Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:57:56.616Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can retrieve nearby cell tower and Wi-Fi network information.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3","created":"2023-03-03T16:26:48.531Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:26:48.531Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has collected compromised device MAC addresses.(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd","created":"2020-04-08T18:55:29.196Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.103Z","description":"[Anubis](https://attack.mitre.org/software/S0422) exfiltrates data encrypted (with RC4) by its ransomware module.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--268c12df-d3bc-46fa-99e9-32caab50b175","created":"2022-03-30T15:52:09.759Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Device attestation can often detect jailbroken or rooted devices.","modified":"2022-03-30T15:52:09.759Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--269d4409-e287-4ef3-b5f3-765ec03e503e","created":"2020-06-02T14:32:31.900Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Project Zero Insomnia","description":"I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:18:38.700Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) grants itself permissions by injecting its hash into the kernel’s trust cache.(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7","created":"2022-04-01T18:45:11.299Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them.","modified":"2022-04-01T18:45:11.299Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51","created":"2022-04-01T12:37:17.515Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"OS feature updates often enhance security and privacy around permissions. 
","modified":"2022-04-01T12:37:17.515Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--27050442-e578-44b7-9534-ada78824befe","created":"2023-02-06T19:45:09.612Z","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-06T19:45:09.612Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can intercept and read SMS messages.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--271a311f-71bc-4558-a314-0edfbec44b64","type":"relationship","created":"2019-11-21T16:42:48.495Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList - ViceLeaker 2019","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019."}],"modified":"2019-11-21T16:42:48.495Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) collects device information, including the device model and OS version.(Citation: SecureList - ViceLeaker 2019)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--27247071-356b-4b5f-bc8f-6436a3fec095","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-EnterpriseApps","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's location.(Citation: Lookout-EnterpriseApps)","relationship_type":"uses","source_ref":"malware--c709da93-20c3-4d17-ab68-48cba76b2137","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--27490b14-8044-408a-8c6a-6d8427eb78ff","created":"2023-03-20T18:44:26.233Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:44:47.944Z","description":"The user can review which applications have location and sensitive phone information permissions in the operating system’s settings menu. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--498e7b81-238d-404c-aa5e-332904d63286","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9","created":"2023-02-28T21:42:52.037Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:25:22.438Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can request location permissions.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2793d721-df10-4621-8387-f3342def59a1","created":"2022-03-30T18:14:36.786Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing 
apps signed using enterprise distribution keys. ","modified":"2022-03-30T18:14:36.786Z","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--279b016a-45c8-4961-88fa-48162e56c3fa","created":"2024-02-21T20:49:34.244Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T20:49:34.244Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card info, and Wi-Fi info.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea","type":"relationship","created":"2020-07-15T20:20:59.377Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender 
Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.377Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can collect all accounts stored on the device.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c","type":"relationship","created":"2020-07-27T14:14:56.954Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Security Zen","url":"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html","description":"Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020."}],"modified":"2020-08-10T22:18:20.777Z","description":"[Zen](https://attack.mitre.org/software/S0494) can obtain root access via a rooting trojan in its infection chain.(Citation: Google Security Zen)","relationship_type":"uses","source_ref":"malware--22faaa56-a8ac-4292-9be6-b571b255ee40","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6","created":"2022-04-01T14:59:53.782Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Device attestation can often detect jailbroken devices.","modified":"2022-04-01T14:59:53.782Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a","created":"2020-12-28T18:47:52.357Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Palo Alto HenBox","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:22:26.702Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can run commands as root.(Citation: Palo Alto HenBox) ","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2","created":"2020-04-24T17:46:31.589Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecurityIntelligence TrickMo","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:00:28.299Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) communicates with the C2 by sending JSON objects over unencrypted HTTP requests.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--289f5e23-088a-4840-a2a6-bab30da2a64b","created":"2022-04-01T16:51:04.584Z","x_mitre_version":"0.1","external_references":[{"source_name":"GoogleIO2016","url":"https://www.youtube.com/watch?v=XZzLjllizYs","description":"Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). 
Retrieved December 9, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.(Citation: GoogleIO2016)","modified":"2022-04-01T16:51:04.584Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad","created":"2020-12-24T21:55:56.752Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:26:16.282Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploits to root devices and install additional malware on the system partition.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--290a627d-172d-494d-a0cc-685f480a1034","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"forcepoint_bitter","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.","url":"https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"},{"source_name":"Lookout-EnterpriseApps","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T16:16:09.250Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) collects call logs.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15","type":"relationship","created":"2021-09-24T14:47:34.447Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-04T20:08:48.439Z","description":"Device attestation can often detect rooted devices.","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--29357289-362c-447c-b387-9a38b50d7296","created":"2022-04-15T17:20:06.338Z","x_mitre_version":"0.1","external_references":[{"source_name":"Google Bread","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html","description":"A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020."},{"source_name":"Check Point-Joker","url":"https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/","description":"Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Bread](https://attack.mitre.org/software/S0432) uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. [Bread](https://attack.mitre.org/software/S0432) has also abused Java and JavaScript features to obfuscate code. [Bread](https://attack.mitre.org/software/S0432) payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file. [Bread](https://attack.mitre.org/software/S0432) has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.(Citation: Check Point-Joker)(Citation: Google Bread)","modified":"2022-04-15T17:20:06.338Z","relationship_type":"uses","source_ref":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224","type":"relationship","created":"2019-09-03T20:08:00.670Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","source_name":"Talos Gustuff Apr 2019"}],"modified":"2019-10-10T15:19:47.960Z","description":" [Gustuff](https://attack.mitre.org/software/S0406) can capture files and photos from the compromised device.(Citation: Talos Gustuff Apr 2019) ","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590","created":"2019-09-23T13:36:08.543Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"securelist rotexy 2018","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T16:57:05.633Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) can access and upload the contacts list to the command and control server.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye-RuMMS","description":"Wu Zhou, Deyu 
Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.","url":"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:24:38.256Z","description":"[RuMMS](https://attack.mitre.org/software/S0313) uploads incoming SMS messages to a remote command and control server.(Citation: FireEye-RuMMS)","relationship_type":"uses","source_ref":"malware--936be60d-90eb-4c36-9247-4b31128432c4","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce","type":"relationship","created":"2020-12-18T20:14:47.339Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020."}],"modified":"2020-12-18T20:14:47.339Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has used timer events in React Native to initiate the foreground service.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2a472430-c30e-4877-8933-2e75f1de9a01","created":"2022-03-30T14:00:45.120Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T14:00:45.120Z","relationship_type":"revoked-by","source_ref":"attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92","created":"2024-02-21T21:08:13.038Z","revoked":false,"external_references":[{"source_name":"SecurityIntelligence TrickMo","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T21:08:13.038Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0","created":"2023-02-28T20:30:01.082Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:08:11.662Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can retrieve the contacts list from an infected device.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2acc0c1a-af30-4410-976b-31148df5378d","created":"2022-03-28T19:39:42.538Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-28T19:39:42.538Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da","target_ref":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2ae97bcd-0481-415c-8337-12d3a30e6911","created":"2024-02-20T23:58:31.474Z","revoked":false,"external_references":[{"source_name":"Wandera-RedDrop","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.","url":"https://www.wandera.com/reddrop-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:58:31.474Z","description":"[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)","relationship_type":"uses","source_ref":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2af26be3-f910-4700-ab14-9d14532601cc","created":"2023-07-21T19:53:32.703Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:25:51.814Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can access the device’s call log.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7","created":"2023-01-18T19:19:34.604Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:52:35.805Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can send stolen data back to the C2 server.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7","created":"2023-03-20T18:55:33.546Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:44:31.916Z","description":"Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22","created":"2024-03-26T19:04:29.823Z","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). 
Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T19:04:29.823Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) can read SMS messages.(Citation: fb_arid_viper) ","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9","created":"2023-03-20T18:51:07.547Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T17:20:06.469Z","description":"Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16","type":"relationship","created":"2021-02-17T20:43:52.420Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020."}],"modified":"2021-02-17T20:43:52.420Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved device images for exfiltration.(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky-WUC","description":"Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.","url":"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:37:02.853Z","description":"[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole call logs.(Citation: Kaspersky-WUC)","relationship_type":"uses","source_ref":"malware--d05f7357-4cbe-47ea-bf83-b8604226d533","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1","created":"2020-07-20T13:27:33.514Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos-WolfRAT","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:35:47.258Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can delete files from the device.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd","type":"relationship","created":"2020-09-11T14:54:16.644Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020."}],"modified":"2020-09-11T14:54:16.644Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can list files stored on external storage.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57","created":"2024-03-26T18:41:48.583Z","revoked":false,"external_references":[{"source_name":"checkpoint_hamas_android_malware","description":"CheckPoint Research. (2020, February 16). 
Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T18:41:48.583Z","description":"[APT-C-23](https://attack.mitre.org/groups/G1028) can collect the victim’s phone number, device information, IMSI, etc.(Citation: checkpoint_hamas_android_malware) ","relationship_type":"uses","source_ref":"intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6","created":"2023-01-19T18:07:26.323Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:13:32.345Z","description":"[TianySpy](https://attack.mitre.org/software/S1056) can utilize WebViews to display fake authentication pages that capture user credentials.(Citation: trendmicro_tianyspy_0122) ","relationship_type":"uses","source_ref":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07","created":"2023-03-20T18:54:25.458Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:02:50.786Z","description":"The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2cdd5474-620c-499e-8b9c-835505febc2c","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky-MobileMalware","description":"Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.","url":"https://securelist.com/mobile-malware-evolution-2013/58335/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:00:45.438Z","description":"[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)","relationship_type":"uses","source_ref":"malware--d89c132d-7752-4c7f-9372-954a71522985","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f","created":"2023-08-16T16:38:15.526Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:38:15.527Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can perform system checks to verify if the device is rooted or has ADB enabled and can avoid execution if found.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b","created":"2021-02-17T20:49:24.542Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:22:40.300Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) can run arbitrary shell commands.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2d3198ff-a481-47ec-ae64-13d7be706929","created":"2023-02-28T21:41:47.503Z","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T21:41:47.503Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can record video from the device camera.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"PaloAlto-XcodeGhost","description":"Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.","url":"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[XcodeGhost](https://attack.mitre.org/software/S0297) can read and write data in the user’s clipboard.(Citation: PaloAlto-XcodeGhost)","relationship_type":"uses","source_ref":"malware--d9e07aea-baad-4b68-bdca-90c77647d7f9","target_ref":"attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2e08820f-a81d-480e-9e60-f14db3e49080","type":"relationship","created":"2019-09-04T14:28:15.909Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2019-09-04T14:32:12.568Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can take photos and videos.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8","type":"relationship","created":"2019-09-04T15:38:56.994Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"FlexiSpy-Features","url":"https://www.flexispy.com/en/features-overview.htm","description":"FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019."}],"modified":"2019-09-10T14:59:26.171Z","description":" [FlexiSpy](https://attack.mitre.org/software/S0408) can take screenshots of other applications.(Citation: FlexiSpy-Features) ","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1","created":"2020-12-24T21:45:56.920Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:16:17.615Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) has attempted to trick users into enabling installation of applications from unknown sources.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010","created":"2023-12-18T18:08:09.656Z","revoked":false,"external_references":[{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"},{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:08:09.656Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can capture and send real-time screen output.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e","type":"relationship","created":"2020-06-02T14:32:31.888Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Volexity Insomnia","url":"https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/","description":"A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020."}],"modified":"2020-06-02T14:32:31.888Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) obfuscates various pieces of information within the application.(Citation: Volexity Insomnia) ","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3","created":"2020-12-18T20:14:47.316Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"WhiteOps TERRACOTTA","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:50:29.535Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings(Citation: WhiteOps TERRACOTTA).","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0","created":"2019-09-04T20:01:42.722Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Enterprise policies should 
block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. ","modified":"2022-04-01T13:32:19.919Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2e7f8995-93ae-41bb-9baf-53178341d93e","created":"2021-02-08T16:36:20.630Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"BlackBerry Bahamut","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:06:00.885Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has deployed anti-analysis capabilities during their Operation BULL campaign.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2e826926-fd5b-407c-adbc-e998058728d3","type":"relationship","created":"2019-09-04T15:38:56.786Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CyberMerchants-FlexiSpy","url":"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html","description":"Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019."}],"modified":"2019-09-10T14:59:26.139Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can record both incoming and outgoing phone calls, as well as microphone audio.(Citation: CyberMerchants-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2e913583-123a-47af-8872-98fc12ab4a6a","type":"relationship","created":"2020-11-24T17:55:12.846Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.846Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can send SMS messages.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055","created":"2020-01-27T17:05:58.310Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Bouncing Golf 2019","description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:28:20.439Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can collect SMS messages.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76","created":"2019-10-18T14:50:57.472Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Security updates frequently contain patches for known exploits.","modified":"2022-03-25T14:12:54.498Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2f41ab75-3490-4642-8111-9d4d43b88df7","created":"2023-08-04T18:32:23.019Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T20:40:40.079Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can take screenshots and abuse accessibility services to scrape BlackBerry Messenger and WhatsApp messages, contacts, and notifications(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2f55e452-f8b3-402b-a193-d261dac9f327","created":"2022-04-01T18:53:48.715Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T18:53:48.715Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3","type":"relationship","created":"2021-04-19T14:29:46.530Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. 
Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2021-04-19T14:29:46.530Z","description":" [SilkBean](https://attack.mitre.org/software/S0549) can send SMS messages.(Citation: Lookout Uyghur Campaign) ","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7","created":"2023-03-15T16:26:04.949Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:34:52.478Z","description":"The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865","created":"2023-09-28T17:21:02.298Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:21:02.298Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can take photos using the device cameras.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2","created":"2022-04-01T13:27:29.919Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T13:27:29.920Z","relationship_type":"revoked-by","source_ref":"attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386","created":"2023-08-04T19:02:39.950Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T19:02:39.950Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat.(Citation: lookout_hornbill_sunbird_0221) ","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--300c824d-5586-411b-b274-8941a99a98fb","created":"2022-03-30T14:06:01.859Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Device attestation can often detect jailbroken or rooted devices.","modified":"2022-03-30T14:06:01.859Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96","created":"2024-03-28T18:27:40.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:30:47.733Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect file lists on the victim device.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa","created":"2023-08-07T17:12:44.013Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T17:12:44.013Z","description":"Mobile security products can often alert the user if their device is vulnerable to known exploits.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761","created":"2023-12-05T22:17:17.084Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-05T22:17:17.084Z","description":"Security updates frequently contain patches for known software 
vulnerabilities.","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--30ab9ce7-5369-402a-94ee-f8452642acb9","created":"2022-03-30T19:50:37.739Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T19:50:37.739Z","relationship_type":"revoked-by","source_ref":"attack-pattern--8e27551a-5080-4148-a584-c64348212e4f","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546","created":"2023-07-21T19:53:45.997Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:53:45.997Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can request camera permissions.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-07-16T15:35:21.063Z","description":"(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12","target_ref":"malware--a5528622-3a8a-4633-86ce-8cdaf8423858","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f","created":"2022-03-30T18:14:04.881Z","x_mitre_version":"0.1","external_references":[{"source_name":"Symantec-iOSProfile2","url":"https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles","description":"Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018."},{"source_name":"Android-TrustedCA","url":"https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html","description":"Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. 
On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)","modified":"2022-03-30T18:14:04.881Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--319d46b5-de41-4f23-9001-2fa75f954720","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky-MobileMalware","description":"Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.","url":"https://securelist.com/mobile-malware-evolution-2013/58335/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:01:14.020Z","description":"[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)","relationship_type":"uses","source_ref":"malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--322d0123-ea4c-4562-a718-672952c83d05","created":"2023-03-20T18:55:54.372Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:35:51.271Z","description":"Application vetting services could look for misuse of dynamic libraries.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3230c032-17e0-49f7-b948-c157049aafe2","created":"2017-10-25T14:48:53.742Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Users should ensure bootloaders are locked to prevent arbitrary operating system code from being flashed onto the 
device.","modified":"2022-04-01T15:34:50.556Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58","target_ref":"attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3272111a-f31d-47d5-a266-1749255b5016","created":"2019-09-23T13:36:08.335Z","x_mitre_version":"1.0","external_references":[{"source_name":"securelist rotexy 2018","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Rotexy](https://attack.mitre.org/software/S0411) can be controlled through SMS messages.(Citation: securelist rotexy 2018)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--327d0102-2113-4e12-be68-504db097a6fd","created":"2019-08-07T15:57:13.409Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky Riltok June 2019","description":"Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.","url":"https://securelist.com/mobile-banker-riltok/91374/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:01:31.230Z","description":"[Riltok](https://attack.mitre.org/software/S0403) communicates with the command and control server using HTTP requests.(Citation: Kaspersky Riltok June 2019)","relationship_type":"uses","source_ref":"malware--c0efbaae-9e7d-4716-a92d-68373aac7424","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--32958f57-ad9b-4fe1-abf3-6f92df895014","type":"relationship","created":"2019-08-05T13:22:03.917Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-08-09T18:06:11.873Z","description":"[Pallas](https://attack.mitre.org/software/S0399) stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--32be51e2-f74d-441f-aa0d-952697a76494","type":"relationship","created":"2019-09-04T15:38:56.774Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"FortiGuard-FlexiSpy","url":"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf","description":"K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019."}],"modified":"2019-10-14T18:08:28.599Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) uses a `FileObserver` object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. 
[FlexiSpy](https://attack.mitre.org/software/S0408) can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.(Citation: FortiGuard-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--33316f49-f1fb-453a-9ba7-d6889982a010","type":"relationship","created":"2020-07-20T13:27:33.459Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020."}],"modified":"2020-08-10T21:57:54.516Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can obtain a list of installed applications.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3364dd33-c012-4aaf-852b-86e63bd724ac","created":"2023-02-06T19:38:22.312Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cleafy_sova_1122","description":"Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.","url":"https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"},{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. 
(2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-11T22:06:53.022Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather session cookies from infected devices. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also abuse Accessibility Services to steal Google Authenticator tokens.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--33857221-2543-4a7f-8255-b0d140d70ad7","type":"relationship","created":"2020-07-20T13:27:33.461Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020."}],"modified":"2020-08-10T21:57:54.686Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can record call audio.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--34351abd-1f58-420a-a893-ad822839815d","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:33:36.294Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures call logs.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0","type":"relationship","created":"2020-12-14T14:52:03.396Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Sophos Red Alert 2.0","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020."}],"modified":"2020-12-16T20:52:21.426Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) can download additional overlay templates.(Citation: Sophos Red Alert 2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--348d1acd-3f37-4523-95cd-ae002c02c975","created":"2023-08-23T22:17:46.116Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-23T22:17:46.116Z","description":"Users should be wary of iMessages from unknown senders. Additionally, users should be instructed not to open unrecognized links or other attachments in text messages. ","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3498d304-48e3-4fe4-a3ab-fc261104f413","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","source_name":"Lookout-StealthMango"}],"modified":"2019-08-09T17:59:49.094Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) can record audio using the device microphone.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--349c2f82-1166-4dab-88d0-cfe920804b70","created":"2023-12-18T19:06:41.939Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:06:41.939Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can exfiltrate collected data to the C2, such as audio recordings and files.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f","created":"2019-11-21T19:16:34.776Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CheckPoint SimBad 2019","description":"Elena Root, Andrey 
Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.","url":"https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:44:53.855Z","description":"[SimBad](https://attack.mitre.org/software/S0419) registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.(Citation: CheckPoint SimBad 2019)","relationship_type":"uses","source_ref":"malware--f79c01eb-2954-40d8-a819-00b342f47ce7","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--34b6abb0-d199-46bb-af21-b65560e75658","created":"2022-04-01T19:06:40.361Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T19:06:40.361Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","target_ref":"attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--34dd5c26-eec9-4288-8e53-677271d490b2","created":"2023-01-18T19:46:02.646Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). 
SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:43:57.834Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can use accessibility event logging to steal data in text fields.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--34f9aed0-48a7-4815-8456-5541a7b8210f","created":"2019-09-04T14:28:16.487Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-Monokle","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Monokle](https://attack.mitre.org/software/S0407) can record the user's keystrokes.(Citation: Lookout-Monokle)","modified":"2022-04-15T17:34:52.414Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--352fabc8-48fe-4190-92b3-49b00348bb22","created":"2019-03-11T15:13:40.454Z","x_mitre_version":"1.0","external_references":[{"source_name":"TrendMicro-Anserver","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/","description":"Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017."}],"x_mitre_deprecated":false,"revoked":false,"description":"[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) uses encrypted content within a blog site for part of its command and control. 
Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.(Citation: TrendMicro-Anserver)","modified":"2022-04-18T19:04:48.388Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--4bf6ba32-4165-42c1-b911-9c36165891c8","target_ref":"attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--35453bbb-c9b3-4421-8452-95efdd290d21","type":"relationship","created":"2021-01-20T16:01:19.323Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zimperium z9","url":"https://blog.zimperium.com/how-zimperiums-z9-detected-unknown-mobile-malware-overlooked-by-the-av-industry/","description":"zLabs. (2019, November 12). How Zimperium’s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021."}],"modified":"2021-01-20T16:01:19.323Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can collect a list of running processes.(Citation: Zimperium z9)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3565140f-1570-494d-9d6f-91c9203ece69","created":"2023-03-20T18:52:29.821Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T17:14:40.565Z","description":"Usage of insecure or malicious third-party libraries could be detected by application vetting services. 
Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--35927c96-7645-4ef3-b3da-e44822386a10","created":"2023-01-18T21:43:10.838Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:47:19.403Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--fd211238-f767-4599-8c0d-9dca36624626","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c","created":"2023-08-16T16:44:09.459Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:44:09.459Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can use HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--35a12ae8-562d-4e24-979e-ef970dde0b94","created":"2022-04-15T17:52:24.125Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-15T17:52:24.125Z","relationship_type":"revoked-by","source_ref":"attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"Wandera-RedDrop","url":"https://www.wandera.com/reddrop-malware/","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"[RedDrop](https://attack.mitre.org/software/S0326) tricks the user into sending SMS messages to premium services and then deletes those messages.(Citation: Wandera-RedDrop)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3","created":"2020-11-24T17:55:12.830Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos GPlayed","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:21:42.102Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can read SMS messages.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--36268322-9f5e-4749-8760-6430178a3d68","created":"2020-06-26T14:55:13.311Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason EventBot","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). 
EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:25:08.956Z","description":"[EventBot](https://attack.mitre.org/software/S0478) can intercept SMS messages.(Citation: Cybereason EventBot)","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--36298fd6-d909-4490-8a04-095aef9ffafe","type":"relationship","created":"2020-11-20T15:54:07.747Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020."}],"modified":"2020-11-20T15:54:07.747Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can record audio from the microphone and phone calls.(Citation: Symantec GoldenCup) ","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Wandera-RedDrop","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.","url":"https://www.wandera.com/reddrop-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:01:48.463Z","description":"[RedDrop](https://attack.mitre.org/software/S0326) uses HTTP requests for C2 communication.(Citation: Wandera-RedDrop)","relationship_type":"uses","source_ref":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--36c71b5d-e453-488c-ae63-8fb063924c27","created":"2023-08-10T21:57:51.879Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T21:57:51.879Z","description":"The user can review available call logs for irregularities, such as missing or unrecognized 
calls.","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--370bf74f-7499-4d66-9626-a61926af8f84","created":"2023-09-21T22:32:19.683Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T22:32:19.683Z","description":"Application vetting services may detect when an application requests permissions after an application update.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10","type":"relationship","created":"2020-06-26T15:32:25.074Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020."}],"modified":"2020-06-26T15:32:25.074Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) can update the malicious payload module on command.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631","type":"relationship","created":"2020-11-24T17:55:12.885Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.885Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"HackerNews-OldBoot","description":"Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. 
Retrieved December 21, 2016.","url":"http://thehackernews.com/2014/01/first-widely-distributed-android.html"}],"modified":"2018-10-17T00:14:20.652Z","description":"[OldBoot](https://attack.mitre.org/software/S0285) uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.(Citation: HackerNews-OldBoot)","relationship_type":"uses","source_ref":"malware--2074b2ad-612e-4758-adce-7901c1b49bbc","target_ref":"attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc","type":"relationship","created":"2020-12-24T21:55:56.688Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:55:56.688Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has captured audio and can record phone calls.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--37d14338-b629-4b54-b734-446789b79f6f","created":"2023-10-10T15:33:57.641Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason EventBot","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:57.641Z","description":"[EventBot](https://attack.mitre.org/software/S0478) has used icons from popular applications.(Citation: Cybereason EventBot)","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517","created":"2023-08-16T16:45:37.235Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-15T19:17:24.158Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can communicate over port 7242 using HTTP.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3832d2cf-0568-451d-aac9-6fb809fc423d","created":"2024-02-20T21:45:45.021Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cyfirma Bahamut","description":"Cyfirma. (2023, February 10). APT Bahamut Attacks Indian Intelligence Operative using Android Malware. 
Retrieved February 23, 2024.","url":"https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-23T17:31:35.855Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has hidden multimedia files from the user.(Citation: Cyfirma Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--383e5b12-061e-45c6-911b-b37187dd9254","type":"relationship","created":"2021-02-08T16:36:20.701Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"BlackBerry Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021."}],"modified":"2021-05-24T13:16:56.399Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3841024e-1047-40fa-9e25-ac6d5c14612a","created":"2023-02-28T21:41:22.768Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:25:52.302Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view device contacts.(Citation: 
cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3857f790-6ea1-4f37-8d90-90904f175d63","created":"2023-01-18T21:37:55.717Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:48:17.771Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) has C2 commands that can uninstall the app from the infected device.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91","created":"2020-10-29T19:21:23.187Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"WeLiveSecurity AdDisplayAshas","description":"L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:42:27.975Z","description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can hide its icon and create a shortcut based on the C2 server response.(Citation: WeLiveSecurity AdDisplayAshas)","relationship_type":"uses","source_ref":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--386b0a9f-9951-4717-8bce-30c8fbe05050","type":"relationship","created":"2020-06-26T15:32:24.955Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020."}],"modified":"2020-06-26T15:32:24.955Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) uses standard payload and string obfuscation techniques.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b","created":"2024-02-23T19:53:28.913Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-23T19:53:28.913Z","description":"","relationship_type":"subtechnique-of","source_ref":"attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3","target_ref":"attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--38962b26-7cbe-4761-8b4f-50a022167c4d","created":"2019-09-03T20:08:00.708Z","x_mitre_version":"1.0","external_references":[{"source_name":"Talos Gustuff Apr 2019","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Gustuff](https://attack.mitre.org/software/S0406) checks for antivirus software contained in a predefined list.(Citation: Talos Gustuff Apr 2019)","modified":"2022-04-15T16:55:56.825Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951","created":"2023-01-19T18:08:14.716Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-01T16:50:04.964Z","description":"[TianySpy](https://attack.mitre.org/software/S1056) has encrypted C2 details, email addresses, and passwords.(Citation: trendmicro_tianyspy_0122) ","relationship_type":"uses","source_ref":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4","created":"2023-03-30T15:18:37.934Z","revoked":false,"external_references":[{"source_name":"cleafy_sova_1122","description":"Francesco Lubatti, Federico Valentini. 
(2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.","url":"https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T15:18:37.934Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can take screenshots and abuse the Android Screen Cast feature to capture screen data.(Citation: cleafy_sova_1122)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e","type":"relationship","created":"2020-12-14T14:52:03.310Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Sophos Red Alert 2.0","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020."}],"modified":"2020-12-14T14:52:03.310Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) can send SMS messages.(Citation: Sophos Red Alert 2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d","created":"2020-09-11T14:54:16.587Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Desert Scorpion","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.","url":"https://blog.lookout.com/desert-scorpion-google-play"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:25:21.998Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can retrieve SMS messages.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--393300c4-6852-466d-a163-1d51330fe055","created":"2023-03-20T18:45:39.292Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:40:52.983Z","description":"Mobile security products can potentially detect jailbroken 
devices.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a","created":"2020-11-20T16:37:28.591Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Symantec GoldenCup","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:02:09.253Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) has communicated with the C2 using MQTT and HTTP.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2","created":"2023-03-20T19:00:26.780Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:04:24.775Z","description":"Application vetting services could potentially detect the usage of APIs intended for artifact 
hiding.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0","created":"2022-04-11T20:05:56.540Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-11T20:05:56.540Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08","target_ref":"attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3a18f41d-876c-403a-80cc-47ef57ae630d","created":"2023-09-25T19:53:56.034Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T19:53:56.034Z","description":"Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456","target_ref":"attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3a282967-0536-474d-8831-30cd60b818a9","created":"2023-09-28T17:20:38.294Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:20:38.294Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can initiate phone calls.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010","created":"2024-02-20T23:51:50.439Z","revoked":false,"external_references":[{"source_name":"SWB Exodus March 2019","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:51:50.439Z","description":"[Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41","created":"2024-03-28T18:10:46.740Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:30:56.849Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obfuscate code and strings to evade detection.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a","created":"2022-04-01T14:51:51.593Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications. 
","modified":"2022-04-01T14:51:51.593Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3abc80ad-4ea0-4e91-a170-f040469c2083","type":"relationship","created":"2020-07-20T13:27:33.483Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020."}],"modified":"2020-08-10T21:57:54.688Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can take photos and videos.(Citation: 
Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd","created":"2022-04-01T15:02:43.475Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T15:02:43.475Z","relationship_type":"revoked-by","source_ref":"attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38","target_ref":"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265","created":"2021-04-19T14:29:46.510Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:15:42.930Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign) ","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:41:33.829Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"revoked-by","source_ref":"attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9","target_ref":"attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky-WUC","description":"Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.","url":"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:02:40.717Z","description":"[Android/Chuli.A](https://attack.mitre.org/software/S0304) used HTTP uploads to a URL as a command and control mechanism.(Citation: Kaspersky-WUC)","relationship_type":"uses","source_ref":"malware--d05f7357-4cbe-47ea-bf83-b8604226d533","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3b24a287-36e1-49b9-811d-c0080147ff57","created":"2023-03-20T18:41:47.754Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T22:45:47.105Z","description":"Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3be6ad82-722d-4699-8e3a-c1ea60018244","created":"2023-03-16T13:32:55.140Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:29:15.000Z","description":"Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3bf4b093-a1a3-48da-9236-bce9514765eb","created":"2022-04-05T19:46:05.853Z","x_mitre_version":"0.1","external_references":[{"source_name":"Samsung Keyboards","url":"https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-","description":"Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. 
Retrieved September 1, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards)","modified":"2022-04-05T19:46:05.853Z","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3bf5a566-986b-478c-b2da-e57caf261378","type":"relationship","created":"2019-09-03T19:45:48.515Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019."}],"modified":"2019-09-11T13:25:19.216Z","description":" [Exodus](https://attack.mitre.org/software/S0405) Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414","created":"2019-10-18T14:50:57.521Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. ","modified":"2022-03-30T20:08:17.127Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3c291ee5-1782-4e5b-8131-5188c7388f45","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"FireEye-RuMMS","description":"Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.","url":"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}],"modified":"2018-10-17T00:14:20.652Z","description":"[RuMMS](https://attack.mitre.org/software/S0313) gathers the device phone number and IMEI and transmits them to a command and control server.(Citation: FireEye-RuMMS)","relationship_type":"uses","source_ref":"malware--936be60d-90eb-4c36-9247-4b31128432c4","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7","type":"relationship","created":"2019-10-15T19:33:42.204Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Kaspersky-Skygofree","description":"Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.","url":"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}],"modified":"2019-10-15T19:33:42.204Z","description":"[Skygofree](https://attack.mitre.org/software/S0327) can track the device's location.(Citation: Kaspersky-Skygofree)","relationship_type":"uses","source_ref":"malware--3a913bac-4fae-4d0e-bca8-cae452f1599b","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3c43d125-6719-420e-bb69-878cc91c2474","created":"2020-09-15T15:18:12.428Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason FakeSpy","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:45:11.727Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can register for the `BOOT_COMPLETED` broadcast Intent.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3","created":"2023-10-10T15:33:58.361Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Proofpoint-Droidjack","description":"Proofpoint. (2016, July 7). DroidJack Uses Side-Load…It's Super Effective! Backdoored Pokemon GO Android App Found. 
Retrieved January 20, 2017.","url":"https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.361Z","description":"[DroidJack](https://attack.mitre.org/software/S0320) included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.(Citation: Proofpoint-Droidjack)","relationship_type":"uses","source_ref":"malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5","created":"2023-08-16T16:40:34.787Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:40:34.787Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can gather device location data.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad","created":"2020-04-24T15:06:33.397Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro Coronavirus Updates","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:37:37.674Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can collect the device’s call log.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3c90dc4c-8156-49ae-8144-76526268a6c1","created":"2023-08-04T18:32:08.706Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:32:08.706Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can request device administrator privileges. 
(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a","created":"2019-07-16T14:33:12.175Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky Triada March 2016","description":"Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.","url":"https://www.kaspersky.com/blog/triada-trojan/11481/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:25:35.330Z","description":"[Triada](https://attack.mitre.org/software/S0424) variants capture transaction data from SMS-based in-app purchases.(Citation: Kaspersky Triada March 2016) ","relationship_type":"uses","source_ref":"malware--f082fc59-0317-49cf-971f-a1b6296ebb52","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00","type":"relationship","created":"2020-09-15T15:18:12.421Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason FakeSpy","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world","description":"O. Almkias. (2020, July 1). 
FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020."}],"modified":"2020-09-15T15:18:12.421Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can collect a list of installed applications.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"modified":"2019-08-09T17:52:31.838Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to exploit well-known Android OS vulnerabilities to escalate privileges.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c","created":"2024-04-18T15:36:58.833Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"MSTIC Octo Tempest Operations October 2023","description":"Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. 
Retrieved March 18, 2024.","url":"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-18T17:49:54.985Z","description":"[Scattered Spider](https://attack.mitre.org/groups/G1015) has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.(Citation: MSTIC Octo Tempest Operations October 2023)","relationship_type":"uses","source_ref":"intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b","type":"relationship","created":"2021-01-05T20:16:20.419Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.419Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture audio from the device’s microphone and can record phone calls.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3d65c2b7-c907-45e1-b942-95f7d765e749","created":"2023-03-20T18:53:34.056Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:29:32.104Z","description":"Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3db58541-3870-424d-ad74-f2b84ff87abb","created":"2023-07-14T19:06:42.839Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-14T19:10:57.654Z","description":"Unexpected behavior from an application could be an indicator of 
masquerading.","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3dd0cd4d-bcde-4105-b98e-b32add191083","created":"2020-01-27T17:05:58.331Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Bouncing Golf 2019","description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:39:39.589Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) exfiltrates data using HTTP POST requests.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3dff770d-9627-4647-b945-7f24a97b2273","type":"relationship","created":"2019-09-15T15:26:22.926Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2020-06-24T15:02:13.533Z","description":"An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's 
accessibility features.","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de","created":"2023-06-09T19:17:12.858Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-06-09T19:17:12.858Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can record environmental and call audio.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3e2474d3-f36d-4193-92f6-273296befdd3","created":"2022-04-05T19:38:18.760Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should protect their account credentials and enable multi-factor authentication options when available. 
","modified":"2022-04-05T19:38:18.760Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60","created":"2020-11-24T17:55:12.828Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos GPlayed","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:21:27.210Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can access the device’s contact list.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf","description":"CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.","source_name":"CrowdStrike-Android"}],"modified":"2020-03-20T16:37:06.668Z","description":"(Citation: CrowdStrike-Android)","relationship_type":"uses","source_ref":"intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c","target_ref":"malware--56660521-6db4-4e5a-a927-464f22954b7c","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364","created":"2023-02-06T19:46:19.592Z","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-06T19:46:19.592Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) has C2 commands to add an infected device to a DDoS pool.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56","created":"2017-10-25T14:48:53.738Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Android 9 introduced a new security policy that prevents applications from reading or writing data to other applications’ internal storage directories, regardless of permissions. 
","modified":"2022-04-01T13:51:48.934Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817","created":"2019-09-20T18:03:57.062Z","x_mitre_version":"1.0","external_references":[{"source_name":"Android 10 Execute","url":"https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission","description":"Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. (Citation: Android 10 Execute)","modified":"2022-04-01T18:37:44.516Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb","created":"2024-03-26T16:14:04.853Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"blackberry_mobile_malware_apt_esp","description":"BlackBerry Research and Insights Team. (n.d.). 
Mobile Malware and APT Espionage. Retrieved March 1, 2024.","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-16T21:14:22.641Z","description":"[BITTER](https://attack.mitre.org/groups/G1002) has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.(Citation: blackberry_mobile_malware_apt_esp) ","relationship_type":"uses","source_ref":"intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3efe7dcc-a572-45ac-aff2-2932206a0632","created":"2019-08-07T15:57:13.441Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky Riltok June 2019","description":"Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.","url":"https://securelist.com/mobile-banker-riltok/91374/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:52:06.559Z","description":"[Riltok](https://attack.mitre.org/software/S0403) can access and upload the device's contact list to the command and control server.(Citation: Kaspersky Riltok June 2019)","relationship_type":"uses","source_ref":"malware--c0efbaae-9e7d-4716-a92d-68373aac7424","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365","created":"2019-09-04T14:28:15.950Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:35:59.273Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13","created":"2020-10-29T17:48:27.425Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:45:26.765Z","description":"[Exobot](https://attack.mitre.org/software/S0522) has registered to receive the `BOOT_COMPLETED` broadcast intent.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3f392718-87c4-483b-b89f-4f0cc056d251","type":"relationship","created":"2020-07-20T13:58:53.610Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro-XLoader-FakeSpy","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020."}],"modified":"2020-09-24T15:12:24.302Z","description":"[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device’s UDID, version number, and product number.(Citation: TrendMicro-XLoader-FakeSpy)","relationship_type":"uses","source_ref":"malware--29944858-da52-4d3d-b428-f8a6eb8dde6f","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3f47f048-badd-4476-8534-d06e20c02ec6","created":"2023-06-09T19:18:59.889Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-06-09T19:18:59.889Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can use HTTP and HTTP POST to communicate information to the C2.(Citation: 
lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd","created":"2023-03-20T18:43:03.117Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T22:30:26.847Z","description":"Application vetting services could look for use of the accessibility service or features that typically require root access.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3f81a680-3151-4608-b83f-550756632013","type":"relationship","created":"2020-07-20T13:58:53.604Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro-XLoader-FakeSpy","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020."}],"modified":"2020-09-24T15:12:24.301Z","description":"[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device’s IMEM, ICCID, and MEID.(Citation: TrendMicro-XLoader-FakeSpy)","relationship_type":"uses","source_ref":"malware--29944858-da52-4d3d-b428-f8a6eb8dde6f","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3f973c3c-45f8-432a-9859-e8749f2e7418","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"modified":"2019-08-09T17:52:31.848Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. 
It also has the ability to access arbitrary filenames and retrieve directory listings.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645","type":"relationship","created":"2021-02-08T16:36:20.655Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"BlackBerry Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."}],"modified":"2021-05-24T13:16:56.410Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a","created":"2020-06-26T14:55:13.304Z","x_mitre_version":"1.0","external_references":[{"source_name":"Cybereason EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). 
EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[EventBot](https://attack.mitre.org/software/S0478) can display popups over running applications.(Citation: Cybereason EventBot)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb","created":"2023-08-16T16:44:30.692Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:44:30.692Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can send stolen data over HTTP.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4009ff40-4616-4b1c-bff9-599e52ccab37","created":"2020-01-27T17:05:58.263Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Bouncing Golf 
2019","description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:28:34.373Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device’s contact list.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4088b31b-d542-4935-84b4-82b592159591","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/","description":"Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.","source_name":"TrendMicro-RCSAndroid"}],"modified":"2019-10-10T15:22:52.591Z","description":"[RCSAndroid](https://attack.mitre.org/software/S0295) can collect contacts and messages from popular applications, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.(Citation: TrendMicro-RCSAndroid)","relationship_type":"uses","source_ref":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4","created":"2022-04-05T19:38:41.538Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device’s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. ","modified":"2022-04-05T19:38:41.538Z","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--40f30137-4db9-4596-b4c7-a12f1497fd92","created":"2020-11-10T17:08:35.831Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. 
Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.(Citation: Lookout Uyghur Campaign)","modified":"2022-04-18T16:02:42.303Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151","created":"2023-12-18T18:50:27.381Z","revoked":false,"external_references":[{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:50:27.381Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can request the user unlock the device, or remotely unlock the device.(Citation: securelist_brata_0819)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--418168ad-fee9-42c8-ac27-11f7472a5f86","created":"2019-09-03T19:45:48.498Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SWB Exodus March 2019","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:09:08.738Z","description":"[Exodus](https://attack.mitre.org/software/S0405) One checks in with the command and control server using HTTP POST requests.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--41da5845-a1a8-4d10-8929-053be3496396","created":"2022-04-20T17:46:43.542Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList - ViceLeaker 2019","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"},{"source_name":"Bitdefender - Triout 2018","description":"L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.","url":"https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:39:57.165Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP data exfiltration.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4","created":"2022-04-06T15:28:20.249Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be instructed to not grant applications unexpected or unnecessary permissions. ","modified":"2022-04-06T15:28:20.249Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--42342d72-a37c-477e-b8f1-1768273fcb7f","created":"2019-10-18T15:51:48.451Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Users should be advised not to grant consent for screen captures to occur unless expected. 
Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. ","modified":"2022-04-01T13:32:32.335Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7","created":"2023-08-16T16:33:12.493Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:33:12.493Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as other applications, such as a cryptocurrency app called ‘CoinSpot’, and IKO bank in Poland. 
It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423) ","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000","created":"2022-03-30T15:13:42.462Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T15:13:42.462Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831","target_ref":"attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e","created":"2020-06-26T15:32:24.921Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Cerberus","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:50:47.973Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9","created":"2023-12-18T18:10:38.421Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:10:38.421Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can perform a factory reset.(Citation: cleafy_brata_0122)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09","type":"relationship","created":"2021-02-08T16:36:20.846Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"BlackBerry Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021."}],"modified":"2021-05-24T13:16:56.596Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has exfiltrated local account data and calendar information as part of Operation ROCK.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"Gooligan Citation","url":"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/","description":"Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Gooligan](https://attack.mitre.org/software/S0290) can install adware to generate revenue.(Citation: Gooligan Citation)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--20d56cd6-8dff-4871-9889-d32d254816de","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396","type":"relationship","created":"2020-12-14T15:02:35.304Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Securelist Asacub","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020."}],"modified":"2020-12-14T15:02:35.304Z","description":"[Asacub](https://attack.mitre.org/software/S0540) has stored encrypted strings in the APK file.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b","type":"relationship","created":"2020-07-20T13:27:33.549Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). 
The wolf is back... . Retrieved July 20, 2020."}],"modified":"2020-08-10T21:57:54.524Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674","created":"2023-01-18T19:56:01.025Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:48:53.396Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can intercept SMS messages.(Citation: 
nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"modified":"2019-10-10T15:27:22.174Z","description":"[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather cellular IDs.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--35aae10a-97c5-471a-9c67-02c231a7a31a","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50","created":"2020-06-26T15:32:25.025Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Cerberus","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:52:43.629Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) can obtain the device’s contact list.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a","created":"2023-03-20T18:53:35.012Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:24:02.473Z","description":"On Android, the user is presented with a permissions popup when an application requests access to external device storage.","relationship_type":"detects","source_ref":"x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38","type":"relationship","created":"2020-05-11T16:37:36.616Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html","source_name":"ThreatFabric Ginp"}],"modified":"2020-05-11T16:37:36.616Z","description":" [Ginp](https://attack.mitre.org/software/S0423) can inject input to make itself the default SMS handler.(Citation: ThreatFabric Ginp) ","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--43af5696-ac4d-4618-9da9-0784b8f7e433","created":"2023-12-18T19:07:55.393Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:07:55.393Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can collect the device’s contact list.(Citation: 
welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358","type":"relationship","created":"2020-11-10T17:08:35.664Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-01T19:48:44.840Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has looked for specific applications, such as MiCode.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--442dd700-2d7d-4cad-8282-9027e4f69133","created":"2022-03-30T20:31:41.927Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"New OS releases frequently contain additional limitations or controls around device location access.","modified":"2022-03-30T20:31:41.927Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--498e7b81-238d-404c-aa5e-332904d63286","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--44304163-9a44-4760-bd04-0e14adb33299","created":"2022-04-01T15:13:40.779Z","x_mitre_version":"0.1","external_references":[{"source_name":"Trend Micro iOS URL Hijacking","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/","description":"L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. 
Retrieved September 11, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.","modified":"2022-04-01T15:13:40.779Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4449ac76-8329-4483-b152-99b990006cbc","created":"2019-09-04T15:38:56.937Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FlexiSpy-Features","description":"FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.","url":"https://www.flexispy.com/en/features-overview.htm"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:58:10.115Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can collect a list of known Wi-Fi access points.(Citation: FlexiSpy-Features) ","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4454a696-7619-40ee-971b-cbf646e4ee61","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-EnterpriseApps","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[PJApps](https://attack.mitre.org/software/S0291) has the capability to send messages to premium SMS messages.(Citation: Lookout-EnterpriseApps)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--c709da93-20c3-4d17-ab68-48cba76b2137","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2","created":"2023-03-20T18:53:15.929Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:23:14.948Z","description":"Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--44b63426-1ea7-456e-907b-0856e3eab0c3","type":"relationship","created":"2020-12-31T18:25:05.142Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020."}],"modified":"2020-12-31T18:25:05.142Z","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has collected the device’s location.(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--44da429b-9dee-43c9-9397-445c6f9e647e","created":"2022-03-30T19:54:59.651Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Android includes system partition integrity mechanisms that could detect unauthorized modifications. ","modified":"2022-03-30T19:54:59.651Z","relationship_type":"mitigates","source_ref":"course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-Pegasus","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.(Citation: Lookout-Pegasus)","modified":"2022-04-15T19:47:48.036Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--45253350-c802-4566-a72d-57d43d05fd63","type":"relationship","created":"2020-05-07T15:24:49.530Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2020-05-27T13:23:34.536Z","description":"Security updates frequently contain patches to vulnerabilities.","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--45383213-4323-4f77-9f9f-360d6d43c128","created":"2024-04-02T19:13:21.430Z","revoked":false,"external_references":[{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:13:21.430Z","description":"[HilalRAT](https://attack.mitre.org/software/S1128) can retrieve a device’s contact list.(Citation: Meta Adversarial Threat Report 2022)","relationship_type":"uses","source_ref":"malware--55714f87-6178-4b89-b3e5-d3a643f647ca","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9","created":"2022-04-06T13:57:38.847Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T13:57:38.847Z","relationship_type":"revoked-by","source_ref":"attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--455b1287-5784-42b4-91fb-01dac007758d","created":"2020-09-29T13:24:15.234Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-Dendroid","url":"https://blog.lookout.com/blog/2014/03/06/dendroid/","description":"Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Dendroid](https://attack.mitre.org/software/S0301) can open a dialog box to ask the user for passwords.(Citation: Lookout-Dendroid)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--317a2c10-d489-431e-b6b2-f0251fddc88e","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4586277d-bebd-4717-87c6-a31a9be741ed","type":"relationship","created":"2020-12-24T21:45:56.982Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:45:56.982Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) can get file lists on the SD card.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb","created":"2020-12-14T14:52:03.184Z","x_mitre_version":"1.0","external_references":[{"source_name":"Sophos Red Alert 2.0","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) has used malicious overlays to collect banking credentials.(Citation: Sophos Red Alert 
2.0)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1","created":"2022-04-05T19:48:31.354Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T19:48:31.354Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","target_ref":"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e","created":"2020-01-27T17:05:58.335Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Bouncing Golf 2019","description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:28:07.442Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4761145d-34ac-4b45-a0d6-a09b1907a196","type":"relationship","created":"2020-12-18T20:14:47.367Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020."}],"modified":"2020-12-18T20:14:47.367Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af","created":"2020-12-14T14:52:03.322Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Sophos Red Alert 2.0","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:52:58.974Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device’s contact list.(Citation: Sophos Red Alert 
2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--477edf7d-cc1f-49b7-9d96-f88399808775","created":"2022-04-05T20:15:43.660Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T20:15:43.660Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8","target_ref":"attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4819f391-01de-4525-992b-7e4a4f6667de","type":"relationship","created":"2020-11-20T15:46:51.603Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020."}],"modified":"2020-11-20T15:46:51.603Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can take pictures with the camera.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--481e5d33-eca4-453c-9fec-27ee01d50989","created":"2023-02-28T21:45:41.365Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:26:12.006Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view files and media.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--48486680-530c-4ed9-aca3-94969aa262b6","created":"2019-07-10T15:35:43.665Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. 
(2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:38:00.609Z","description":"[Pallas](https://attack.mitre.org/software/S0399) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--48552acc-5f1a-422f-90fa-37108446f36d","created":"2022-03-30T19:14:20.374Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T19:14:20.374Z","relationship_type":"revoked-by","source_ref":"attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa","target_ref":"attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--48854999-1c12-4454-bb7c-051691a081f9","created":"2022-03-28T19:25:49.640Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Ensure Verified Boot is enabled on devices with that 
capability.","modified":"2022-03-28T19:25:49.640Z","relationship_type":"mitigates","source_ref":"course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321","target_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4896e256-fb04-403c-bbb7-2323b158a6e0","created":"2022-03-30T19:52:05.143Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T19:52:05.143Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","target_ref":"attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4897ef75-0035-4ae5-b325-de2f6b27565f","created":"2023-09-21T22:31:28.428Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T22:31:28.428Z","description":"Application vetting services may look for indications that the application’s update includes malicious code at runtime. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74","type":"relationship","created":"2021-01-05T20:16:20.511Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.511Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) has contained an alarm that triggers every three minutes and timers for communicating with the C2.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee","created":"2023-09-28T17:19:00.464Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:19:00.464Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can request the `DISABLE_KEYGUARD` permission to disable the device lock screen password.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4920a041-86f7-495b-896c-4d964950ed7e","type":"relationship","created":"2020-12-17T20:15:22.454Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019."}],"modified":"2020-12-17T20:15:22.454Z","description":"[HenBox](https://attack.mitre.org/software/S0544) has contained native libraries.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--492d5699-f885-411a-8431-254fcf33fb12","created":"2019-08-09T16:14:58.367Z","x_mitre_version":"1.0","external_references":[{"source_name":"Android Capture Sensor 2019","url":"https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access","description":"Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 9 and above restricts access to the mic, camera, and other device sensors from applications running in the background. 
iOS 14 and Android 12 introduced a visual indicator on the status bar (green dot) when an application is accessing the device’s camera.(Citation: Android Capture Sensor 2019)","modified":"2022-04-01T13:56:12.774Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4943cca6-69b1-4565-ac09-87ebda04584c","created":"2022-04-01T18:52:02.211Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be taught the dangers of rooting or jailbreaking their device.","modified":"2022-04-01T18:52:02.211Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--496976ef-4a0c-4782-95e7-231bd44df162","type":"relationship","created":"2020-12-14T15:02:35.295Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Securelist Asacub","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020."}],"modified":"2020-12-14T15:02:35.295Z","description":"[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device information, including device model and OS version.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--49c0c003-433c-467f-93b7-ca585aab8232","created":"2023-08-16T16:46:17.841Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:46:17.841Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can register as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4a408dee-07da-4855-b2ff-be512480ccb5","created":"2023-01-19T18:08:41.596Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). 
TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:18:05.095Z","description":"[TianySpy](https://attack.mitre.org/software/S1056) can gather device UDIDs.(Citation: trendmicro_tianyspy_0122) ","relationship_type":"uses","source_ref":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57","created":"2023-03-20T18:43:49.345Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Android-AppLinks","description":"Android. (n.d.). Handling App Links. Retrieved December 21, 2016.","url":"https://developer.android.com/training/app-links/index.html"},{"source_name":"IETF-OAuthNativeApps","description":"W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.","url":"https://tools.ietf.org/html/rfc8252"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:09:09.008Z","description":"When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). 
For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5","created":"2023-03-03T16:26:20.400Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:26:20.400Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about running processes.(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e","type":"relationship","created":"2020-04-24T15:06:33.519Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro Coronavirus 
Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020."}],"modified":"2020-04-24T15:06:33.519Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application’s notification content.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952","created":"2020-04-24T17:46:31.564Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecurityIntelligence TrickMo","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:25:55.378Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can intercept SMS messages.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4a936488-526c-40c1-b2d5-490052cb0e73","created":"2020-12-31T18:25:05.162Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:22:53.698Z","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can run bash commands.(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d","created":"2023-02-28T21:43:12.487Z","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. 
Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T21:43:12.487Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can make and block phone calls.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d","created":"2023-03-16T18:28:40.419Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:11:01.943Z","description":"Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application’s manifest, or `NSCalendarsUsageDescription` in an iOS application’s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257","type":"relationship","created":"2020-10-29T17:48:27.469Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Exobot","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020."}],"modified":"2020-10-29T17:48:27.469Z","description":"[Exobot](https://attack.mitre.org/software/S0522) can forward SMS messages.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3","created":"2020-09-15T15:18:12.462Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason FakeSpy","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:42:40.327Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can hide its icon if it detects that it is being run on an emulator.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4aec0738-2c76-4dc7-af8a-87785e658193","created":"2021-10-01T14:42:49.152Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList BusyGasper","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:26:18.801Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can run shell commands.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4af26643-880f-4c34-a4a8-23e89b950c9d","created":"2019-09-04T15:38:56.883Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CyberMerchants-FlexiSpy","description":"Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.","url":"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:18:38.582Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can collect the device calendars.(Citation: CyberMerchants-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a","type":"relationship","created":"2020-12-24T21:55:56.726Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:55:56.726Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has downloaded additional code to root devices, such as TowelRoot.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1","created":"2021-10-01T14:42:49.176Z","x_mitre_version":"1.0","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021."}],"x_mitre_deprecated":false,"revoked":false,"description":"[BusyGasper](https://attack.mitre.org/software/S0655) can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.(Citation: SecureList BusyGasper)","modified":"2022-04-15T17:33:49.565Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4b68bcb1-a512-40f7-9aee-235b3668f022","type":"relationship","created":"2020-01-27T17:05:58.271Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). 
Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:05:58.271Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can obtain clipboard contents.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4b7e117b-0c82-49d0-bee6-119158b3355b","created":"2023-02-28T20:32:37.800Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T20:32:50.168Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can disable Google Play Protect to prevent detection.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4b838636-bfa4-4592-b72f-3044946b8187","created":"2020-09-14T14:13:45.236Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout eSurv","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/esurv-research"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:53:16.656Z","description":"[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate the device’s contact list.(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61","type":"relationship","created":"2020-04-24T15:06:33.495Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020."}],"modified":"2020-04-24T15:06:33.495Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can track the device’s location.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1","type":"relationship","created":"2021-02-08T16:36:20.801Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"BlackBerry Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."}],"modified":"2021-05-24T13:16:56.571Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has included video recording in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4c035760-9bf2-40cd-87d1-f286afd76376","created":"2023-07-21T19:41:45.173Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:41:45.173Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can collect clipboard data.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11","created":"2022-09-29T20:08:54.389Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cylance Dust Storm","description":"Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.","url":"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-30T18:38:37.195Z","description":"During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices.(Citation: Cylance Dust Storm)","relationship_type":"uses","source_ref":"campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd","created":"2019-09-03T19:45:48.503Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SWB Exodus March 2019","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:10:38.937Z","description":"[Exodus](https://attack.mitre.org/software/S0405) Two can download the address book.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4cb926c1-c242-45c2-be46-07c22435a8a5","created":"2022-09-30T19:23:02.689Z","revoked":false,"external_references":[{"source_name":"Cylance Dust Storm","description":"Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.","url":"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-30T19:23:02.689Z","description":"During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.(Citation: Cylance Dust 
Storm)","relationship_type":"uses","source_ref":"campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c","created":"2019-09-03T20:08:00.687Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos Gustuff Apr 2019","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:31:38.319Z","description":"[Gustuff](https://attack.mitre.org/software/S0406) can intercept two-factor authentication codes transmitted via SMS.(Citation: Talos Gustuff Apr 2019) ","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1","created":"2023-03-20T15:16:19.428Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T22:16:55.879Z","description":"Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious 
shells.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3","created":"2023-02-06T19:43:43.574Z","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-06T19:43:43.574Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can uninstall itself.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa","type":"relationship","created":"2020-11-24T17:55:12.804Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.804Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) has the capability to remotely load plugins and download and compile new .NET code.(Citation: Talos GPlayed) ","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4d542595-1eb0-45aa-9702-9d494142b390","type":"relationship","created":"2019-08-09T18:08:07.109Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/","description":"Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.","source_name":"Kaspersky-Skygofree"}],"modified":"2019-08-09T18:08:07.109Z","description":"[Skygofree](https://attack.mitre.org/software/S0327) can record video or capture photos when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)","relationship_type":"uses","source_ref":"malware--3a913bac-4fae-4d0e-bca8-cae452f1599b","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b","created":"2021-01-05T20:16:20.492Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler TikTok Spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:47:18.774Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) has registered for device boot, incoming, and outgoing calls broadcast intents.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FireEye-RuMMS","description":"Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.","url":"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:03:03.296Z","description":"[RuMMS](https://attack.mitre.org/software/S0313) uses HTTP for command and control.(Citation: FireEye-RuMMS)","relationship_type":"uses","source_ref":"malware--936be60d-90eb-4c36-9247-4b31128432c4","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99","created":"2023-09-21T22:19:04.080Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T22:19:04.080Z","description":"Enterprises can provision policies to mobile devices for application allow-listing, ensuring only approved applications are installed onto mobile devices. ","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c","created":"2023-12-18T18:10:16.764Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"},{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"},{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:10:16.764Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can log device keystrokes.(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36","created":"2020-05-07T15:33:32.895Z","x_mitre_version":"1.0","external_references":[{"source_name":"CheckPoint Agent Smith","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Agent Smith](https://attack.mitre.org/software/S0440) shows fraudulent ads to generate revenue.(Citation: CheckPoint Agent Smith)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--a6228601-03f6-4949-ae22-c1087627a637","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4df6a22e-489f-400c-b953-cc53bfb708a3","type":"relationship","created":"2020-09-14T14:13:45.296Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout eSurv","url":"https://blog.lookout.com/esurv-research","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020."}],"modified":"2020-09-14T14:13:45.296Z","description":"[eSurv](https://attack.mitre.org/software/S0507)’s iOS version can collect device information.(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4e68feca-083f-40ed-88d8-2b6a3935c949","created":"2023-01-18T19:12:11.201Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:53:38.271Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can use the Android `CallScreeningService` to silently block incoming calls.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7","created":"2020-07-20T13:27:33.440Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos-WolfRAT","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:26:22.984Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can collect SMS messages.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819","type":"relationship","created":"2019-08-07T15:57:13.412Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Kaspersky Riltok June 2019","url":"https://securelist.com/mobile-banker-riltok/91374/","description":"Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019."}],"modified":"2019-09-15T15:36:42.312Z","description":"[Riltok](https://attack.mitre.org/software/S0403) can retrieve a list of installed applications. 
Installed application names are then checked against an adversary-defined list of targeted applications.(Citation: Kaspersky Riltok June 2019)","relationship_type":"uses","source_ref":"malware--c0efbaae-9e7d-4716-a92d-68373aac7424","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446","created":"2020-12-14T14:52:03.294Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Sophos Red Alert 2.0","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:26:37.661Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect SMS messages.(Citation: Sophos Red Alert 2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309","created":"2024-03-28T18:28:13.667Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:31:07.234Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect call logs.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4ee57616-7205-490c-86c3-c27dcffd8689","created":"2022-04-06T13:35:43.203Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Recent OS versions have limited access to certain APIs unless certain conditions are met, making [Data Manipulation](https://attack.mitre.org/techniques/T1641) more difficult","modified":"2022-04-06T13:35:43.203Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4efa4953-7854-4144-8837-d7831ccbe35d","type":"relationship","created":"2020-04-24T17:46:31.691Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecurityIntelligence 
TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020."}],"modified":"2020-04-24T17:46:31.691Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can collect a list of installed applications.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-Pegasus","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) uses SMS for command and control.(Citation: Lookout-Pegasus)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:13:18.720Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses call logs.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54","type":"relationship","created":"2021-10-01T14:42:48.744Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList 
BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021."}],"modified":"2021-10-01T14:42:48.744Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can record audio.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4f812a57-efdc-463b-bf37-baa4bca7502b","created":"2020-05-04T14:22:20.348Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecurityIntelligence TrickMo","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:35:00.081Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can uninstall itself from a device on command by abusing the accessibility service.(Citation: SecurityIntelligence TrickMo) 
","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4fc165fd-185e-4c70-b423-c242cf715510","created":"2019-10-07T16:32:27.127Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"securelist rotexy 2018","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T16:55:21.480Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) checks if it is running in an analysis environment.(Citation: securelist rotexy 2018) ","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760","created":"2022-03-30T14:41:20.735Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android Changes to System Broadcasts","url":"https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts","description":"Google. (2019, December 27). Broadcasts Overview. 
Retrieved January 27, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts)","modified":"2022-03-30T14:41:20.735Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3","created":"2023-02-28T21:44:45.063Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:26:33.166Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can use overlays to cover legitimate applications or screens.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler-SpyNote","description":"Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.","url":"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:53:41.561Z","description":"[SpyNote RAT](https://attack.mitre.org/software/S0305) can view contacts.(Citation: Zscaler-SpyNote)","relationship_type":"uses","source_ref":"malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b","created":"2023-07-21T19:51:08.375Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:51:08.375Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can access a device’s location.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966","created":"2023-08-04T18:31:30.237Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). 
Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:31:30.237Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can access images stored on external storage.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--506d657b-1634-442e-8179-7187f82feb3a","created":"2020-12-24T21:55:56.691Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:38:17.926Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the call logs.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24","type":"relationship","created":"2020-01-27T17:05:58.267Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:05:58.267Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can track the device’s location.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794","created":"2020-04-08T15:41:19.451Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.103Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can collect the device’s ID.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--50bab448-fee6-49e9-a296-498fe06eacc7","type":"relationship","created":"2019-11-21T16:42:48.490Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList - ViceLeaker 2019","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019."}],"modified":"2019-11-21T16:42:48.490Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) can obtain a list of installed applications.(Citation: SecureList - ViceLeaker 2019)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--50c81a85-8c70-48df-a338-8622d2debc74","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:38:39.008Z","description":"[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather call logs.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--35aae10a-97c5-471a-9c67-02c231a7a31a","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97","created":"2023-09-28T17:20:00.981Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:20:00.981Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can request coarse and fine location permissions to track the device.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4","created":"2024-03-28T18:32:05.099Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T20:31:19.083Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive files from the C2 and execute them via the parent application.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--50f03c00-5488-49fe-a527-a8776e526523","type":"relationship","created":"2020-11-24T17:55:12.820Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.820Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can collect a list of installed applications.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5107be8a-b5fc-4442-af0d-2c92e086a912","type":"relationship","created":"2020-05-11T16:13:43.062Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CheckPoint Agent Smith","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020."}],"modified":"2020-05-11T16:13:43.062Z","description":"[Agent Smith](https://attack.mitre.org/software/S0440) checks if a targeted application is running in user-space prior to infection.(Citation: CheckPoint Agent Smith) ","relationship_type":"uses","source_ref":"malware--a6228601-03f6-4949-ae22-c1087627a637","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--51457698-e98b-435a-88c2-75a82cdc2bda","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:38:56.380Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) uploads call logs.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab","created":"2022-04-11T20:06:38.811Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.","modified":"2022-04-11T20:06:38.811Z","relationship_type":"mitigates","source_ref":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","target_ref":"attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--51757971-17ac-40c3-bae7-78365579db49","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro-Obad","description":"Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. 
Retrieved December 9, 2016.","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:02:27.188Z","description":"[OBAD](https://attack.mitre.org/software/S0286) abuses device administrator access to make it more difficult for users to remove the application.(Citation: TrendMicro-Obad)","relationship_type":"uses","source_ref":"malware--ca4f63b9-a358-4214-bb26-8c912318cfde","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--51b0a4fb-a308-4694-9437-95702a50ebd5","type":"relationship","created":"2020-09-11T16:22:03.231Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout ViperRAT","url":"https://blog.lookout.com/viperrat-mobile-apt","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T16:22:03.231Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can take photos with the device camera.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--51bd38a1-465b-49c0-9218-5984f391a51c","created":"2023-12-18T19:03:44.550Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:03:44.550Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can register with the `BOOT_COMPLETED` broadcast to start when the device turns on.(Citation: 
welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1","created":"2019-09-04T15:38:57.037Z","x_mitre_version":"1.0","external_references":[{"source_name":"FlexiSpy-Features","url":"https://www.flexispy.com/en/features-overview.htm","description":"FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can record keystrokes and analyze them for keywords.(Citation: FlexiSpy-Features)","modified":"2022-04-15T17:34:17.813Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999","created":"2020-11-24T17:55:12.818Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos GPlayed","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:21:12.197Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can register for the `BOOT_COMPLETED` broadcast intent.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3","created":"2019-10-18T15:51:48.487Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.","modified":"2022-04-05T19:42:51.306Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--520668a0-2523-4515-8ed9-f8059023632f","created":"2024-02-20T23:59:59.854Z","revoked":false,"external_references":[{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:59:59.854Z","description":"[TianySpy](https://attack.mitre.org/software/S1056) can check to see if WiFi is enabled.(Citation: trendmicro_tianyspy_0122) ","relationship_type":"uses","source_ref":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--520c7112-9768-42c5-8917-1950efd182f9","created":"2023-02-06T19:38:45.607Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:33:30.155Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can use keylogging to capture user input.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48","created":"2023-03-16T18:37:55.715Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T14:52:23.577Z","description":"On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa","created":"2022-04-01T16:52:36.974Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T16:52:36.974Z","relationship_type":"revoked-by","source_ref":"attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--529107fd-6420-4573-8dbf-cdcd49c2708c","type":"relationship","created":"2020-06-26T14:55:13.307Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020."}],"modified":"2020-06-26T14:55:13.307Z","description":"[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25","type":"relationship","created":"2020-09-11T15:55:43.774Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.","source_name":"Lookout-StealthMango"}],"modified":"2020-09-11T15:55:43.774Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) deletes incoming SMS messages from specified numbers, including those that contain particular strings.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b","type":"relationship","created":"2020-12-18T20:14:47.314Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). 
TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020."}],"modified":"2020-12-18T20:14:47.314Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has utilized foreground services.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--53364899-1ea5-47fa-afde-c210aed64120","type":"relationship","created":"2019-07-10T15:47:19.659Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-07-16T15:35:21.086Z","description":"(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12","target_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a","created":"2023-10-10T15:33:59.484Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.484Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has impersonated several apps, including official Google apps, chat apps, VPN apps, and popular games.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--535d2425-21aa-4fe5-ae6d-5b677f459020","created":"2022-03-28T19:41:37.162Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Security updates may contain patches for devices that were compromised at the supply chain level.","modified":"2022-03-28T19:41:37.162Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d","created":"2023-03-20T18:38:36.873Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:26:05.065Z","description":"The user can view which applications have permission to use the camera through the device settings screen, where the 
user can then choose to revoke the permissions.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--54151897-cc7e-4f92-af50-bed41ea78d92","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky-MobileMalware","description":"Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.","url":"https://securelist.com/mobile-malware-evolution-2013/58335/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:03:20.968Z","description":"[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)","relationship_type":"uses","source_ref":"malware--28e39395-91e7-4f02-b694-5e079c964da9","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5417959b-9478-49fb-b779-3c82a10ad080","type":"relationship","created":"2020-12-17T20:15:22.498Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). 
HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019."}],"modified":"2020-12-17T20:15:22.498Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running apps.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47","created":"2022-04-01T17:08:41.293Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device’s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. ","modified":"2022-04-01T17:08:41.293Z","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2","created":"2019-09-04T14:28:15.482Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:28:58.447Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can reset the user's password/PIN.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81","created":"2022-04-05T20:03:46.789Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T20:03:46.789Z","relationship_type":"revoked-by","source_ref":"attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de","target_ref":"attack-pattern--fd211238-f767-4599-8c0d-9dca36624626","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515","created":"2023-06-09T19:10:48.877Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T19:14:31.727Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and if the screen is locked.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec","created":"2022-04-01T15:54:48.924Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Applications very rarely require administrator permission. Developers should be cautioned against using this higher degree of access to avoid being flagged as a potentially malicious application. 
","modified":"2022-04-01T15:54:48.924Z","relationship_type":"mitigates","source_ref":"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1","target_ref":"attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--54dac52d-5279-407f-b7b4-5484ae90b98c","type":"relationship","created":"2021-02-17T20:43:52.402Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020."}],"modified":"2021-02-17T20:43:52.402Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has downloaded and installed additional applications.(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--554ec347-c8b2-43da-876b-36608dcc543d","created":"2017-10-25T14:48:53.746Z","x_mitre_version":"1.0","external_references":[{"source_name":"TelephonyManager","url":"https://developer.android.com/reference/android/telephony/TelephonyManager.html","description":"Android. (n.d.). TelephonyManager. 
Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ","modified":"2022-03-30T21:04:59.921Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089","created":"2022-03-28T19:41:27.610Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Application developers should be cautious when selecting third-party libraries to integrate into their application.","modified":"2022-03-28T19:41:27.610Z","relationship_type":"mitigates","source_ref":"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1","target_ref":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15","type":"relationship","created":"2020-04-24T15:06:33.319Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020."}],"modified":"2020-04-24T15:06:33.319Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can collect voice notes, device accounts, and gallery images.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4","created":"2021-01-05T20:16:20.507Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler TikTok Spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:23:12.919Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can execute commands .(Citation: Zscaler TikTok 
Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5619e263-d48c-47a5-ab68-8677fe080a15","created":"2022-03-30T14:42:27.821Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T14:42:27.821Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","target_ref":"attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--56551987-326a-46ad-a34a-59bb7ab793a9","created":"2020-12-14T14:52:03.266Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Sophos Red Alert 2.0","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:24:07.828Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) can request device administrator permissions.(Citation: Sophos Red Alert 2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--56758bb5-230e-43ac-9851-167c296c3dfa","created":"2023-03-20T18:38:27.730Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:25:29.731Z","description":"During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba","created":"2023-12-18T19:08:12.976Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:08:12.976Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can track the device’s location.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--56a255a5-9fa2-45bb-8848-fd0a68514467","created":"2022-04-11T20:06:56.034Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-11T20:06:56.034Z","relationship_type":"revoked-by","source_ref":"attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d","target_ref":"attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282","created":"2023-07-21T19:36:35.822Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:36:35.822Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card info, and Wi-Fi info.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5706742b-733d-44e9-a032-62b81ba05bcf","created":"2020-06-02T14:32:31.897Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Project Zero Insomnia","description":"I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:26:52.491Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve SMS messages and iMessages.(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--57293fc9-8838-4acd-a16f-48f516d0921e","created":"2020-04-08T15:51:25.122Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ThreatFabric Ginp","description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:29:51.699Z","description":"[Ginp](https://attack.mitre.org/software/S0423) hides its icon after installation.(Citation: ThreatFabric Ginp)","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5738479d-47fb-4d6f-9f04-5ce988327694","created":"2023-12-18T19:07:31.393Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). 
Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:07:31.393Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can collect the device’s call log.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5749763a-0aef-460a-b081-849adba8d58f","created":"2023-12-18T18:18:44.171Z","revoked":false,"external_references":[{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:18:44.171Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has injected string contents into the device clipboard.(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7","created":"2023-03-20T18:57:42.922Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:17:40.405Z","description":"Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--57881f4b-8463-430c-912a-0e3c961e7784","created":"2023-07-21T19:52:30.528Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:52:30.529Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can copy and exfiltrate a device’s contact list.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--57a069a0-399f-43ab-9efc-50432a41b26b","created":"2020-12-24T21:55:56.743Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:36:12.585Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has deleted or renamed specific files.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--57a5ae72-6932-45e6-83f2-609943902b35","created":"2023-03-20T18:50:33.248Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:30:03.505Z","description":"In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791","created":"2022-03-30T19:33:17.520Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.","modified":"2022-03-30T19:33:17.520Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78","created":"2023-02-28T20:37:59.846Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:08:37.122Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can obfuscated class, string, and method names in newer malware versions.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--583720d0-8b15-4662-822e-bb40bc1df940","created":"2023-12-18T18:09:02.735Z","revoked":false,"external_references":[{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:09:02.735Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can retrieve Android system and hardware information.(Citation: securelist_brata_0819)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72","type":"relationship","created":"2020-11-24T17:55:12.900Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.900Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can collect the device’s IMEI, phone number, and country.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56","created":"2020-06-26T15:32:25.045Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Cerberus","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:27:05.040Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) can collect SMS messages from a device.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--58c857f8-4f40-48e0-b3ac-41944d82b576","created":"2020-12-24T22:04:27.991Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:54:02.223Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of contacts.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--592331d2-60a7-4264-b844-fbeb89b6386c","created":"2023-03-20T18:58:56.942Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:53:16.626Z","description":"The user can view the default SMS handler in system settings.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2","created":"2023-12-18T19:06:59.289Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T13:11:49.039Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can use an encryption key received from its C2 to encrypt and decrypt configuration files and exfiltrated data.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5977289e-d38f-4974-912b-2151fc00c850","type":"relationship","created":"2020-11-20T16:37:28.524Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020."}],"modified":"2020-11-20T16:37:28.524Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device’s phone number and IMSI.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9","created":"2022-04-05T19:52:32.201Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T19:52:32.201Z","relationship_type":"revoked-by","source_ref":"attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc","created":"2023-03-20T18:14:50.401Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T22:35:46.046Z","description":"Mobile security products can use attestation to detect compromised 
devices.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--59d463d3-3a41-4269-be9a-7a69f44eca78","created":"2020-10-29T19:21:23.215Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"WeLiveSecurity AdDisplayAshas","description":"L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:03:47.434Z","description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has communicated with the C2 server using HTTP.(Citation: WeLiveSecurity 
AdDisplayAshas)","relationship_type":"uses","source_ref":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef","created":"2022-04-05T20:14:17.442Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T20:14:17.442Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303","target_ref":"attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d","created":"2019-07-10T15:35:43.658Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:57:40.371Z","description":"[Pallas](https://attack.mitre.org/software/S0399) gathers and exfiltrates data about nearby Wi-Fi access points.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1","created":"2020-10-29T17:48:27.272Z","x_mitre_version":"1.0","external_references":[{"source_name":"Threat Fabric Exobot","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Exobot](https://attack.mitre.org/software/S0522) can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.(Citation: Threat Fabric Exobot)","modified":"2022-04-15T16:53:00.735Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5a277966-4559-487e-bdfb-7be6366ccdb6","type":"relationship","created":"2019-09-03T19:45:48.508Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019."}],"modified":"2019-09-11T13:25:19.114Z","description":" [Exodus](https://attack.mitre.org/software/S0405) Two can take pictures with the device cameras.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3","type":"relationship","created":"2020-06-26T14:55:13.351Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020."}],"modified":"2020-06-26T14:55:13.351Z","description":"[EventBot](https://attack.mitre.org/software/S0478) can collect a list of installed applications.(Citation: Cybereason EventBot)","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae","created":"2020-12-24T22:04:27.902Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:04:02.992Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has used HTTP POST requests for C2.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f","created":"2023-03-20T15:56:34.418Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:27:56.357Z","description":"Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application’s manifest. This indicates it can prompt the user for device administrator permissions.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"Tripwire-MazarBOT","url":"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/","description":"Graham Cluley. (2016, February 16). 
Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[MazarBOT](https://attack.mitre.org/software/S0303) can send messages to premium-rate numbers.(Citation: Tripwire-MazarBOT)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-StealthMango","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Stealth Mango](https://attack.mitre.org/software/S0328) uses commands received from text messages for C2.(Citation: Lookout-StealthMango)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0","type":"relationship","created":"2019-09-15T15:32:17.563Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2020-07-09T14:07:02.315Z","description":"Application developers could be encouraged to avoid placing sensitive data in notification text.","relationship_type":"mitigates","source_ref":"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5aa167b8-4166-440b-b49f-bf1bab597237","created":"2019-11-21T16:42:48.441Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList - ViceLeaker 2019","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:39:13.309Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) can collect the device’s call log.(Citation: SecureList - ViceLeaker 2019)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5b04c8d0-c026-4838-9383-e4146de36d4d","created":"2023-03-16T18:33:19.941Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:34:11.221Z","description":"Application vetting services could detect usage of standard clipboard 
APIs.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5b235ed4-548d-49f2-ae01-1874666e6747","created":"2022-03-30T19:51:56.543Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T19:51:56.543Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","target_ref":"attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02","type":"relationship","created":"2020-12-17T20:15:22.452Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019."}],"modified":"2020-12-17T20:15:22.452Z","description":"[HenBox](https://attack.mitre.org/software/S0544) has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5b5586b9-75ee-476f-b3eb-49878254302c","type":"relationship","created":"2019-07-16T14:33:12.117Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Triada June 2019","url":"https://security.googleblog.com/2019/06/pha-family-highlights-triada.html","description":"Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019."}],"modified":"2020-04-27T16:52:49.643Z","description":"[Triada](https://attack.mitre.org/software/S0424) is able to modify code within the com.android.systemui application to gain access to `GET_REAL_TASKS` permissions. 
This permission enables access to information about applications currently on the foreground and other recently used apps.(Citation: Google Triada June 2019) ","relationship_type":"uses","source_ref":"malware--f082fc59-0317-49cf-971f-a1b6296ebb52","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5b670281-0054-42b4-8e54-ea01a692f5bf","type":"relationship","created":"2021-10-01T14:42:48.900Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021."}],"modified":"2021-10-01T14:42:48.900Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can open a hidden menu when a specific phone number is called from the infected device.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0","created":"2024-03-26T19:06:59.314Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"},{"source_name":"sentinelone_israel_hamas_war","description":"Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T20:22:22.162Z","description":"(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)","relationship_type":"uses","source_ref":"intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394","target_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f","created":"2020-04-08T15:41:19.427Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.105Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can send, receive, and delete SMS messages.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9","created":"2023-08-23T22:50:55.591Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-23T22:50:55.591Z","description":"Application vetting services may detect API calls to `performGlobalAction(int)`. ","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c","type":"relationship","created":"2021-02-17T20:43:52.324Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). 
FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020."}],"modified":"2021-02-17T20:43:52.324Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf","created":"2023-03-20T15:46:49.646Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:39:37.117Z","description":"Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a","created":"2020-07-27T14:14:56.996Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Security Zen","description":"Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.","url":"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:19:00.199Z","description":"[Zen](https://attack.mitre.org/software/S0494) can inject code into the Setup Wizard at runtime to extract CAPTCHA images. [Zen](https://attack.mitre.org/software/S0494) can inject code into the `libc` of running processes to infect them with the malware.(Citation: Google Security Zen)","relationship_type":"uses","source_ref":"malware--22faaa56-a8ac-4292-9be6-b571b255ee40","target_ref":"attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0","type":"relationship","created":"2020-12-24T22:04:27.997Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:27.997Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has tracked location.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5ced57a7-b674-40d4-98b8-a090963a6ade","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.","source_name":"PaloAlto-SpyDealer"}],"modified":"2019-09-18T13:45:58.872Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f","created":"2023-03-20T18:43:14.051Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T21:18:54.014Z","description":"The user can see a list of applications that can use accessibility services in the device 
settings.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da","type":"relationship","created":"2021-09-24T14:52:41.308Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2021-09-24T14:52:41.308Z","description":" [Monokle](https://attack.mitre.org/software/S0407) can hook itself to appear invisible to the Process Manager.(Citation: Lookout-Monokle) ","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5d37400f-80f9-4500-9357-185650e5a7b2","created":"2023-02-06T18:54:13.573Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:14:02.866Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can use HTTP to communicate with the C2 server.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c","created":"2023-01-18T21:38:58.113Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:49:16.069Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d","created":"2023-02-06T18:52:40.543Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:14:41.449Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can intercept SMS messages containing two factor authentication codes.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2","created":"2022-03-30T19:12:31.481Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T19:12:31.481Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee","target_ref":"attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--5e360913-4986-4423-8d3c-46d3202b7787","type":"relationship","created":"2019-09-04T14:28:15.471Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2019-10-14T17:51:37.979Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. [Monokle](https://attack.mitre.org/software/S0407) can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e","created":"2024-03-29T15:05:17.290Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-29T15:05:17.290Z","description":"Users should be advised to not trust or install self-signed certificates.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d","created":"2019-09-23T13:36:08.451Z","x_mitre_version":"1.0","external_references":[{"source_name":"securelist rotexy 
2018","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Rotexy](https://attack.mitre.org/software/S0411) procedurally generates subdomains for command and control communication.(Citation: securelist rotexy 2018)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--fd211238-f767-4599-8c0d-9dca36624626","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5e95ca90-bf75-4031-a28f-f8565c02185c","created":"2020-11-24T17:55:12.883Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos GPlayed","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:23:49.569Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can lock the user out of the device by showing a persistent overlay.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2","created":"2023-03-20T18:59:57.364Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:05:08.407Z","description":"The user can examine the list of all installed applications in the device settings. ","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5","created":"2023-12-18T18:12:37.010Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"},{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). 
BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:12:37.010Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has employed code obfuscation and encryption of configuration files.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1","created":"2023-03-15T16:24:12.588Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:26:59.132Z","description":"Application vetting services can detect when an application requests administrator 
permission.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24","created":"2023-03-15T16:40:37.553Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T21:03:10.023Z","description":"Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. ","relationship_type":"detects","source_ref":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--60439118-3ceb-490b-9df5-e35e7fca9009","created":"2024-03-28T18:26:14.625Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:39:13.963Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive the following broadcast events to establish persistence: `BOOT_COMPLETED`, `BATTERY_LOW`,`USER_PRESENT`, `SCREEN_ON`, `SCREEN_OFF`, or `CONNECTIVITY_CHANGE`.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--605d95a1-0493-418e-9d81-de58531c4421","created":"2020-04-24T15:12:11.217Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro Coronavirus Updates","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:04:31.136Z","description":"[Concipit1248](https://attack.mitre.org/software/S0426) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--89c3dbf6-f281-41b7-be1d-a0e641014853","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--606b07b9-b5a4-464f-8381-062e2134d0ab","created":"2023-12-18T18:14:22.223Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"},{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:14:22.223Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can remove installed antivirus applications as well as disable Google Play Protect.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--60782df8-1e96-48eb-a6b7-843c94b32b59","created":"2023-02-06T19:43:17.802Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:33:52.290Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can hide its application icon.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-BrainTest","url":"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/","description":"Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[BrainTest](https://attack.mitre.org/software/S0293) provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.(Citation: Lookout-BrainTest)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--e13d084c-382f-40fd-aa9a-98d69e20301e","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--609ec9f8-f702-444b-b837-72a0880d429b","created":"2023-09-22T19:17:01.704Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T19:17:01.704Z","description":"The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. ","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--60ad088f-3133-4b0c-a441-e1e06fff1765","created":"2023-02-06T19:37:56.416Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:34:29.147Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather data about the device.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb","type":"relationship","created":"2020-01-27T17:05:58.308Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:05:58.308Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) encodes its configurations using a customized algorithm.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113","created":"2020-06-26T15:32:25.032Z","x_mitre_version":"1.0","external_references":[{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Cerberus](https://attack.mitre.org/software/S0480) can generate fake notifications and launch overlay attacks against attacker-specified applications.(Citation: Threat Fabric Cerberus)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3","created":"2019-07-10T15:35:43.712Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:36:27.557Z","description":"[Pallas](https://attack.mitre.org/software/S0399) has the ability to delete attacker-specified files from compromised devices.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71","created":"2019-07-10T15:42:09.606Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:01:46.513Z","description":"[Dark Caracal](https://attack.mitre.org/groups/G0070) controls implants using standard HTTP communication.(Citation: Lookout Dark Caracal Jan 2018) ","relationship_type":"uses","source_ref":"intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--61550ef4-41f0-4354-af5c-f47db8aca654","type":"relationship","created":"2020-06-02T14:32:31.910Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Project Zero Insomnia","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html","description":"I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020."}],"modified":"2020-06-02T14:32:31.910Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c","type":"relationship","created":"2020-01-21T15:29:27.041Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList - ViceLeaker 2019","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019."}],"modified":"2020-01-21T15:29:27.041Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) can download attacker-specified files.(Citation: SecureList - ViceLeaker 2019)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544","created":"2022-04-05T19:40:25.071Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T19:40:25.071Z","relationship_type":"revoked-by","source_ref":"attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a","target_ref":"attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc","created":"2023-02-06T19:41:40.104Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:35:04.072Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can silently intercept and manipulate notifications. 
[S.O.V.A.](https://attack.mitre.org/software/S1062) can also inject cookies via push notifications.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213","created":"2023-03-20T15:32:36.972Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T17:18:06.656Z","description":"Application vetting services can detect malicious code in applications.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d","created":"2022-03-30T20:13:40.625Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be shown what a synthetic activity looks like so they can scrutinize them in the 
future.","modified":"2022-03-30T20:13:40.625Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f","type":"relationship","created":"2020-12-14T15:02:35.287Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Securelist Asacub","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020."}],"modified":"2020-12-14T15:02:35.290Z","description":"[Asacub](https://attack.mitre.org/software/S0540) has implemented functions in native code.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6","created":"2022-03-30T13:48:43.977Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Mobile security products can typically detect jailbroken or rooted devices. 
","modified":"2022-03-30T13:48:43.977Z","relationship_type":"mitigates","source_ref":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","target_ref":"attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6315b6ec-35f8-4b28-8603-664664311a33","created":"2023-08-16T16:44:53.770Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:44:53.770Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can read the name of application packages.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--634071ce-d386-4143-8e6e-b88bc077de6d","type":"relationship","created":"2020-07-27T14:14:56.961Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Security Zen","url":"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html","description":"Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020."}],"modified":"2020-08-10T22:18:20.782Z","description":"[Zen](https://attack.mitre.org/software/S0494) can dynamically load executable code from remote sources.(Citation: Google Security Zen)","relationship_type":"uses","source_ref":"malware--22faaa56-a8ac-4292-9be6-b571b255ee40","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"modified":"2018-10-17T00:14:20.652Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--63e67cba-4eae-4495-8897-2610103a0c41","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"modified":"2018-10-17T00:14:20.652Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) exploits iOS vulnerabilities to escalate privileges.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--642a2599-a50c-480c-8e07-2a3a217f4a46","created":"2023-07-21T19:52:13.807Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:52:13.807Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can turn on a device’s microphone to capture audio.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--64489abc-5c2f-4620-833d-9ac010040955","created":"2023-08-14T16:19:54.684Z","revoked":false,"external_references":[{"source_name":"unit42_strat_aged_domain_det","description":"Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. 
Retrieved July 31, 2023.","url":"https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/"},{"source_name":"Data Driven Security DGA","description":"Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.","url":"https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:19:54.684Z","description":"Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--fd211238-f767-4599-8c0d-9dca36624626","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda","created":"2023-02-06T19:02:00.135Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:16:28.481Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself microphone permissions.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65","type":"relationship","created":"2021-04-19T17:05:42.574Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2021-04-19T17:05:42.574Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has collected files from the infected device.(Citation: Lookout Uyghur Campaign)\t","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff","type":"relationship","created":"2019-09-04T14:28:16.478Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2019-10-14T17:52:48.001Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. 
[Monokle](https://attack.mitre.org/software/S0407) can also abuse accessibility features to read the screen to capture data from a large number of popular applications.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e","type":"relationship","created":"2020-07-15T20:20:59.382Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.382Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) has communicated with the C2 server over TCP port 7777.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4","type":"relationship","created":"2020-04-08T15:51:25.157Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"ThreatFabric Ginp","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html","description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020."}],"modified":"2020-04-08T15:51:25.157Z","description":"[Ginp](https://attack.mitre.org/software/S0423) can capture device screenshots and stream them back to the C2.(Citation: ThreatFabric Ginp)","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28","created":"2023-10-10T15:33:58.533Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.533Z","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has masqueraded as popular South Korean applications.(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--6588914f-d270-47d3-b889-046564ad616f","created":"2023-08-16T16:35:21.853Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:35:21.853Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can gather SMS messages.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61","type":"relationship","created":"2020-01-27T17:05:58.201Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-03-26T20:50:07.154Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. [GolfSpy](https://attack.mitre.org/software/S0421) can list image, audio, video, and other files stored on the device. 
[GolfSpy](https://attack.mitre.org/software/S0421) can copy arbitrary files from the device.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--65acbbe2-48e1-4fba-a781-39fb040a711d","type":"relationship","created":"2019-09-03T19:45:48.505Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019."}],"modified":"2019-09-11T13:25:19.178Z","description":" [Exodus](https://attack.mitre.org/software/S0405) One, after checking in, sends a POST request and then downloads [Exodus](https://attack.mitre.org/software/S0405) Two, the second stage binaries.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a","created":"2023-08-16T16:34:14.088Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:34:14.088Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can perform overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed","created":"2023-09-21T22:20:53.256Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"app_hibernation","description":"Android Developers. (2023, August 28). App hibernation. 
Retrieved September 21, 2023.","url":"https://developer.android.com/topic/performance/app-hibernation"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T22:25:08.129Z","description":"Android 11 and above implement application hibernation, which can hibernate an application that has not been used for a few months and can reset the application’s permission requests.(Citation: app_hibernation)","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574","created":"2023-10-10T15:33:58.701Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Forbes Cerberus","description":"Z. Doffman. (2019, August 16). Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated). 
Retrieved June 26, 2020.","url":"https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/#1563fef26d9c"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.701Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) has pretended to be an Adobe Flash Player installer.(Citation: Forbes Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--66132260-65d1-4bf5-8200-abdb2014be6f","created":"2020-09-15T15:18:12.465Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason FakeSpy","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:51:12.881Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can detect if it is running in an emulator and adjust its behavior accordingly.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519","created":"2022-04-05T17:03:53.457Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T17:03:53.457Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--51636761-2e35-44bf-9e56-e337adf97174","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--66ba3094-7c14-41b9-b7c1-814d026156b9","type":"relationship","created":"2020-09-11T15:58:40.846Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020."}],"modified":"2020-09-11T15:58:40.846Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can delete and send SMS messages.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42","type":"relationship","created":"2020-11-10T17:08:35.593Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-11-10T17:08:35.593Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has seen native libraries used in some reported samples (Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--66fb8a34-9d48-4599-a56e-19b057380030","created":"2023-03-20T18:46:08.304Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:04:38.833Z","description":"Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--670a0995-a789-4674-9e91-c74316cdef90","type":"relationship","created":"2020-09-11T14:54:16.621Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T14:54:16.621Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can record audio from phone calls and the device microphone.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--67aa692c-24e4-483e-996e-02ce1e861ec8","created":"2023-02-28T20:37:29.206Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:09:02.129Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can add display overlays onto banking apps to capture credit card information.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2","created":"2019-09-03T20:08:00.704Z","x_mitre_version":"1.0","external_references":[{"source_name":"Talos Gustuff Apr 
2019","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Gustuff](https://attack.mitre.org/software/S0406) code is both obfuscated and packed with an FTT packer.(Citation: Talos Gustuff Apr 2019)","modified":"2022-04-15T17:18:58.074Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--51636761-2e35-44bf-9e56-e337adf97174","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f","created":"2021-01-20T16:01:19.488Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Anubis","description":"K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. 
Retrieved January 20, 2021.","url":"https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:17:07.374Z","description":"[Anubis](https://attack.mitre.org/software/S0422) has used motion sensor data to attempt to determine if it is running in an emulator.(Citation: Trend Micro Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--681161b2-4e30-4d49-8524-6cc0d94585cb","created":"2023-03-16T13:33:26.925Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:34:55.830Z","description":"Many properly configured firewalls may naturally block bidirectional command and control 
traffic.","relationship_type":"detects","source_ref":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","target_ref":"attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:42:13.445Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"revoked-by","source_ref":"attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f","target_ref":"attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6846dc09-b66a-42d3-aea2-c80b51f22952","created":"2023-02-28T21:42:31.008Z","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T21:42:31.008Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can record audio using the device microphone.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--684c17bb-2075-4e1f-9fcb-17408511222d","type":"relationship","created":"2021-09-20T13:54:19.957Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2021-09-20T13:54:19.957Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) can silently accept an incoming phone call.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44","created":"2024-04-02T19:14:16.279Z","revoked":false,"external_references":[{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:14:16.279Z","description":"[HilalRAT](https://attack.mitre.org/software/S1128) can access and retrieve files on a device.(Citation: Meta Adversarial Threat Report 
2022)","relationship_type":"uses","source_ref":"malware--55714f87-6178-4b89-b3e5-d3a643f647ca","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6885280e-5423-422a-94f1-e91d557e043e","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"PaloAlto-XcodeGhost1","url":"http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/","description":"Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016."},{"source_name":"PaloAlto-XcodeGhost","url":"http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/","description":"Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[XcodeGhost](https://attack.mitre.org/software/S0297) was injected into apps by a modified version of Xcode (Apple's software development tool).(Citation: PaloAlto-XcodeGhost1)(Citation: PaloAlto-XcodeGhost)","modified":"2022-04-15T15:10:16.607Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--d9e07aea-baad-4b68-bdca-90c77647d7f9","target_ref":"attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--68c17e9b-1fda-49dd-982b-566d473cc32b","created":"2022-04-06T15:51:11.939Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:51:11.939Z","relationship_type":"revoked-by","source_ref":"attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--68e5789c-9f60-421e-9c79-fae207a29e83","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky-WUC","description":"Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.","url":"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:27:20.839Z","description":"[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole SMS message content.(Citation: Kaspersky-WUC)","relationship_type":"uses","source_ref":"malware--d05f7357-4cbe-47ea-bf83-b8604226d533","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3","created":"2020-07-20T13:27:33.486Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos-WolfRAT","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:54:25.851Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device’s contact list.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50","created":"2021-09-20T13:50:02.036Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. 
(2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.105Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can make phone calls.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--694857ba-92e8-462e-8900-a9f6fdcf495d","type":"relationship","created":"2020-12-31T18:25:05.133Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020."}],"modified":"2020-12-31T18:25:05.133Z","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has encrypted its DEX payload.(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c","created":"2019-08-09T18:02:06.688Z","x_mitre_version":"1.0","external_references":[{"source_name":"Zscaler-SuperMarioRun","url":"https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat","description":"Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. Retrieved January 20, 2017."}],"x_mitre_deprecated":false,"revoked":false,"description":"[DroidJack](https://attack.mitre.org/software/S0320) can capture video using device cameras.(Citation: Zscaler-SuperMarioRun)","modified":"2022-05-20T17:13:16.507Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:33:51.882Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) modifies the system partition to maintain persistence.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--697f5584-667f-4489-a535-586dd1a8b48c","created":"2023-10-10T15:33:59.823Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.823Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CheckPoint-Charger","description":"Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.","url":"http://blog.checkpoint.com/2017/01/24/charger-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:17:53.923Z","description":"[Charger](https://attack.mitre.org/software/S0323) locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.(Citation: CheckPoint-Charger)","relationship_type":"uses","source_ref":"malware--d1c600f8-0fb6-4367-921b-85b71947d950","target_ref":"attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--69de3f7e-faa7-4342-b755-4777a68fd89b","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"Zscaler-SuperMarioRun","url":"https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat","description":"Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. 
Retrieved January 20, 2017."}],"x_mitre_deprecated":false,"revoked":false,"description":"[DroidJack](https://attack.mitre.org/software/S0320) is capable of recording device phone calls.(Citation: Zscaler-SuperMarioRun)","modified":"2022-05-20T17:13:16.508Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6a1d8b2f-9007-46ba-b559-356b81632cee","created":"2023-10-10T15:33:58.444Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler TikTok Spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.444Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) has masqueraded as TikTok.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b","type":"relationship","created":"2020-09-14T14:13:45.259Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout eSurv","url":"https://blog.lookout.com/esurv-research","description":"A. Bauer. 
(2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020."}],"modified":"2020-09-14T14:13:45.259Z","description":"[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate device pictures.(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2","created":"2022-04-01T15:13:55.124Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be instructed to not open links in applications they don’t recognize.","modified":"2022-04-01T15:13:55.124Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e","created":"2023-03-16T18:26:45.940Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Android-VerifiedBoot","description":"Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.","url":"https://source.android.com/security/verifiedboot/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:21:42.253Z","description":"On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6a715733-cde6-4903-b967-35562b584c6f","type":"relationship","created":"2020-06-02T14:32:31.878Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Project Zero Insomnia","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html","description":"I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020."}],"modified":"2020-06-02T14:32:31.878Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can obtain a list of installed non-Apple applications.(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6a813057-5fe0-46b5-89a3-c804d223568c","created":"2023-08-04T18:30:16.933Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-26T12:54:10.319Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate the victim device ID, model, manufacturer, and Android version.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6a821e14-8247-408b-af37-9cecbba616ec","type":"relationship","created":"2020-05-07T15:33:32.945Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CheckPoint Agent 
Smith","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020."}],"modified":"2020-05-07T15:33:32.945Z","description":"[Agent Smith](https://attack.mitre.org/software/S0440) obtains the device’s application list.(Citation: CheckPoint Agent Smith)","relationship_type":"uses","source_ref":"malware--a6228601-03f6-4949-ae22-c1087627a637","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a","created":"2024-03-26T18:49:57.818Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-16T16:03:22.664Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) can masquerade as the chat application \"Magic Smile.\"(Citation: fb_arid_viper)","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e","created":"2023-09-21T22:18:06.516Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T19:39:19.069Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) initially poses as a benign application, then malware is downloaded and executed after an application update.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0","created":"2023-06-09T19:11:38.612Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T20:48:41.487Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can access a device’s location and check if GPS is enabled. 
[Hornbill](https://attack.mitre.org/software/S1077) has logic to only log location changes greater than 70 meters.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6b41d649-bcd0-4427-baa1-15a145bace6e","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.","source_name":"PaloAlto-SpyDealer"}],"modified":"2019-08-09T17:56:05.642Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) downloads and executes root exploits from a remote server.(Citation: 
PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61","created":"2024-03-26T18:43:59.377Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T18:43:59.377Z","description":"","relationship_type":"uses","source_ref":"intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394","target_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9","created":"2021-01-05T20:16:20.500Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler TikTok Spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:27:33.948Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect SMS messages from the device.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab","created":"2023-01-18T19:16:15.534Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:54:10.458Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can use keylogging to steal user banking credentials.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696","created":"2022-03-28T19:38:23.189Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-28T19:38:23.190Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3","target_ref":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a","created":"2023-03-03T15:42:28.475Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:17:24.417Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can send large amounts of device data over its C2 channel, including the device’s manufacturer, model, version and serial number, telephone number, and IP address.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6c0105f3-e919-499d-b080-d127394d2837","created":"2022-03-30T18:14:23.210Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). 
","modified":"2022-03-30T18:14:23.210Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6c35f99c-153d-4023-a29a-821488ce5418","created":"2020-04-08T15:41:19.383Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.107Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can collect a list of installed applications to compare to a list of targeted applications.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82","type":"relationship","created":"2020-09-11T16:22:03.301Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout ViperRAT","url":"https://blog.lookout.com/viperrat-mobile-apt","description":"M. 
Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020."}],"modified":"2020-09-11T16:22:03.301Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can collect system information, including brand, manufacturer, and serial number.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd","created":"2023-08-07T22:48:30.275Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T22:48:30.275Z","description":"Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.","relationship_type":"detects","source_ref":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e","type":"relationship","created":"2021-02-08T16:36:20.692Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"BlackBerry Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & 
Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."}],"modified":"2021-05-24T13:16:56.443Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6cace9e3-f095-4914-bddc-24cec8bcc859","type":"relationship","created":"2020-09-24T15:34:51.276Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Dendroid","description":"Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/03/06/dendroid/"}],"modified":"2020-09-24T15:34:51.276Z","description":"[Dendroid](https://attack.mitre.org/software/S0301) can collect the device’s photos, browser history, bookmarks, and accounts stored on the device.(Citation: Lookout-Dendroid)","relationship_type":"uses","source_ref":"malware--317a2c10-d489-431e-b6b2-f0251fddc88e","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6ce36374-2ff6-4b41-8493-148416153232","type":"relationship","created":"2020-07-20T13:27:33.443Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020."}],"modified":"2020-08-10T21:57:54.526Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can collect user account, photos, browser history, and arbitrary files.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6d2c7743-fc75-4524-b217-13867ca1dd10","created":"2019-09-03T20:08:00.649Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos Gustuff Apr 2019","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:32:04.659Z","description":"[Gustuff](https://attack.mitre.org/software/S0406) can collect the contact list.(Citation: Talos Gustuff Apr 2019) ","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6d659130-545b-4917-891c-6c1b7d54ed07","type":"relationship","created":"2021-01-05T20:16:20.505Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.505Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can send SMS messages.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--6d88242f-e45b-481c-bd41-b66a662618ce","created":"2022-04-06T13:57:24.730Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T13:57:24.730Z","relationship_type":"revoked-by","source_ref":"attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108","created":"2023-03-20T18:57:17.059Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T20:53:47.270Z","description":"On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05","created":"2023-12-18T18:18:56.785Z","revoked":false,"external_references":[{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:18:56.785Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has performed country and language checks.(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23","type":"relationship","created":"2020-09-11T14:54:16.566Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). 
Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020."}],"modified":"2020-09-11T14:54:16.566Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect device metadata and can check if the device is rooted.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6e811d89-6526-480f-be40-1ad6483182ff","created":"2023-10-10T15:33:58.801Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos GPlayed","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.801Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) has used the Play Store icon as well as the name “Google Play Marketplace”.(Citation: Talos 
GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a","created":"2023-03-20T18:44:36.073Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:56:10.432Z","description":"The user can view and manage installed third-party keyboards.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3","created":"2023-08-04T18:29:05.423Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T20:42:54.574Z","description":"(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f","target_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60","type":"relationship","created":"2020-09-11T14:54:16.585Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020."}],"modified":"2021-04-19T17:11:50.418Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect attacker-specified files, including files located on external storage.(Citation: Lookout Desert Scorpion)\t","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87","type":"relationship","created":"2020-06-26T15:12:40.098Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"ESET DEFENSOR ID","url":"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/","description":"L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020."}],"modified":"2020-06-26T15:12:40.098Z","description":"[DEFENSOR ID](https://attack.mitre.org/software/S0479) can retrieve a list of installed applications.(Citation: ESET DEFENSOR ID)","relationship_type":"uses","source_ref":"malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d","created":"2019-07-10T15:25:57.585Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:39:29.860Z","description":"[FinFisher](https://attack.mitre.org/software/S0182) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--a5528622-3a8a-4633-86ce-8cdaf8423858","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c","type":"relationship","created":"2020-11-10T17:08:35.624Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-11-10T17:08:35.624Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) can dynamically load additional functionality.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998","created":"2020-04-08T15:41:19.385Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.107Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can create overlays to capture user credentials for targeted applications.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49","created":"2024-04-02T19:13:36.178Z","revoked":false,"external_references":[{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:13:36.178Z","description":"[HilalRAT](https://attack.mitre.org/software/S1128) can activate a device’s microphone.(Citation: Meta Adversarial Threat Report 2022)","relationship_type":"uses","source_ref":"malware--55714f87-6178-4b89-b3e5-d3a643f647ca","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7017085c-c612-48b2-b655-e18d7822d0e7","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"PaloAlto-SpyDealer","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.","url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:39:48.895Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) harvests phone call history from victims.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"PaloAlto-SpyDealer","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.","url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:26:35.443Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) maintains persistence by installing an Android application package (APK) on the system partition.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-BrainTest","description":"Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.","url":"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}],"modified":"2018-10-17T00:14:20.652Z","description":"Original samples of [BrainTest](https://attack.mitre.org/software/S0293) download their exploit packs for rooting from a remote server after installation.(Citation: Lookout-BrainTest)","relationship_type":"uses","source_ref":"malware--e13d084c-382f-40fd-aa9a-98d69e20301e","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e","type":"relationship","created":"2020-01-14T17:47:08.826Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList DVMap June 2017","url":"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/","description":"R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019."}],"modified":"2020-01-14T17:47:08.826Z","description":"[Dvmap](https://attack.mitre.org/software/S0420) checks the Android version to determine which system library to patch.(Citation: SecureList DVMap June 2017)","relationship_type":"uses","source_ref":"malware--22b596a6-d288-4409-8520-5f2846f85514","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"PaloAlto-Xbot","description":"Cong Zheng, Claud Xiao and Zhi Xu. 
(2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.","url":"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[Xbot](https://attack.mitre.org/software/S0298) can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.(Citation: PaloAlto-Xbot)","relationship_type":"uses","source_ref":"tool--da21929e-40c0-443d-bdf4-6b60d15448b4","target_ref":"attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--70fa8498-6117-4e15-ae3c-f53d63996826","type":"relationship","created":"2020-06-26T15:32:25.050Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020."}],"modified":"2020-06-26T15:32:25.050Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) can collect the device’s location.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--71490fdb-e271-4a67-b932-5288924b1dae","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"PaloAlto-DualToy","description":"Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.","url":"https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[DualToy](https://attack.mitre.org/software/S0315) collects the connected iOS device’s information including IMEI, IMSI, ICCID, serial number and phone number.(Citation: PaloAlto-DualToy)","relationship_type":"uses","source_ref":"malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--716f68ee-1e77-4254-8f67-d8f3c71db678","type":"relationship","created":"2021-09-20T13:59:00.498Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). 
Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2021-09-20T13:59:00.498Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can be controlled via phone call from a set of \"control phones.\"(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--717feaf1-493b-4a3e-b886-40652f41168d","created":"2024-03-28T18:31:04.700Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:39:23.615Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obtain a list of installed applications.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--718a612e-50c5-40ab-9081-b88cefeafcb6","created":"2021-04-26T15:33:55.905Z","x_mitre_version":"1.0","external_references":[{"source_name":"CitizenLab Circles","url":"https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/","description":"Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. 
Retrieved December 23, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Circles](https://attack.mitre.org/software/S0602) can track the location of mobile devices.(Citation: CitizenLab Circles)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24","target_ref":"attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a","created":"2024-02-20T23:53:09.490Z","revoked":false,"external_references":[{"source_name":"Trend Micro FlyTrap","description":"Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.","url":"https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:53:09.490Z","description":"[FlyTrap](https://attack.mitre.org/software/S1093) can collect IP address and network configuration information.(Citation: Trend Micro 
FlyTrap)","relationship_type":"uses","source_ref":"malware--8338393c-cb2e-4ee6-b944-34672499c785","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Tripwire-MazarBOT","description":"Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.","url":"https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:27:47.788Z","description":"[MazarBOT](https://attack.mitre.org/software/S0303) can intercept two-factor authentication codes sent by online banking apps.(Citation: Tripwire-MazarBOT)","relationship_type":"uses","source_ref":"malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68","created":"2023-10-10T19:19:38.654Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T19:19:38.654Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) has exfiltrated cached data from infected devices.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7258542e-029b-45b9-be69-6e76d9c93b35","created":"2020-09-14T13:35:45.886Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ESET-Twitoor","description":"ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.","url":"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:43:03.565Z","description":"[Twitoor](https://attack.mitre.org/software/S0302) can hide its presence on the system.(Citation: ESET-Twitoor)","relationship_type":"uses","source_ref":"malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8","created":"2024-03-26T16:18:25.630Z","revoked":false,"external_references":[{"source_name":"forcepoint_bitter","description":"Dela Paz, R. (2016, October 21). 
BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.","url":"https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T16:18:25.630Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) can take photos and videos using the device cameras.(Citation: forcepoint_bitter) ","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0","created":"2017-10-25T14:48:53.741Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. 
Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.","modified":"2022-03-30T20:25:46.994Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af","type":"relationship","created":"2020-04-24T15:06:33.531Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020."}],"modified":"2020-04-24T17:55:55.049Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can take pictures using the camera and can record MP4 files.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--72a88d43-4144-444e-8f71-ac0d19ae3710","type":"relationship","created":"2020-09-14T14:13:45.256Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout eSurv","url":"https://blog.lookout.com/esurv-research","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020."}],"modified":"2020-09-14T14:13:45.256Z","description":"[eSurv](https://attack.mitre.org/software/S0507) can track the device’s location.(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--732ca9b5-961d-4734-9f8d-339078457457","created":"2024-04-02T19:15:19.864Z","revoked":false,"external_references":[{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:15:19.864Z","description":"(Citation: Meta Adversarial Threat Report 2022)","relationship_type":"uses","source_ref":"intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258","target_ref":"malware--55714f87-6178-4b89-b3e5-d3a643f647ca","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--73410b22-5aca-4b86-8efc-98c1ad75399a","created":"2023-10-10T15:33:59.572Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos-WolfRAT","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.572Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) has masqueraded as “Google service”, “GooglePlay”, and “Flash update”.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9","type":"relationship","created":"2020-09-11T15:52:12.520Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-09-11T15:52:12.520Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can block, forward, hide, and send SMS messages.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--73d22490-4043-42d7-ad25-74e4a642bf6a","created":"2023-03-20T18:41:45.186Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CSRIC5-WG10-FinalReport","description":"Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.","url":"https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-15T15:06:03.429Z","description":"Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry 
members.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication, however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently. ","modified":"2022-03-28T19:20:30.375Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee","created":"2024-02-20T23:56:14.156Z","revoked":false,"external_references":[{"source_name":"Google Project Zero Insomnia","description":"I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:56:14.156Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--74080f4f-1de2-464f-8ec1-0635fc142273","created":"2023-08-08T16:23:41.141Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:23:41.141Z","description":"Application vetting services may be able to list domains and/or IP addresses that applications communicate with. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8","type":"relationship","created":"2020-04-24T17:46:31.613Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecurityIntelligence TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020."}],"modified":"2020-04-24T17:46:31.613Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276","created":"2023-10-10T15:33:57.989Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Dendroid","description":"Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/03/06/dendroid/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:57.989Z","description":"[Dendroid](https://attack.mitre.org/software/S0301) can be bound to legitimate applications prior to installation on devices.(Citation: Lookout-Dendroid)","relationship_type":"uses","source_ref":"malware--317a2c10-d489-431e-b6b2-f0251fddc88e","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed","created":"2023-03-20T18:58:56.347Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:30:21.044Z","description":"Application vetting services can detect unnecessary and potentially abused location permissions.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba","created":"2023-09-22T19:15:56.498Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T19:15:56.498Z","description":"Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. ","relationship_type":"detects","source_ref":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","target_ref":"attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69","created":"2020-04-08T15:51:25.078Z","x_mitre_version":"1.0","external_references":[{"source_name":"ThreatFabric Ginp","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html","description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Ginp](https://attack.mitre.org/software/S0423) can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.(Citation: ThreatFabric Ginp)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330","created":"2022-04-01T15:01:53.321Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores.","modified":"2022-04-01T15:01:53.321Z","relationship_type":"mitigates","source_ref":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","target_ref":"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe","type":"relationship","created":"2020-07-15T20:20:59.282Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. 
Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.282Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can record the screen.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6","created":"2023-03-16T13:31:29.822Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Android Privacy Indicators","description":"Google. (n.d.). Privacy Indicators. Retrieved April 20, 2022.","url":"https://source.android.com/devices/tech/config/privacy-indicators"},{"source_name":"iOS Mic Spyware","description":"ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.","url":"https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T21:08:37.537Z","description":"In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. 
However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78","type":"relationship","created":"2019-10-10T15:17:00.972Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.","url":"https://www.flexispy.com/en/features-overview.htm","source_name":"FlexiSpy-Features"}],"modified":"2019-10-14T18:08:28.666Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can monitor device photos and can also access browser history and bookmarks.(Citation: FlexiSpy-Features)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--75770898-93a7-45e3-bdb2-03172004a88f","created":"2022-03-30T14:49:47.451Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android-VerifiedBoot","url":"https://source.android.com/security/verifiedboot/","description":"Android. (n.d.). Verified Boot. Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ","modified":"2022-03-30T14:49:47.451Z","relationship_type":"mitigates","source_ref":"course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321","target_ref":"attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--75989cf6-c023-4ed3-9d23-a83f55690186","created":"2023-02-28T21:43:36.886Z","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. 
and Canada with COVID-19 Lures. Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T21:43:36.886Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can read incoming text messages.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b","type":"relationship","created":"2020-12-14T15:02:35.286Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Securelist Asacub","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020."}],"modified":"2020-12-14T15:02:35.286Z","description":"[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d","created":"2023-08-16T16:33:56.014Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-15T19:16:57.874Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can log keystrokes and gather the lock screen password of an infected device by abusing Accessibility Services.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--75ed2348-279f-4485-97a3-9a5ada27d799","created":"2023-02-06T19:06:17.406Z","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). 
Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-06T19:06:17.406Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can disable Play Protect.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--760037f0-f027-41bb-adf8-1ced6c7085be","created":"2023-10-10T15:33:59.225Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"WeLiveSecurity AdDisplayAshas","description":"L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.225Z","description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has mimicked Facebook and Google icons on the “Recent apps” screen to avoid discovery and uses the `com.google.xxx` package name to avoid detection.(Citation: WeLiveSecurity AdDisplayAshas)","relationship_type":"uses","source_ref":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f","type":"relationship","created":"2020-11-10T17:08:35.644Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-11-10T17:08:35.644Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce","created":"2023-09-22T19:16:35.609Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T19:16:35.609Z","description":"The user is prompted for approval when an application requests device administrator permissions.","relationship_type":"detects","source_ref":"x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456","target_ref":"attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847","created":"2022-04-06T13:30:03.526Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be taught that Device Administrator permissions are very dangerous, and very few applications need 
it.","modified":"2022-04-06T13:30:03.527Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7696b512-ba2f-4310-86e1-7c528529fc5e","type":"relationship","created":"2020-09-15T15:18:12.425Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason FakeSpy","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020."}],"modified":"2020-09-15T15:18:12.425Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of [FakeSpy](https://attack.mitre.org/software/S0509) encrypt the C2 address.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--76cc66f4-ce85-4873-a63e-879b4a14a540","created":"2023-03-03T16:23:20.764Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:23:20.764Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has connected to the C2 server via HTTP.(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98","created":"2023-10-10T15:33:59.661Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Sophos Red Alert 2.0","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.661Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) has masqueraded as legitimate media player, social media, and VPN applications.(Citation: Sophos Red Alert 2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--7793a066-d72b-4a60-9579-e16369ea7185","created":"2023-03-20T18:57:55.221Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:22:25.132Z","description":"The user can view a list of apps with accessibility service privileges in the device settings.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--77efa84c-5ef0-4554-b774-2dbfcca74087","type":"relationship","created":"2020-10-29T19:20:58.116Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WeLiveSecurity AdDisplayAshas","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/","description":"L. Stefanko. 
(2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020."}],"modified":"2020-10-29T19:20:58.116Z","description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.(Citation: WeLiveSecurity AdDisplayAshas)","relationship_type":"uses","source_ref":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889","created":"2023-08-04T18:30:58.116Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:30:58.116Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can access a device’s location.(Citation: 
lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45","created":"2023-02-06T19:47:26.528Z","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-06T19:47:26.528Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) has been distributed in obfuscated and packed form.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--51636761-2e35-44bf-9e56-e337adf97174","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164","type":"relationship","created":"2020-01-27T17:49:05.664Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:49:05.664Z","description":"(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd","target_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9","created":"2024-01-26T17:44:59.987Z","revoked":false,"external_references":[{"source_name":"checkpoint_flixonline_0421","description":"Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024.","url":"https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-01-26T17:44:59.987Z","description":"[FlixOnline](https://attack.mitre.org/software/S1103) may use the `BOOT_COMPLETED` action to trigger further scripts on boot.(Citation: checkpoint_flixonline_0421)","relationship_type":"uses","source_ref":"malware--0ec9593f-3221-49b1-b597-37f307c19f13","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7885c84c-b832-42d4-b3d3-49b82849262f","created":"2024-03-26T19:04:53.270Z","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., 
Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T19:04:53.270Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) can collect and exfiltrate WhatsApp media, photos and files with specific extensions, such as .pdf and .doc.(Citation: fb_arid_viper)","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--789699c2-44f1-4280-bf86-ab23e6a13e84","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:18:51.813Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) uploads calendar events and reminders.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-EnterpriseApps","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's phone number, mobile device unique identifier (IMEI).(Citation: Lookout-EnterpriseApps)","relationship_type":"uses","source_ref":"malware--c709da93-20c3-4d17-ab68-48cba76b2137","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f","type":"relationship","created":"2019-09-03T19:45:48.492Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019."}],"modified":"2019-10-14T17:15:52.637Z","description":" [Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-BrainTest","description":"Chris Dehghanpoor. 
(2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.","url":"https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[BrainTest](https://attack.mitre.org/software/S0293) stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.(Citation: Lookout-BrainTest)","relationship_type":"uses","source_ref":"malware--e13d084c-382f-40fd-aa9a-98d69e20301e","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf","type":"relationship","created":"2020-09-11T15:43:49.309Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020."}],"modified":"2020-09-11T15:43:49.309Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) can send SMS messages from a device.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57","created":"2023-12-18T19:04:37.052Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). 
Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:04:37.052Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can enumerate files on external storage.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7","created":"2020-11-24T17:55:12.889Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos GPlayed","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:22:27.554Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can request device administrator permissions.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7965128c-89d6-411e-b765-c60e0cae96c6","created":"2023-02-06T19:40:36.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:36:23.084Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can manipulate clipboard data to replace cryptocurrency addresses.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--797e82a0-0132-4adc-8885-c9e9d88386dd","created":"2024-03-28T18:26:51.242Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:39:32.169Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to record phone calls.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1","created":"2022-04-06T13:52:46.831Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Android 7 changed how the Device Administrator password APIs function.","modified":"2022-04-06T13:52:46.831Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--79ef0025-3e1c-4914-9873-19808c2a5bec","created":"2023-02-28T21:44:22.373Z","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T21:44:22.373Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can record the screen and stream the data off the device.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2018-10-17T00:14:20.652Z","relationship_type":"revoked-by","source_ref":"attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df","target_ref":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7a50961b-9be4-4042-a6a0-878b612c520e","type":"relationship","created":"2019-07-10T15:25:57.602Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"modified":"2019-08-12T17:30:07.571Z","description":"[FinFisher](https://attack.mitre.org/software/S0182) uses the device microphone to record phone conversations.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--a5528622-3a8a-4633-86ce-8cdaf8423858","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac","created":"2023-12-18T18:14:01.632Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:14:01.632Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can search for specifically installed security applications.(Citation: cleafy_brata_0122)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f","type":"relationship","created":"2020-12-24T22:04:28.002Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout 
Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:28.002Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has sent messages to an attacker-controlled number.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7accde36-cb29-43c6-8c66-6486efd867a8","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"modified":"2019-10-10T15:27:22.157Z","description":"[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather GPS coordinates.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--35aae10a-97c5-471a-9c67-02c231a7a31a","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"modified":"2018-10-17T00:14:20.652Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the victim for status and disables other access to the phone by other jailbreaking software.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024","created":"2022-04-15T18:11:06.097Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Skycure-Profiles","description":"Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. 
Retrieved December 22, 2016.","url":"https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:28:11.000Z","description":"Most [KeyRaider](https://attack.mitre.org/software/S0288) samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.(Citation: Skycure-Profiles)","relationship_type":"uses","source_ref":"malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f","created":"2022-04-01T18:49:19.284Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. 
Android 7 introduced updates that revoke standard device administrators’ ability to reset the device’s passcode.","modified":"2022-04-01T18:49:19.284Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046","created":"2022-04-05T17:14:35.469Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T17:14:35.469Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","target_ref":"attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14","created":"2020-06-26T15:32:25.043Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Cerberus","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:53:04.417Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) disables Google Play Protect to prevent its discovery and deletion in the future.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb","created":"2019-08-09T16:19:02.782Z","x_mitre_version":"1.0","external_references":[{"source_name":"Android Capture Sensor 2019","url":"https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access","description":"Android Developers. (, January). Android 9+ Privacy Changes . 
Retrieved August 27, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 9 and above restricts access to microphone, camera, and other sensors from background applications.(Citation: Android Capture Sensor 2019) ","modified":"2022-04-01T15:21:13.296Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531","type":"relationship","created":"2019-08-07T15:57:13.417Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Kaspersky Riltok June 2019","url":"https://securelist.com/mobile-banker-riltok/91374/","description":"Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019."}],"modified":"2019-09-15T15:36:42.340Z","description":"[Riltok](https://attack.mitre.org/software/S0403) can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.(Citation: Kaspersky Riltok June 2019)","relationship_type":"uses","source_ref":"malware--c0efbaae-9e7d-4716-a92d-68373aac7424","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7ba30703-c3aa-425a-9482-9e9941fd7038","type":"relationship","created":"2020-12-24T21:45:56.961Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-12-24T21:45:56.961Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) can access the camera on the device.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890","created":"2023-01-18T19:09:40.955Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). 
Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:58:45.439Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can record the screen via the `MediaProjection` library to harvest user credentials, including biometric PINs.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:34:08.372Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) gathers contacts from the system by dumping the victim's address book.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e","created":"2023-07-21T19:34:29.630Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:34:29.630Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can take and exfiltrate screenshots.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57","created":"2023-08-04T18:58:19.825Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:58:58.480Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can exfiltrate data back to the C2 server using HTTP.(Citation: lookout_hornbill_sunbird_0221) ","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc","created":"2020-04-08T15:41:19.400Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.109Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can modify administrator settings and disable Play Protect.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47","created":"2023-06-09T19:19:56.840Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-06-09T19:19:56.840Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) has monitored for SMS and WhatsApp notifications.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7c6207c7-d738-4a17-8380-595c86574b64","type":"relationship","created":"2020-09-11T16:22:03.298Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout ViperRAT","url":"https://blog.lookout.com/viperrat-mobile-apt","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T16:22:03.298Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can track the device’s location.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56","created":"2019-09-03T20:08:00.737Z","x_mitre_version":"1.0","external_references":[{"source_name":"Talos Gustuff Apr 2019","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Gustuff](https://attack.mitre.org/software/S0406) abuses accessibility features to intercept all interactions between a user and the device.(Citation: Talos Gustuff Apr 2019)","modified":"2022-04-15T17:39:08.123Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562","created":"2023-07-21T19:38:52.085Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:38:52.085Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) uses unencrypted HTTP traffic between the victim and C2 infrastructure.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7d481598-ece7-469c-b231-619a804c25e5","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:34:25.318Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures SMS messages that the victim sends or receives.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688","created":"2020-05-07T15:33:32.910Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CheckPoint Agent Smith","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:19:44.427Z","description":"[Agent Smith](https://attack.mitre.org/software/S0440) can hide its icon from the application launcher.(Citation: CheckPoint Agent Smith)","relationship_type":"uses","source_ref":"malware--a6228601-03f6-4949-ae22-c1087627a637","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7db33293-6971-4c0d-88e0-18f505ebd943","created":"2022-04-05T20:11:51.188Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Recent OS versions have made it more difficult for applications to register as VPN providers. 
","modified":"2022-04-05T20:11:51.188Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62","created":"2023-03-20T18:57:14.194Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T14:49:51.309Z","description":"Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.","relationship_type":"detects","source_ref":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","target_ref":"attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f","type":"relationship","created":"2020-12-24T22:04:28.005Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:28.005Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has taken photos with the device camera.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7defdb15-65d1-40ca-a9da-5c0484892484","created":"2020-04-24T17:46:31.616Z","x_mitre_version":"1.0","external_references":[{"source_name":"SecurityIntelligence TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[TrickMo](https://attack.mitre.org/software/S0427) can be controlled via encrypted SMS message.(Citation: SecurityIntelligence 
TrickMo)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:41:33.831Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"revoked-by","source_ref":"attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881","target_ref":"attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed","created":"2019-07-10T15:35:43.668Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:55:00.294Z","description":"[Pallas](https://attack.mitre.org/software/S0399) accesses the device contact list.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7e8956e3-7d90-412d-a82f-d61e43239923","created":"2023-03-20T18:44:01.387Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:21:32.437Z","description":"Application vetting services may indicate precisely what content was requested during application execution.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad","type":"relationship","created":"2020-11-20T16:37:28.429Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. 
(2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020."}],"modified":"2020-11-20T16:37:28.429Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can collect images, videos, and attacker-specified files.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4","created":"2020-04-08T15:41:19.340Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.109Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can use its ransomware module to encrypt device data and hold it for ransom.(Citation: Cofense 
Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030","created":"2022-03-30T20:42:04.251Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be advised to be extra scrutinous of applications that request location, and to deny any permissions requests for applications they do not recognize.","modified":"2022-03-30T20:42:04.251Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e","created":"2023-12-18T18:15:38.261Z","revoked":false,"external_references":[{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:15:38.261Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can check to see if it has been installed in a virtual environment.(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7f4e1ac1-145e-4983-b735-7f70003893aa","created":"2023-08-04T18:29:35.223Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:29:35.223Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate call logs.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--7fa860d3-fa92-4953-8e79-05238b7dff99","created":"2024-03-29T15:04:39.189Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-29T15:04:39.189Z","description":"","relationship_type":"subtechnique-of","source_ref":"attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002","target_ref":"attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"BankInfoSecurity-BackDoor","url":"http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534","description":"Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. 
Retrieved February 6, 2017."},{"source_name":"NYTimes-BackDoor","url":"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html","description":"Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Adups](https://attack.mitre.org/software/S0309) was pre-installed on Android devices from some vendors.(Citation: NYTimes-BackDoor)(Citation: BankInfoSecurity-BackDoor)","modified":"2022-04-19T15:46:20.166Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf","target_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9","created":"2019-07-16T14:33:12.113Z","x_mitre_version":"1.0","external_references":[{"source_name":"Krebs-Triada June 2019","url":"https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/","description":"Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019."},{"source_name":"Google Triada June 2019","url":"https://security.googleblog.com/2019/06/pha-family-highlights-triada.html","description":"Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Triada](https://attack.mitre.org/software/S0424) was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.(Citation: Google Triada June 2019)(Citation: Krebs-Triada June 2019)","modified":"2022-04-19T15:47:32.152Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--f082fc59-0317-49cf-971f-a1b6296ebb52","target_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--806a9338-be20-4eef-aa54-067633ac0e58","created":"2020-04-08T15:41:19.421Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.110Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can retrieve the device’s GPS location.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--80778a1e-715d-477b-87fa-e92181b31659","created":"2020-12-24T21:45:56.967Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:15:22.472Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) can delete various piece of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9","type":"relationship","created":"2021-01-05T20:16:20.502Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.502Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can take screenshots.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--80eb5ebc-ae6f-461e-8e78-a18702249343","created":"2023-12-18T18:14:53.862Z","revoked":false,"external_references":[{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). 
BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:14:53.862Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can hide incoming calls by setting ring volume to 0 and showing a blank screen overlay.(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d","created":"2023-09-28T17:40:03.722Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zimperium FlyTrap","description":"A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. Retrieved September 28, 2023.","url":"https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/"},{"source_name":"Trend Micro FlyTrap","description":"Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.","url":"https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T19:13:17.011Z","description":"[FlyTrap](https://attack.mitre.org/software/S1093) can collect Facebook account information, such as Facebook ID, email address, cookies, and login tokens.(Citation: Trend Micro FlyTrap)(Citation: Zimperium FlyTrap)","relationship_type":"uses","source_ref":"malware--8338393c-cb2e-4ee6-b944-34672499c785","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--81722aad-f503-4a74-91d5-1843adf8a995","created":"2023-08-16T16:36:04.747Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:36:04.747Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can prevent application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--818b8c2b-bd23-4a83-9970-d42063608699","created":"2020-04-24T15:06:33.393Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro Coronavirus Updates","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:49:04.950Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can collect device contacts.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--81db3270-4cb8-4982-8ff8-c28a874e8421","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro-DressCode","description":"Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. 
Retrieved December 22, 2016.","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[DressCode](https://attack.mitre.org/software/S0300) sets up a \"general purpose tunnel\" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.(Citation: TrendMicro-DressCode)","relationship_type":"uses","source_ref":"malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca","target_ref":"attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416","created":"2023-03-20T18:52:56.247Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T22:33:23.699Z","description":"Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f","created":"2020-06-02T14:32:31.906Z","x_mitre_version":"1.0","external_references":[{"source_name":"Volexity Insomnia","url":"https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/","description":"A. 
Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[INSOMNIA](https://attack.mitre.org/software/S0463) has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.(Citation: Volexity Insomnia)","modified":"2022-04-20T16:40:05.898Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CheckPoint-Judy","description":"CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.","url":"https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[Judy](https://attack.mitre.org/software/S0325) bypasses Google Play's protections by downloading a malicious payload at runtime after installation.(Citation: CheckPoint-Judy)","relationship_type":"uses","source_ref":"malware--172444ab-97fc-4d94-b142-179452bfb760","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8244700e-6f96-463a-a9c3-810c489a2c60","created":"2023-03-20T15:20:24.554Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T14:54:57.884Z","description":"Application vetting services could detect applications trying to modify files in protected parts of the operating system.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--82555171-8b78-40f3-84d9-058359ae808a","type":"relationship","created":"2020-09-24T15:34:51.244Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Dendroid","description":"Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/03/06/dendroid/"}],"modified":"2020-09-24T15:34:51.244Z","description":"[Dendroid](https://attack.mitre.org/software/S0301) can send and block SMS messages.(Citation: Lookout-Dendroid)","relationship_type":"uses","source_ref":"malware--317a2c10-d489-431e-b6b2-f0251fddc88e","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--825ffecc-090f-44c8-87be-f7b72e07f987","created":"2022-04-01T18:43:15.716Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.","modified":"2022-04-01T18:43:15.716Z","relationship_type":"mitigates","source_ref":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d","created":"2024-02-20T23:45:08.561Z","revoked":false,"external_references":[{"source_name":"Securelist Asacub","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:45:08.561Z","description":"[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--828417ec-c444-41c8-95b4-c339c5ecf62b","created":"2022-03-30T20:48:00.360Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.","modified":"2022-03-30T20:48:00.360Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--82a51cc3-7a91-43b0-9147-df5983e52b41","created":"2020-12-14T15:02:35.208Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Securelist Asacub","description":"T. Shishkova. (2018, August 28). 
The rise of mobile banker Asacub. Retrieved December 14, 2020.","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:08:11.798Z","description":"[Asacub](https://attack.mitre.org/software/S0540) has communicated with the C2 using HTTP POST requests.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--82b58c75-239e-4dac-b848-bc1f3354adc4","created":"2023-03-20T18:41:18.288Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Samsung Knox Mobile Threat Defense","description":"Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.","url":"https://partner.samsungknox.com/mtd"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T22:14:04.455Z","description":"Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--82e93a9e-6968-497f-8043-a08d0f35bd32","created":"2023-10-10T15:33:57.378Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Anubis","description":"K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.","url":"https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"},{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.110Z","description":"[Anubis](https://attack.mitre.org/software/S0422) has requested accessibility service privileges while masquerading as \"Google Play Protect\" and has disguised additional malicious application installs as legitimate system updates.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--82f12052-783e-40e4-8079-d9c030c310fd","created":"2022-03-30T20:08:40.223Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications. 
","modified":"2022-03-30T20:08:40.223Z","relationship_type":"mitigates","source_ref":"course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321","target_ref":"attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--82f51cc6-6ce4-459e-b598-7b2b77983469","created":"2020-04-24T15:06:33.526Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro Coronavirus Updates","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:28:18.530Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can collect SMS messages.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--83358774-0857-429c-9f7a-151403e52881","created":"2023-10-10T15:33:59.912Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.912Z","description":"[Exobot](https://attack.mitre.org/software/S0522) has used names like WhatsApp and Netflix.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"PaloAlto-Xbot","description":"Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.","url":"http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:28:32.568Z","description":"[Xbot](https://attack.mitre.org/software/S0298) steals all SMS message and contact information as well as intercepts and parses certain SMS messages.(Citation: PaloAlto-Xbot)","relationship_type":"uses","source_ref":"tool--da21929e-40c0-443d-bdf4-6b60d15448b4","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro-XLoader","description":"Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:28:46.820Z","description":"[XLoader for Android](https://attack.mitre.org/software/S0318) collects SMS messages.(Citation: TrendMicro-XLoader)","relationship_type":"uses","source_ref":"malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b","created":"2024-04-02T19:14:02.841Z","revoked":false,"external_references":[{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:14:02.842Z","description":"[HilalRAT](https://attack.mitre.org/software/S1128) can retrieve a device’s SMS messages.(Citation: Meta Adversarial Threat Report 2022)","relationship_type":"uses","source_ref":"malware--55714f87-6178-4b89-b3e5-d3a643f647ca","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Kaspersky-WUC","description":"Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.","url":"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}],"modified":"2019-10-15T19:54:10.285Z","description":"[Android/Chuli.A](https://attack.mitre.org/software/S0304) gathered system information including phone number, OS version, phone model, and SDK version.(Citation: Kaspersky-WUC)","relationship_type":"uses","source_ref":"malware--d05f7357-4cbe-47ea-bf83-b8604226d533","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--83d95d05-7545-4295-894b-f33a2ba1063b","created":"2020-12-17T20:15:22.492Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Palo Alto HenBox","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:47:45.408Z","description":"[HenBox](https://attack.mitre.org/software/S0544) has registered several broadcast receivers.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--848581bc-bf8f-40e2-871e-cd67042b4adf","created":"2023-01-18T19:14:40.120Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). 
Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:59:26.448Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can use overlays to steal user banking credentials entered into legitimate sites.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8499ffce-1045-4a8a-9e09-ec53d535a021","created":"2023-10-10T15:33:58.887Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Palo Alto HenBox","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.887Z","description":"[HenBox](https://attack.mitre.org/software/S0544) has masqueraded as VPN and Android system apps.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4","created":"2023-10-10T15:33:59.401Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Bouncing Golf 2019","description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.401Z","description":"[Bouncing Golf](https://attack.mitre.org/groups/G0097) distributed malware as repackaged legitimate applications, with the malicious code in the `com.golf` package.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0","created":"2024-03-26T19:05:36.787Z","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T19:05:36.787Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) can download additional malware to the victim device.(Citation: fb_arid_viper) ","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c","created":"2024-02-21T20:53:10.203Z","revoked":false,"external_references":[{"source_name":"Google Project Zero Insomnia","description":"I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T20:53:10.203Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103","created":"2019-09-23T13:36:08.341Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"securelist rotexy 2018","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T16:58:27.974Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. 
It can also communicate by using JSON messages sent through Google Cloud Messaging.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8578441b-00d2-4416-a011-380647e6ccdd","created":"2024-02-21T20:44:44.955Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T20:44:44.955Z","description":"","relationship_type":"subtechnique-of","source_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CheckPoint-Charger","description":"Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.","url":"http://blog.checkpoint.com/2017/01/24/charger-malware/"}],"modified":"2019-10-09T14:51:42.845Z","description":"[Charger](https://attack.mitre.org/software/S0323) checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.(Citation: CheckPoint-Charger)","relationship_type":"uses","source_ref":"malware--d1c600f8-0fb6-4367-921b-85b71947d950","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02","created":"2020-06-26T15:32:25.144Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CheckPoint Cerberus","description":"A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.","url":"https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:10:26.480Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 server using HTTP.(Citation: CheckPoint Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3","created":"2020-07-15T20:20:59.287Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender Mandrake","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:53:17.865Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can disable Play Protect.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--86170d29-0e41-44d0-94b0-de7d23718302","created":"2022-04-05T19:42:39.957Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android 12 Features","url":"https://developer.android.com/about/versions/12/features","description":"Google. (2022, April 4). Features and APIs Overview. 
Retrieved April 5, 2022."}],"x_mitre_deprecated":false,"revoked":false,"description":"The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)","modified":"2022-04-05T19:51:47.956Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788","created":"2020-05-07T15:33:32.903Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CheckPoint Agent Smith","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:20:05.166Z","description":"[Agent Smith](https://attack.mitre.org/software/S0440) deletes infected applications’ update packages when they are detected on the system, preventing updates.(Citation: CheckPoint Agent Smith)","relationship_type":"uses","source_ref":"malware--a6228601-03f6-4949-ae22-c1087627a637","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8","created":"2022-04-05T19:49:59.027Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T19:49:59.027Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5","created":"2023-06-09T19:19:38.523Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T19:11:52.875Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f","created":"2022-04-06T13:39:39.883Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T13:39:39.883Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6","target_ref":"attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3","type":"relationship","created":"2020-05-04T14:04:56.189Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Bread","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html","description":"A. Guertin, V. 
Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020."}],"modified":"2020-05-04T15:40:21.081Z","description":"[Bread](https://attack.mitre.org/software/S0432) collects the device’s IMEI, carrier, mobile country code, and mobile network code.(Citation: Google Bread)","relationship_type":"uses","source_ref":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8726b157-3575-450f-bb7f-f17bb18e6aef","created":"2022-03-30T20:41:43.314Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"New OS releases frequently contain additional limitations or controls around device location access.","modified":"2022-03-30T20:41:43.314Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--873b98de-d7cf-471b-9aa2-229eb03c9165","type":"relationship","created":"2020-09-15T15:18:12.459Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason FakeSpy","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020."}],"modified":"2020-09-15T15:18:12.459Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can collect device information, including OS version and device model.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--875dc21d-92c3-45bf-be37-faa44f4449bf","created":"2020-06-02T14:32:31.891Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Project Zero Insomnia","description":"I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:51:44.262Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device’s contact list.(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298","created":"2020-12-14T15:02:35.297Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Securelist Asacub","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T18:06:30.456Z","description":"[Asacub](https://attack.mitre.org/software/S0540) can collect the device’s contact list.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--886849fc-f83c-4d69-b700-bfad0def765d","created":"2023-03-16T18:32:30.054Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:12:27.186Z","description":"On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8870c211-820a-46a1-96fc-02f4e6eaec03","type":"relationship","created":"2020-11-10T16:50:39.134Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. 
Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2021-04-19T15:40:36.387Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). [CarbonSteal](https://attack.mitre.org/software/S0529) has also called `netcfg` to get stats.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--88de8869-2b01-4702-8518-e4e78fde44d9","created":"2023-07-12T20:45:18.766Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-12T20:45:18.766Z","description":"","relationship_type":"subtechnique-of","source_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","target_ref":"attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--88ded3fb-759e-4e96-946b-e7148c54856e","created":"2022-04-08T16:29:30.371Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-08T16:29:30.371Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9","target_ref":"attack-pattern--0d4e3bbb-7af5-4
c88-a215-0c0906bc1e8d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--88e33687-e999-42c8-b46b-49d2adfa17d0","created":"2022-04-01T15:02:04.528Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Apple regularly provides security updates for known OS vulnerabilities. ","modified":"2022-04-01T15:02:04.528Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03","type":"relationship","created":"2020-12-17T20:15:22.449Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019."}],"modified":"2020-12-17T20:15:22.449Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can access the device’s microphone.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--891edea2-817c-4eeb-9991-b6e095c269a8","created":"2020-06-02T14:32:31.903Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Project Zero Insomnia","description":"I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:40:06.957Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve the call history.(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0","type":"relationship","created":"2020-04-24T15:12:11.185Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). 
Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020."}],"modified":"2020-04-24T15:12:11.185Z","description":"[Concipit1248](https://attack.mitre.org/software/S0426) requests permissions to use the device camera.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--89c3dbf6-f281-41b7-be1d-a0e641014853","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--89565753-23c4-422d-a9ba-39f4101cd819","type":"relationship","created":"2020-11-20T16:37:28.485Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020."}],"modified":"2020-11-20T16:37:28.485Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can track the device’s location.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d","created":"2023-03-20T15:55:09.279Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:44:32.659Z","description":"Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05","created":"2024-03-26T19:03:34.834Z","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T19:03:34.834Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) can record phone calls.(Citation: fb_arid_viper)","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8a255d63-a770-4b9d-911c-bd906733ceef","created":"2023-01-18T19:24:36.689Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:05:42.846Z","description":"[Drinik](https://attack.mitre.org/software/S1054) has C2 commands that can move the malware in and out of the foreground. 
(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724","created":"2022-04-01T15:02:21.344Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Device attestation can often detect jailbroken devices. ","modified":"2022-04-01T15:02:21.344Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be","created":"2023-07-21T19:35:34.846Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:35:34.846Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can access browser history and bookmarks, and can list all files and folders on the device.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3","type":"relationship","created":"2020-09-11T14:54:16.615Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T14:54:16.615Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can record videos.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8b27a786-b4d9-4014-a249-3725442f9f1d","type":"relationship","created":"2021-01-05T20:16:20.499Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.499Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can obtain a list of installed applications.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9","created":"2020-09-11T14:54:16.649Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Desert Scorpion","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/desert-scorpion-google-play"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:52:05.260Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect the device’s contact list.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711","created":"2023-02-06T20:12:17.434Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:04:59.445Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_CALL_LOG` permission.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785","created":"2024-04-03T20:10:01.390Z","revoked":false,"external_references":[{"source_name":"CitizenLab Great iPwn","description":"Marczak, B., et al. (2020, December 20). The Great iPwn. Retrieved April 3, 2024.","url":"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-03T20:10:01.390Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) has been distributed via malicious links in SMS messages.(Citation: CitizenLab Great 
iPwn)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781","type":"relationship","created":"2020-04-24T15:06:33.503Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020."}],"modified":"2020-04-24T15:06:33.503Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can record MP4 files and monitor calls.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090","created":"2023-03-20T18:58:30.773Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:43:56.718Z","description":"On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the 
background.","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556","created":"2019-09-04T15:38:56.678Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FlexiSpy-Features","description":"FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.","url":"https://www.flexispy.com/en/features-overview.htm"},{"source_name":"FortiGuard-FlexiSpy","description":"K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.","url":"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:44:31.870Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) is capable of hiding SuperSU's icon if it is installed and visible.(Citation: FortiGuard-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) can also hide its own icon to make detection and the uninstallation process more difficult.(Citation: 
FlexiSpy-Features)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52","created":"2023-01-19T18:07:52.146Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:19:25.438Z","description":"[TianySpy](https://attack.mitre.org/software/S1056) can exfiltrate collected user data, including credentials and authorized cookies, via email.(Citation: trendmicro_tianyspy_0122) ","relationship_type":"uses","source_ref":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","target_ref":"attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8bcc9da8-c390-4151-b72d-30604820673e","created":"2023-08-04T19:05:04.644Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T19:05:04.644Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can search for installed applications such as WhatsApp.(Citation: lookout_hornbill_sunbird_0221) ","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8c034c66-18ad-4b30-9f17-ed574c10918f","created":"2023-03-20T18:56:20.203Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:08:44.242Z","description":"The user can view permissions granted to an application in device settings. ","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91","created":"2020-12-18T20:14:47.369Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"WhiteOps TERRACOTTA","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:48:00.045Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has registered several broadcast receivers.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8c50e9e7-e13c-4814-98d0-088d73b10005","created":"2023-03-03T16:21:24.531Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:21:24.531Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has modified Safari’s default search engine, bookmarked websites, opened pages, and accessed contacts and authorization tokens of the IM program “QQ” on infected devices.(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8c656539-aa1e-42db-9016-d38f1daaae16","created":"2023-01-18T19:20:26.156Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:06:05.822Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can collect user SMS messages.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8c7598a6-6046-491d-99a7-52c31974a9a9","created":"2023-03-20T18:57:40.504Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:36:24.934Z","description":"Application vetting services could look for misuse of dynamic libraries.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e","type":"relationship","created":"2021-01-05T20:16:20.512Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.512Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can check the device’s battery status.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b","created":"2020-09-11T14:54:16.638Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Desert Scorpion","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.","url":"https://blog.lookout.com/desert-scorpion-google-play"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:36:55.810Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can delete copies of itself if additional APKs are downloaded to external storage.(Citation: Lookout Desert 
Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"TrendMicro-RCSAndroid","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/","description":"Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[RCSAndroid](https://attack.mitre.org/software/S0295) can use SMS for command and control.(Citation: TrendMicro-RCSAndroid)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8d027310-93a0-4046-b7ad-d1f461f30838","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/","description":"Veo Zhang. (2015, July 21). 
Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.","source_name":"TrendMicro-RCSAndroid"}],"modified":"2019-08-09T17:53:48.783Z","description":"[RCSAndroid](https://attack.mitre.org/software/S0295) has the ability to dynamically download and execute new code at runtime.(Citation: TrendMicro-RCSAndroid)","relationship_type":"uses","source_ref":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9","created":"2023-08-04T18:29:54.503Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-26T12:53:15.952Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate a device's contacts.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b","created":"2023-02-06T19:47:08.535Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cleafy_sova_1122","description":"Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.","url":"https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-30T15:13:44.210Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) has code to encrypt device data with AES.(Citation: cleafy_sova_1122)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803","created":"2023-02-06T19:05:00.862Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:20:37.796Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can obtain a list of installed applications.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b","created":"2023-10-10T15:33:58.186Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ThreatFabric Ginp","description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.186Z","description":"[Ginp](https://attack.mitre.org/software/S0423) has masqueraded as “Adobe Flash Player” and “Google Play Verificator”.(Citation: ThreatFabric Ginp)","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de","created":"2023-01-18T19:16:45.773Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:07:34.581Z","description":"[Drinik](https://attack.mitre.org/software/S1054) has used custom encryption to hide strings, potentially to evade antivirus products.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8ea39534-6fe9-404c-94b7-0f320af95404","created":"2022-04-01T15:17:21.511Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T15:17:21.511Z","relationship_type":"revoked-by","source_ref":"attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58","target_ref":"attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc","type":"relationship","created":"2019-09-23T13:36:08.441Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","source_name":"securelist rotexy 2018"}],"modified":"2019-09-23T13:36:08.441Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) retrieves a list of installed applications and sends it to the command and control server.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"NYTimes-BackDoor","description":"Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.","url":"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}],"modified":"2018-10-17T00:14:20.652Z","description":"[Adups](https://attack.mitre.org/software/S0309) transmitted location information.(Citation: NYTimes-BackDoor)","relationship_type":"uses","source_ref":"malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8f142643-0448-4b04-8260-8e4e62ad80bb","created":"2023-08-04T18:34:42.357Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). 
Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-26T12:54:48.541Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can download adversary specified content from FTP shares.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8","created":"2022-03-30T18:06:21.355Z","x_mitre_version":"0.1","external_references":[{"source_name":"Symantec-iOSProfile2","url":"https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles","description":"Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018."},{"source_name":"Android-TrustedCA","url":"https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html","description":"Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. 
On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)","modified":"2022-03-30T18:06:21.355Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8f2929a9-cd25-4e07-b402-447da68aaa56","created":"2020-04-24T15:06:33.455Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro Coronavirus Updates","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:10:43.246Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc","type":"relationship","created":"2020-07-15T20:20:59.298Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.298Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) obfuscates its hardcoded C2 URLs.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68","created":"2023-06-09T19:15:30.280Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T19:07:51.438Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can collect voice notes and messages from WhatsApp, if installed.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57","created":"2020-11-24T17:55:12.826Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos GPlayed","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:22:41.797Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can wipe the device.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3","created":"2020-04-08T15:41:19.404Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.111Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can steal the device’s contact list.(Citation: Cofense Anubis) ","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5","type":"relationship","created":"2019-09-03T19:45:48.501Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019."}],"modified":"2019-10-14T16:47:53.197Z","description":" [Exodus](https://attack.mitre.org/software/S0405) Two can record audio from the compromised device's microphone and can record call audio in 3GP format.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9","created":"2022-03-30T14:26:02.359Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android Changes to System Broadcasts","url":"https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts","description":"Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts) ","modified":"2022-03-30T14:26:02.359Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--8ff45341-60d6-40d3-bb38-566814a466f9","created":"2020-07-20T13:27:33.552Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos-WolfRAT","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:51:31.121Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can perform primitive emulation checks.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--901492b5-b074-4631-ad6e-4178caa4164a","type":"relationship","created":"2020-12-24T22:04:28.017Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:28.017Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has recorded calls and environment audio in .amr format.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a","created":"2023-09-28T17:39:24.890Z","revoked":false,"external_references":[{"source_name":"Trend Micro FlyTrap","description":"Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.","url":"https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:39:24.890Z","description":"[FlyTrap](https://attack.mitre.org/software/S1093) can collect device geolocation data.(Citation: Trend Micro FlyTrap)","relationship_type":"uses","source_ref":"malware--8338393c-cb2e-4ee6-b944-34672499c785","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--90d4d964-efa2-46ac-adc2-759886e07158","created":"2020-10-29T17:48:27.325Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). 
Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:11:02.157Z","description":"[Exobot](https://attack.mitre.org/software/S0522) has used HTTPS for C2 communication.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861","created":"2021-02-08T16:36:20.711Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"BlackBerry Bahamut","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:06:46.369Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler-SuperMarioRun","description":"Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. 
Retrieved January 20, 2017.","url":"https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:24:53.701Z","description":"[DroidJack](https://attack.mitre.org/software/S0320) captures SMS data.(Citation: Zscaler-SuperMarioRun)","relationship_type":"uses","source_ref":"malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--91831379-b0da-4019-a7bb-17e53cda9d0b","type":"relationship","created":"2020-12-31T18:25:05.131Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020."}],"modified":"2020-12-31T18:25:05.131Z","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has utilized native code to decrypt its malicious payload.(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--919a13bc-74be-4660-af63-454abee92635","type":"relationship","created":"2019-03-11T15:13:40.408Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Karl Dominguez. (2011, September 27). 
ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.","url":"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A","source_name":"TrendMicro-Anserver2"}],"modified":"2019-08-05T20:05:25.571Z","description":"\n[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device IMEI and IMSI.(Citation: TrendMicro-Anserver2)","relationship_type":"uses","source_ref":"malware--4bf6ba32-4165-42c1-b911-9c36165891c8","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--91a4924f-2519-4662-91f2-b7ef715a459f","created":"2023-03-20T18:59:55.756Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Samsung Knox Mobile Threat Defense","description":"Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.","url":"https://partner.samsungknox.com/mtd"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:10:20.748Z","description":"Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat 
Defense)","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27","type":"relationship","created":"2020-07-20T13:27:33.488Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020."}],"modified":"2020-08-10T21:57:54.704Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489)’s code is obfuscated.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--92129d5b-7822-4e84-8a69-f96b598fba9e","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"modified":"2019-10-10T15:27:22.175Z","description":"[Tangelo](https://attack.mitre.org/software/S0329) accesses databases from WhatsApp, Viber, Skype, and Line.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--35aae10a-97c5-471a-9c67-02c231a7a31a","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--922fa6eb-7274-477c-821e-ae6684c08934","created":"2024-04-02T19:28:17.558Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T16:33:17.876Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) has used phishing sites for iCloud and Facebook if either of those were used for authentication during the chat sign up process.(Citation: 
fb_arid_viper)","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea","created":"2019-10-18T14:52:53.193Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Device attestation could detect devices with unauthorized or unsafe modifications. ","modified":"2022-03-30T20:07:50.094Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb","type":"relationship","created":"2020-06-26T14:55:13.261Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020."}],"modified":"2020-06-26T14:55:13.261Z","description":"[EventBot](https://attack.mitre.org/software/S0478) can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.(Citation: Cybereason EventBot)","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0","created":"2019-08-07T15:57:13.453Z","x_mitre_version":"1.0","external_references":[{"source_name":"Kaspersky Riltok June 2019","url":"https://securelist.com/mobile-banker-riltok/91374/","description":"Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Riltok](https://attack.mitre.org/software/S0403) can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.(Citation: Kaspersky Riltok June 2019)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--c0efbaae-9e7d-4716-a92d-68373aac7424","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f","created":"2024-03-28T18:11:37.535Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. 
(2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:39:42.031Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to modify permissions on a rooted device and tried to disable the SecurityLogAgent application.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"PaloAlto-SpyDealer","url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"[SpyDealer](https://attack.mitre.org/software/S0324) enables remote control of the victim through SMS channels.(Citation: PaloAlto-SpyDealer)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c","type":"relationship","created":"2019-07-10T15:35:43.631Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-08-09T18:06:11.741Z","description":"[Pallas](https://attack.mitre.org/software/S0399) queries the device for metadata, such as device ID, OS version, and the number of cameras.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9373912a-affa-4a3c-ad97-1b8311e228ee","type":"relationship","created":"2019-09-04T14:28:15.991Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2019-09-04T14:32:12.803Z","description":"[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--9398bf9d-be77-4ac2-acea-893152cafd16","created":"2022-03-30T14:43:46.034Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T14:43:46.034Z","relationship_type":"revoked-by","source_ref":"attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016","created":"2022-04-15T18:12:53.512Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Xiao-KeyRaider","description":"Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.","url":"http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:28:29.839Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.(Citation: Xiao-KeyRaider)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--93b6bf37-5614-4317-8ed7-42f098152c40","created":"2023-02-28T20:39:18.320Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:10:38.672Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can use a SOCKS proxy to evade C2 IP detection.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--93c16b23-305c-418d-9792-6e44525ed85a","created":"2024-04-02T19:14:26.097Z","revoked":false,"external_references":[{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:14:26.097Z","description":"[HilalRAT](https://attack.mitre.org/software/S1128) can access a device’s location.(Citation: Meta Adversarial Threat Report 2022)","relationship_type":"uses","source_ref":"malware--55714f87-6178-4b89-b3e5-d3a643f647ca","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--93c20f43-6684-471c-910f-d9577f289677","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-StealthMango","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"In at least one case, [Stealth Mango](https://attack.mitre.org/software/S0328) may have been installed using physical access to the device by a repair shop.(Citation: Lookout-StealthMango)","modified":"2022-04-19T15:47:05.436Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"modified":"2018-10-17T00:14:20.652Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) update and sends the location of the phone.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a","created":"2024-03-29T15:05:34.232Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-29T15:05:34.232Z","description":"Certain enterprise policies can be applied to prevent users from adding certificates to the device and to prevent applications from being able to install their own certificates. ","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--9432fabf-9487-469c-86c9-b9d26b013c85","created":"2022-04-01T13:13:10.587Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Call Log access an uncommonly needed permission, so users should be instructedto use extra scrutiny when granting access to their call logs. 
","modified":"2022-04-01T13:13:10.587Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348","created":"2022-04-20T17:42:11.714Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Wandera-RedDrop","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.","url":"https://www.wandera.com/reddrop-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:40:15.440Z","description":"[RedDrop](https://attack.mitre.org/software/S0326) uses standard HTTP for exfiltration.(Citation: Wandera-RedDrop)","relationship_type":"uses","source_ref":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f","created":"2019-12-10T16:07:41.083Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList DVMap June 2017","description":"R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.","url":"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:21:03.081Z","description":"[Dvmap](https://attack.mitre.org/software/S0420) can enable installation of apps from unknown sources.(Citation: SecureList DVMap June 2017)","relationship_type":"uses","source_ref":"malware--22b596a6-d288-4409-8520-5f2846f85514","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4","created":"2022-03-28T19:30:27.364Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Security updates may contain patches to integrity checking mechanisms that can detect unauthorized hardware modifications.","modified":"2022-03-28T19:30:27.364Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f","created":"2022-03-28T19:25:38.355Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Security updates may contain patches that inhibit system software 
compromises.","modified":"2022-03-28T19:25:38.355Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--950e1476-83ca-4e81-b542-c91a19b206d7","type":"relationship","created":"2020-04-24T17:46:31.466Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecurityIntelligence TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020."}],"modified":"2020-04-24T17:46:31.466Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can collect device information such as network operator, model, brand, and OS version.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--95725b00-f40e-4a3a-af2a-92156595cd37","created":"2024-04-03T20:07:44.446Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CitizenLab Great iPwn","description":"Marczak, B., et al. (2020, December 20). The Great iPwn. 
Retrieved April 3, 2024.","url":"https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-03T20:12:37.698Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) has used zero-day iMessage exploits for initial access.(Citation: CitizenLab Great iPwn)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--95bf4e8b-f388-48a0-b236-c2077252e71e","type":"relationship","created":"2019-09-03T20:08:00.757Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","source_name":"Talos Gustuff Apr 2019"}],"modified":"2019-09-15T15:35:33.380Z","description":"[Gustuff](https://attack.mitre.org/software/S0406) gathers the device IMEI to send to the command and control server.(Citation: Talos Gustuff Apr 2019)","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--95fec5e4-d48a-471f-8223-711cd32659b8","created":"2022-04-01T18:49:51.050Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T18:49:51.050Z","relationship_type":"revoked-by","source_ref":"attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1","target_ref":"attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--96298aed-9e9f-4836-b29b-04c88e79e53e","created":"2022-04-01T18:42:37.987Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Security updates often contain patches for vulnerabilities that could be exploited for root access. 
Root access is often a requirement to impairing defenses.","modified":"2022-04-01T18:42:37.987Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b","type":"relationship","created":"2020-12-17T20:15:22.397Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019."}],"modified":"2020-12-17T20:15:22.397Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can steal data from various sources, including chat, communication, and social media apps.(Citation: Palo Alto 
HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--96475ee5-39ed-46c5-85f6-f08462875a9e","created":"2024-03-26T18:43:39.910Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T18:43:39.910Z","description":"","relationship_type":"uses","source_ref":"intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394","target_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306","type":"relationship","created":"2020-05-07T15:33:32.778Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CheckPoint Agent Smith","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020."}],"modified":"2020-05-07T15:33:32.778Z","description":"[Agent Smith](https://attack.mitre.org/software/S0440) exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.(Citation: CheckPoint Agent Smith)","relationship_type":"uses","source_ref":"malware--a6228601-03f6-4949-ae22-c1087627a637","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--96569099-db95-4f3c-8ded-6d9cf023e55e","created":"2019-09-03T20:08:00.717Z","x_mitre_version":"1.0","external_references":[{"source_name":"Talos Gustuff Apr 2019","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":" [Gustuff](https://attack.mitre.org/software/S0406) can use SMS for command and control from a defined admin phone number.(Citation: Talos Gustuff Apr 2019) ","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31","created":"2022-09-29T20:11:55.474Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cylance Dust Storm","description":"Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.","url":"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-30T18:39:16.003Z","description":"During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)","relationship_type":"uses","source_ref":"campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--97158eda-5092-4939-8b5c-1ef5ab918089","type":"relationship","created":"2020-04-24T15:12:11.189Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020."}],"modified":"2020-04-24T15:12:11.189Z","description":"[Concipit1248](https://attack.mitre.org/software/S0426) can collect device photos.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--89c3dbf6-f281-41b7-be1d-a0e641014853","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf","type":"relationship","created":"2020-09-11T14:54:16.617Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020."}],"modified":"2020-09-11T14:54:16.617Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect account information stored on the device.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--97408547-bacd-4308-a8be-556e9ff04951","created":"2023-03-20T18:55:23.628Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:43:16.137Z","description":"Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. 
Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--97417113-1840-4e00-98d3-bb222e1a1f60","type":"relationship","created":"2020-07-27T14:14:56.980Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Security Zen","url":"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html","description":"Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020."}],"modified":"2020-08-10T22:18:20.815Z","description":"[Zen](https://attack.mitre.org/software/S0494) base64 encodes one of the strings it searches for.(Citation: Google Security Zen)","relationship_type":"uses","source_ref":"malware--22faaa56-a8ac-4292-9be6-b571b255ee40","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--97738857-d496-4d39-9809-1921e0ad10b7","type":"relationship","created":"2020-12-31T18:25:05.125Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020."}],"modified":"2020-12-31T18:25:05.125Z","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can collect files from the filesystem and account information from Google Chrome.(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--980430c1-6173-440e-b75e-c1cdb4c41560","created":"2023-09-28T17:40:16.985Z","revoked":false,"external_references":[{"source_name":"Zimperium FlyTrap","description":"A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. 
Retrieved September 28, 2023.","url":"https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:40:16.985Z","description":"[FlyTrap](https://attack.mitre.org/software/S1093) can use HTTP to exfiltrate data to the C2 server.(Citation: Zimperium FlyTrap)","relationship_type":"uses","source_ref":"malware--8338393c-cb2e-4ee6-b944-34672499c785","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"forcepoint_bitter","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.","url":"https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"},{"source_name":"Lookout-EnterpriseApps","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T16:16:47.577Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) captures SMS messages.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39","created":"2020-04-08T15:41:19.364Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.111Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can take screenshots.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9819974c-f093-482b-8b2b-93a05ab7382e","created":"2023-08-04T18:31:48.507Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:31:48.507Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate browser history, BlackBerry Messenger files, IMO instant messaging content, and WhatsApp voice notes.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--98360714-5239-442f-9619-d562b4b7ce76","created":"2024-01-26T17:36:10.275Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"checkpoint_flixonline_0421","description":"Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.","url":"https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-16T15:55:55.477Z","description":"[FlixOnline](https://attack.mitre.org/software/S1103) can steal data from a user’s WhatsApp account(s).(Citation: checkpoint_flixonline_0421)","relationship_type":"uses","source_ref":"malware--0ec9593f-3221-49b1-b597-37f307c19f13","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3","created":"2021-02-08T16:36:20.788Z","x_mitre_version":"1.0","external_references":[{"source_name":"BlackBerry Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Windshift](https://attack.mitre.org/groups/G0112) has included keylogging capabilities as part of Operation ROCK.(Citation: BlackBerry Bahamut)","modified":"2022-04-15T17:35:26.197Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--98632824-9fe4-4992-aafe-31c5eac66ec1","created":"2023-12-18T18:18:22.618Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-16T15:47:55.600Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has exfiltrated data to the C2 server using HTTP requests.(Citation: cleafy_brata_0122)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e","created":"2023-02-28T20:34:18.504Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. 
Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:12:45.147Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can use HTTP POST requests on port 80 for communicating with its C2 server.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--98ae9cb2-1141-48c6-81fd-f16adb430031","created":"2023-01-18T19:17:07.565Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:07:52.850Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_EXTERNAL_STORAGE` and `WRITE_EXTERNAL_STORAGE` Android permissions.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9","created":"2023-12-18T18:17:36.795Z","revoked":false,"external_references":[{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"},{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:17:36.796Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has masqueraded as legitimate WhatsApp updates and app security scanners.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--98b14660-79e1-4244-99c2-3dedd84eb68d","type":"relationship","created":"2020-09-11T14:54:16.582Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T14:54:16.582Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can track the device’s location.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a","created":"2020-11-20T16:37:28.475Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Symantec GoldenCup","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:52:20.309Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device’s contact list.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--98fb2884-c912-42ff-9c87-4fbabfa70115","created":"2023-08-08T16:14:01.661Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:14:01.661Z","description":"Application vetting services may potentially determine if an application contains suspicious code and/or 
metadata.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07","created":"2024-03-26T19:05:15.623Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-16T16:35:49.743Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) can collect device metadata.(Citation: fb_arid_viper) ","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4","type":"relationship","created":"2021-10-01T14:42:48.815Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021."}],"modified":"2021-10-01T14:42:48.815Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can record from the device’s camera.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9951d8c0-d210-4776-808b-421b613f244f","created":"2019-09-23T13:36:08.463Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"securelist rotexy 2018","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T16:55:41.638Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) hides its icon after first launch.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f","created":"2020-09-11T14:54:16.642Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Desert Scorpion","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/desert-scorpion-google-play"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:21:19.617Z","description":"If running on a Huawei device, [Desert Scorpion](https://attack.mitre.org/software/S0505) adds itself to the protected apps list, which allows it to run with the screen off.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9","created":"2023-09-25T19:44:41.503Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"MoustachedBouncer ESET August 2023","description":"Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. 
Retrieved September 25, 2023.","url":"https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-30T22:22:13.142Z","description":"[MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used legitimate looking filenames for malicious executables including MicrosoftUpdate845255.exe.(Citation: MoustachedBouncer ESET August 2023)","relationship_type":"uses","source_ref":"intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25","created":"2023-06-09T19:16:28.560Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T20:48:05.605Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can take screenshots and can abuse accessibility services to scrape WhatsApp messages, contacts, and notifications.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9b56528f-cf04-4d81-80ee-7bacb862383a","created":"2023-03-20T18:57:33.693Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T20:52:56.065Z","description":"Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78","created":"2024-04-02T19:13:50.668Z","revoked":false,"external_references":[{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:13:50.668Z","description":"[HilalRAT](https://attack.mitre.org/software/S1128) can activate a device’s camera.(Citation: Meta Adversarial Threat Report 2022)","relationship_type":"uses","source_ref":"malware--55714f87-6178-4b89-b3e5-d3a643f647ca","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9b8b51fb-c380-4516-b109-821f015506d4","created":"2023-03-20T15:40:26.994Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:16:28.207Z","description":"Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application’s manifest, or `NSContactsUsageDescription` in an iOS application’s `Info.plist` file. 
Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9bbfa759-5555-4048-a79d-fed27a1efd93","created":"2023-06-09T19:14:21.299Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-06-09T19:14:21.299Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can access images stored on external storage.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d","created":"2022-04-01T17:06:06.950Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access 
to location information. Users should also protect their account credentials and enable multi-factor authentication options when available. ","modified":"2022-04-01T17:06:06.950Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--9c302eb1-1810-48a5-b34d-6aae303d2097","created":"2022-04-01T15:16:26.387Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be instructed to not open links in applications they don’t recognize.","modified":"2022-04-01T15:16:26.387Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9c545cbb-4949-4695-8d6b-b480478d3e20","created":"2023-12-18T18:08:42.383Z","revoked":false,"external_references":[{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:08:42.383Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can turn off or fake turning off the screen while performing malicious activities.(Citation: securelist_brata_0819)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Kaspersky-WUC","description":"Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.","url":"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}],"modified":"2019-10-15T19:54:10.284Z","description":"[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole geo-location data.(Citation: Kaspersky-WUC)","relationship_type":"uses","source_ref":"malware--d05f7357-4cbe-47ea-bf83-b8604226d533","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9c853c22-7607-4cbd-b114-08aaa4625c35","type":"relationship","created":"2020-12-17T20:15:22.405Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019."}],"modified":"2020-12-28T18:47:52.600Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can collect device information and can check if the device is running MIUI on a Xiaomi device.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2","created":"2023-03-20T18:50:32.580Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:45:40.815Z","description":"Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e","created":"2023-03-20T18:52:52.011Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T14:51:29.206Z","description":"On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. 
Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856","created":"2020-05-04T14:04:56.211Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Bread","description":"A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:03:51.504Z","description":"[Bread](https://attack.mitre.org/software/S0432) communicates with the C2 server using HTTP requests.(Citation: Google Bread)","relationship_type":"uses","source_ref":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9d264e84-27b2-4867-82c8-55486a969d7c","type":"relationship","created":"2020-12-17T20:15:22.489Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019."}],"modified":"2020-12-17T20:15:22.489Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running processes.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7","created":"2023-03-20T18:48:56.995Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:53:41.268Z","description":"Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de","type":"relationship","created":"2019-10-14T20:49:24.571Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","source_name":"securelist rotexy 2018"}],"modified":"2019-10-14T20:49:24.571Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) collects information about running processes.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9","created":"2019-09-04T14:28:15.316Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:26:48.912Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can remount the system partition as read/write to install attacker-specified certificates.(Citation: Lookout-Monokle) 
","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c","type":"relationship","created":"2019-09-04T15:38:56.562Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.","url":"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf","source_name":"FortiGuard-FlexiSpy"}],"modified":"2019-10-14T18:08:28.500Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can communicate with the command and control server over ports 12512 and 12514.(Citation: FortiGuard-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/","description":"Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.","source_name":"TrendMicro-RCSAndroid"}],"modified":"2019-08-09T17:53:48.793Z","description":"[RCSAndroid](https://attack.mitre.org/software/S0295) can monitor clipboard content.(Citation: TrendMicro-RCSAndroid)","relationship_type":"uses","source_ref":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","target_ref":"attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9e458d77-c856-4b02-82a7-50947b232dc3","type":"relationship","created":"2021-10-01T14:42:49.183Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021."}],"modified":"2021-10-06T15:32:46.533Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can download a payload or updates from either its C2 server or email attachments in the adversary’s inbox.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CrowdStrike-Android","description":"CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.","url":"https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"}],"modified":"2018-10-17T00:14:20.652Z","description":"[X-Agent for Android](https://attack.mitre.org/software/S0314) was believed to have been used to obtain locational data of Ukrainian artillery forces.(Citation: CrowdStrike-Android)","relationship_type":"uses","source_ref":"malware--56660521-6db4-4e5a-a927-464f22954b7c","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9e95ef68-0650-49eb-888f-47c211481be9","created":"2023-03-20T18:51:40.217Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T17:16:36.672Z","description":"Application vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. ","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9f83d618-a42d-4797-b9fe-030affdbd13f","created":"2023-01-18T19:46:45.399Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:49:35.020Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can hide and send SMS messages. [SharkBot](https://attack.mitre.org/software/S1055) can also change which application is the device’s default SMS handler.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7","created":"2022-04-15T16:00:43.483Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList DVMap June 2017","description":"R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.","url":"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:52:33.829Z","description":"[Dvmap](https://attack.mitre.org/software/S0420) can turn off `VerifyApps`, and can grant Device Administrator permissions via commands only, rather than using the UI.(Citation: SecureList DVMap June 2017)","relationship_type":"uses","source_ref":"malware--22b596a6-d288-4409-8520-5f2846f85514","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2","created":"2020-07-15T20:20:59.375Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender Mandrake","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:29:29.307Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5","created":"2024-04-17T13:12:54.126Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-17T13:12:54.126Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can communicate with the C2 using HTTPS requests.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--9fdc5fee-2250-4894-8333-466910023533","created":"2024-02-20T23:42:43.674Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:42:43.674Z","description":"Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f","created":"2022-03-30T20:07:33.291Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T20:07:33.291Z","relationship_type":"revoked-by","source_ref":"attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d","type":"relationship","created":"2020-10-29T19:21:23.235Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WeLiveSecurity AdDisplayAshas","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/","description":"L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020."}],"modified":"2020-10-29T19:21:23.235Z","description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has hidden the C2 server address using base-64 encoding. 
(Citation: WeLiveSecurity AdDisplayAshas)","relationship_type":"uses","source_ref":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e","created":"2022-03-30T13:45:39.184Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Device attestation can often detect jailbroken or rooted devices.","modified":"2022-03-30T13:45:39.184Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c","created":"2019-11-21T19:16:34.820Z","x_mitre_version":"1.0","external_references":[{"source_name":"CheckPoint SimBad 2019","url":"https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/","description":"Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[SimBad](https://attack.mitre.org/software/S0419) generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.(Citation: CheckPoint SimBad 2019)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--f79c01eb-2954-40d8-a819-00b342f47ce7","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965","type":"relationship","created":"2020-04-08T15:51:25.106Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"ThreatFabric Ginp","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html","description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020."}],"modified":"2020-04-08T15:51:25.106Z","description":"[Ginp](https://attack.mitre.org/software/S0423) can obtain a list of installed applications.(Citation: ThreatFabric Ginp)","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415","type":"relationship","created":"2020-11-10T17:08:35.819Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-11-10T17:08:35.819Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device’s location and track the device over time.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6","type":"relationship","created":"2019-11-21T16:42:48.501Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/","source_name":"SecureList - ViceLeaker 2019"},{"source_name":"Bitdefender - Triout 2018","url":"https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/","description":"L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020."}],"modified":"2020-01-21T14:20:50.492Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) can collect location information, including GPS coordinates.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f","created":"2022-04-01T12:50:48.459Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T12:50:48.459Z","relationship_type":"revoked-by","source_ref":"attack-pattern--62adb627-f647-498e-b4cc-41499361bacb","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a120ac54-32fa-43ad-a826-8325823b656d","created":"2023-09-22T19:14:12.741Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T19:14:12.741Z","description":"Users should be trained on what device administrator permission 
request prompts look like, and how to avoid granting permissions on phishing popups.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9","type":"relationship","created":"2020-07-20T13:27:33.548Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020."}],"modified":"2020-08-10T22:00:43.490Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) uses `dumpsys` to determine if certain applications are running.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a186540d-d235-48f1-8757-d0b46f13c6ce","created":"2023-06-09T19:20:23.377Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T20:42:33.371Z","description":"(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f","target_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41","created":"2023-01-18T21:43:36.398Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-21T18:44:26.569Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can download attacker-specified files.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f","created":"2019-09-03T19:45:48.518Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SWB Exodus March 2019","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:11:03.802Z","description":"[Exodus](https://attack.mitre.org/software/S0405) Two can capture SMS messages.(Citation: SWB Exodus March 2019)","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a1fac829-275a-409a-9060-e7bd7c63057e","type":"relationship","created":"2020-12-18T20:14:47.375Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020."}],"modified":"2020-12-18T20:14:47.375Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) can obtain a list of installed apps.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58","created":"2023-12-18T18:11:53.531Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:11:53.531Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can use both HTTP and WebSockets to communicate with the C2 server.(Citation: cleafy_brata_0122)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a20493e1-4699-405d-a291-c28aae8ed737","created":"2022-04-18T16:53:24.617Z","x_mitre_version":"0.1","external_references":[{"source_name":"Wandera-RedDrop","url":"https://www.wandera.com/reddrop-malware/","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"[RedDrop](https://attack.mitre.org/software/S0326) uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. 
[RedDrop](https://attack.mitre.org/software/S0326) also downloads additional components (APKs, JAR files) from different C2 servers.(Citation: Wandera-RedDrop) ","modified":"2022-04-20T16:33:23.507Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a20581b4-21fa-4ed9-b056-d139998868e8","created":"2019-09-04T14:28:15.970Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:52:44.819Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can retrieve the device's contact list.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:53:03.638Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52","created":"2019-09-23T13:36:08.459Z","x_mitre_version":"1.0","external_references":[{"source_name":"securelist rotexy 2018","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Rotexy](https://attack.mitre.org/software/S0411) can use phishing overlays to capture users' credit card information.(Citation: securelist rotexy 2018)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a25a0454-d6da-4448-a3c5-33648ee6675a","created":"2023-07-21T19:36:50.262Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:36:50.262Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can collect system information, such as Android version and device identifiers.(Citation: 
lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Gooligan Citation","description":"Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.","url":"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"}],"modified":"2019-10-10T15:18:51.121Z","description":"[Gooligan](https://attack.mitre.org/software/S0290) steals authentication tokens that can be used to access data from multiple Google applications.(Citation: Gooligan Citation)","relationship_type":"uses","source_ref":"malware--20d56cd6-8dff-4871-9889-d32d254816de","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a","created":"2023-03-20T18:53:52.174Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Android-AppLinks","description":"Android. (n.d.). Handling App Links. Retrieved December 21, 2016.","url":"https://developer.android.com/training/app-links/index.html"},{"source_name":"IETF-OAuthNativeApps","description":"W. Denniss and J. Bradley. (2017, October). 
IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.","url":"https://tools.ietf.org/html/rfc8252"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:08:37.797Z","description":"When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a285f343-09c3-49af-9c18-1dccf89e9009","type":"relationship","created":"2020-11-20T16:37:28.391Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020."}],"modified":"2020-11-20T16:37:28.391Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can collect a directory listing of external storage.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd","type":"relationship","created":"2019-09-04T15:38:56.597Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.","url":"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf","source_name":"FortiGuard-FlexiSpy"}],"modified":"2019-09-10T14:59:25.979Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) encrypts its configuration file using AES.(Citation: FortiGuard-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"modified":"2018-10-17T00:14:20.652Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa","type":"relationship","created":"2020-11-24T17:55:12.903Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.903Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7","created":"2024-03-26T18:39:59.604Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"checkpoint_hamas_android_malware","description":"CheckPoint Research. (2020, February 16). 
Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"},{"source_name":"sophos_android_apt_spyware","description":"Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231208015605/https://news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"},{"source_name":"welivesecurity_apt-c-23","description":"Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:23:23.538Z","description":"[APT-C-23](https://attack.mitre.org/groups/G1028) has masqueraded malware as legitimate applications.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)","relationship_type":"uses","source_ref":"intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1","type":"relationship","created":"2020-06-26T14:55:13.289Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason 
EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020."}],"modified":"2020-06-26T14:55:13.289Z","description":"[EventBot](https://attack.mitre.org/software/S0478) can abuse Android’s accessibility service to capture data from installed applications.(Citation: Cybereason EventBot)","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d","created":"2020-07-15T20:20:59.380Z","x_mitre_version":"1.0","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Mandrake](https://attack.mitre.org/software/S0485) has used Firebase for C2.(Citation: Bitdefender Mandrake)","modified":"2022-04-18T19:18:24.378Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209","created":"2020-04-24T15:06:33.449Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro Coronavirus Updates","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:48:05.159Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus 
Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a3c4b392-2879-4f31-9431-3398e034851b","created":"2022-04-06T13:52:37.470Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be cautioned against granting administrative access to applications.","modified":"2022-04-06T13:52:37.470Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c","created":"2020-12-14T14:52:03.385Z","x_mitre_version":"1.0","external_references":[{"source_name":"Sophos Red Alert 2.0","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.(Citation: Sophos Red Alert 2.0)","modified":"2022-04-20T17:56:51.457Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/","description":"Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.","source_name":"Kaspersky-Skygofree"}],"modified":"2019-08-09T18:08:07.183Z","description":"[Skygofree](https://attack.mitre.org/software/S0327) can download executable code from the C2 server after the implant starts or after a specific command.(Citation: Kaspersky-Skygofree)","relationship_type":"uses","source_ref":"malware--3a913bac-4fae-4d0e-bca8-cae452f1599b","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3","created":"2020-12-14T14:52:03.283Z","x_mitre_version":"1.0","external_references":[{"source_name":"Sophos Red Alert 2.0","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP requests over port 7878.(Citation: Sophos Red Alert 2.0)","modified":"2022-04-20T16:43:23.973Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a451966b-f826-422b-9505-f564b9988a9c","created":"2020-12-24T21:55:56.693Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. 
Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:27:39.012Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has used both FTP and TCP sockets for data exfiltration.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a466f8f0-c9da-46d1-80d0-b8654e727526","created":"2023-08-04T18:33:37.920Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:33:37.920Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate a list of installed applications.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8","created":"2023-02-06T18:59:15.881Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:21:10.915Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device information such as manufacturer, model, version, serial number, and telephone number.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d","created":"2023-12-18T18:09:34.167Z","revoked":false,"external_references":[{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"},{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:09:34.167Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can insert a given string of text into a data field. 
[BRATA](https://attack.mitre.org/software/S1094) can abuse the Accessibility Service to interact with other installed applications and inject screen taps to grant permissions.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9","type":"relationship","created":"2020-12-24T21:55:56.753Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:55:56.753Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploit tools to gain root, such as TowelRoot.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a","created":"2020-10-29T19:21:23.143Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"WeLiveSecurity AdDisplayAshas","description":"L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.","url":"https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:48:18.023Z","description":"[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has registered to receive the `BOOT_COMPLETED` broadcast intent to activate on device startup.(Citation: WeLiveSecurity AdDisplayAshas)","relationship_type":"uses","source_ref":"malware--f7e7b736-2cff-4c2a-9232-352cd383463a","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a54c8c09-c849-4146-a7cc-158887222a6d","created":"2020-12-24T21:45:56.969Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. 
(2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:15:05.454Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) can access SMS messages.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a563fc97-a452-4348-a831-f4fb55c71e35","created":"2023-03-03T16:22:45.712Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:22:45.712Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has used fake Verisign and Symantec certificates to bypass malware detection systems. 
[YiSpecter](https://attack.mitre.org/software/S0311) has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e","created":"2023-12-05T22:15:36.939Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-05T22:15:36.939Z","description":"Mobile security products can often alert the user if their device is vulnerable to known exploits. ","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a5b37f26-7629-4195-9536-12e349e5843b","created":"2023-03-20T18:51:04.334Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T14:54:47.199Z","description":"Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a5b72279-f99e-4f03-8669-04322b40ee6b","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro-XLoader","description":"Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}],"modified":"2020-07-20T13:49:03.710Z","description":"[XLoader for Android](https://attack.mitre.org/software/S0318) loads an encrypted DEX code payload.(Citation: TrendMicro-XLoader)","relationship_type":"uses","source_ref":"malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d","created":"2019-09-03T20:08:00.760Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos Gustuff Apr 2019","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:11:36.853Z","description":"[Gustuff](https://attack.mitre.org/software/S0406) communicates with the command and control server using HTTP requests.(Citation: Talos Gustuff Apr 2019)","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b","created":"2023-03-20T18:59:46.622Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:03:56.766Z","description":"Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a609b20b-6955-4c59-84d4-a3496d95fba1","created":"2023-12-18T18:18:05.554Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:18:05.554Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has compressed data with the `zlib` library before exfiltration.(Citation: cleafy_brata_0122)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860","created":"2023-12-18T19:07:14.211Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:07:14.211Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can record the screen.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2","created":"2020-07-27T14:14:57.020Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Security Zen","description":"Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.","url":"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:52:46.975Z","description":"[Zen](https://attack.mitre.org/software/S0494) can modify the SELinux enforcement mode.(Citation: Google Security Zen)","relationship_type":"uses","source_ref":"malware--22faaa56-a8ac-4292-9be6-b571b255ee40","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072","type":"relationship","created":"2020-09-11T15:14:34.064Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SMS KitKat","url":"https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html","description":"S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020."}],"modified":"2020-10-22T17:04:15.708Z","description":"Users should be encouraged to be very careful with what applications they grant SMS access to. 
Further, users should not change their default SMS handler to applications they do not recognize.(Citation: SMS KitKat)","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a68b17af-5277-4722-9a2d-0924f07ca421","created":"2023-12-18T18:12:15.138Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:12:15.138Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can view a device through VNC.(Citation: cleafy_brata_0122)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2","created":"2023-01-18T21:24:28.714Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:55:39.648Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can use a Domain Generation Algorithm to decode the C2 server location.(Citation: nccgroup_sharkbot_0322) ","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","source_name":"Lookout-StealthMango"}],"modified":"2019-10-15T19:44:36.177Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) collects and uploads information about changes in SIM card or phone numbers on the device.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a76d731b-484c-442a-b1a3-255d8398aefd","type":"relationship","created":"2019-10-10T15:22:52.545Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro-RCSAndroid","description":"Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}],"modified":"2019-10-10T15:22:52.545Z","description":"[RCSAndroid](https://attack.mitre.org/software/S0295) can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.(Citation: TrendMicro-RCSAndroid)","relationship_type":"uses","source_ref":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360","created":"2023-08-08T22:50:32.635Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:52:18.036Z","description":"The user can view applications that have registered accessibility services in the accessibility menu within the device settings.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:13:36.481Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses calendar entries.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2018-10-17T00:14:20.652Z","relationship_type":"revoked-by","source_ref":"attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc","target_ref":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"NYTimes-BackDoor","description":"Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.","url":"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:53:24.312Z","description":"[Adups](https://attack.mitre.org/software/S0309) transmitted contact lists.(Citation: NYTimes-BackDoor)","relationship_type":"uses","source_ref":"malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a808c887-b2b8-4b05-9cab-47c918e48d48","type":"relationship","created":"2020-12-14T15:02:35.257Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Securelist Asacub","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020."}],"modified":"2020-12-14T15:02:35.257Z","description":"[Asacub](https://attack.mitre.org/software/S0540) can send SMS messages from compromised devices.(Citation: Securelist Asacub) ","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03","created":"2020-12-24T21:45:56.962Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:14:46.472Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) can access call logs.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7","type":"relationship","created":"2019-03-11T15:13:40.425Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. 
Retrieved November 30, 2018.","url":"https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A","source_name":"TrendMicro-Anserver2"}],"modified":"2019-10-15T19:55:04.517Z","description":"[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device OS version, device build version, manufacturer, and model.(Citation: TrendMicro-Anserver2)","relationship_type":"uses","source_ref":"malware--4bf6ba32-4165-42c1-b911-9c36165891c8","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a8565c17-7054-4d3f-bca5-6e17dc931491","created":"2023-03-03T16:20:08.033Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:20:08.033Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has used private APIs to download and install other pieces of itself, as well as other malicious apps. 
(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5","type":"relationship","created":"2019-09-03T20:08:00.764Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","source_name":"Talos Gustuff Apr 2019"}],"modified":"2019-09-15T15:35:33.379Z","description":"[Gustuff](https://attack.mitre.org/software/S0406) gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.(Citation: Talos Gustuff Apr 2019)","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84","type":"relationship","created":"2019-07-10T15:35:43.708Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). 
Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-08-09T18:06:11.797Z","description":"[Pallas](https://attack.mitre.org/software/S0399) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388","created":"2022-03-30T20:36:18.656Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check. 
","modified":"2022-03-30T20:36:18.656Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce","created":"2022-04-01T18:42:50.381Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses.","modified":"2022-04-01T18:42:50.381Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c","type":"relationship","created":"2019-09-23T13:36:08.390Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","source_name":"securelist rotexy 2018"}],"modified":"2019-10-14T20:49:24.646Z","description":"Starting in 2017, the [Rotexy](https://attack.mitre.org/software/S0411) DEX file was packed with garbage strings and/or operations.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--a92a805e-d5f5-4e94-8592-c253e03e4476","created":"2022-03-31T19:51:15.415Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android Package Visibility","url":"https://developer.android.com/training/package-visibility","description":"Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)","modified":"2022-04-11T19:19:34.658Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a93ee044-bd5d-48f3-972e-0abab780c35c","created":"2023-02-08T20:05:06.786Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:21:22.070Z","description":"[TianySpy](https://attack.mitre.org/software/S1056) can steal information via malicious JavaScript.(Citation: trendmicro_tianyspy_0122)","relationship_type":"uses","source_ref":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","target_ref":"attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a95fe853-d1d1-47dc-a776-b905daacfe32","created":"2020-06-26T20:16:32.181Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ESET DEFENSOR ID","description":"L. Stefanko. (2020, May 22). 
Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.","url":"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:11:53.609Z","description":"[DEFENSOR ID](https://attack.mitre.org/software/S0479) has used Firebase Cloud Messaging for C2.(Citation: ESET DEFENSOR ID) ","relationship_type":"uses","source_ref":"malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530","type":"relationship","created":"2020-01-27T17:05:58.213Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:05:58.213Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of installed applications.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9","created":"2022-04-01T17:08:15.158Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CSRIC5-WG10-FinalReport","description":"Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. 
Retrieved May 24, 2017.","url":"https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-15T15:06:03.429Z","description":"Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC5-WG10-FinalReport) ","relationship_type":"mitigates","source_ref":"course-of-action--e829ee51-1caf-4665-ba15-7f8979634124","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c","type":"relationship","created":"2021-02-17T20:43:52.410Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020."}],"modified":"2021-02-17T20:43:52.410Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0","created":"2019-09-03T20:08:00.711Z","x_mitre_version":"1.0","external_references":[{"source_name":"Group IB Gustuff Mar 2019","url":"https://www.group-ib.com/blog/gustuff","description":"Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019."},{"source_name":"Talos Gustuff Apr 2019","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","description":"Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Gustuff](https://attack.mitre.org/software/S0406) uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. 
[Gustuff](https://attack.mitre.org/software/S0406) can also send push notifications pretending to be from a bank, triggering a phishing overlay.(Citation: Talos Gustuff Apr 2019)(Citation: Group IB Gustuff Mar 2019)","modified":"2022-04-19T19:42:17.904Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0","created":"2022-04-01T16:52:03.322Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T16:52:03.322Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","target_ref":"attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--aa468fe9-e580-41da-a888-100a799e8c6b","created":"2024-04-02T18:59:32.494Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:00:02.189Z","description":"[UNC788](https://attack.mitre.org/groups/G1029) has used phishing and social engineering to distribute malware.(Citation: Meta Adversarial Threat Report 2022)","relationship_type":"uses","source_ref":"intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5","created":"2019-08-08T18:47:57.655Z","x_mitre_version":"1.0","external_references":[{"source_name":"Android 10 Privacy Changes","url":"https://developer.android.com/about/versions/10/privacy/changes#clipboard-data","description":"Android Developers. (n.d.). Privacy changes in Android 10. 
Retrieved September 11, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device’s default IME.(Citation: Android 10 Privacy Changes) ","modified":"2022-04-01T16:35:38.189Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443","created":"2020-07-20T13:49:03.676Z","x_mitre_version":"1.0","external_references":[{"source_name":"TrendMicro-XLoader-FakeSpy","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[XLoader for Android](https://attack.mitre.org/software/S0318) has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.(Citation: TrendMicro-XLoader-FakeSpy)","modified":"2022-04-20T17:58:16.567Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c","target_ref":"attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Gooligan Citation","description":"Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.","url":"http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"}],"modified":"2019-10-10T15:18:51.154Z","description":"[Gooligan](https://attack.mitre.org/software/S0290) executes Android root exploits.(Citation: Gooligan Citation)","relationship_type":"uses","source_ref":"malware--20d56cd6-8dff-4871-9889-d32d254816de","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"forcepoint_bitter","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.","url":"https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"},{"source_name":"Lookout-EnterpriseApps","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T16:16:25.430Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) collects contact list information.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ab18ee61-f94a-411c-9893-941714ce713e","created":"2023-03-20T18:44:26.642Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:47:05.294Z","description":"Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of 
them.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920","created":"2022-04-05T19:46:22.326Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.","modified":"2022-04-05T19:46:22.326Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:41:16.869Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"revoked-by","source_ref":"attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac","target_ref":"attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--abd2e863-4bd3-4686-b2aa-f8a097a
41c99","created":"2017-10-25T14:48:53.742Z","x_mitre_version":"1.0","external_references":[{"source_name":"Elcomsoft-iOSRestricted","url":"https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/","description":"Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. Retrieved September 21, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"iOS 11.4.1 and higher introduce USB Restricted Mode, which disables data access through the device's charging port under certain conditions (making the port only usable for power), likely preventing this technique from working.(Citation: Elcomsoft-iOSRestricted)","modified":"2022-04-01T15:35:28.360Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--abf03652-acd0-4361-8a66-f7e70e8e4376","created":"2020-06-02T14:32:31.913Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Volexity Insomnia","description":"A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.","url":"https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:12:12.766Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) communicates with the C2 server using HTTPS requests.(Citation: Volexity Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783","created":"2023-03-20T18:55:51.580Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:57:46.908Z","description":"An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). 
","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f","created":"2022-03-30T19:28:55.980Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Security updates typically provide patches for vulnerabilities that could be abused by malicious applications.","modified":"2022-03-30T19:28:55.980Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ac415e32-e204-4382-b500-2370cec7a608","created":"2023-08-16T16:45:58.547Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:45:58.547Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can download new code at runtime.(Citation: cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2018-10-17T00:14:20.652Z","relationship_type":"revoked-by","source_ref":"attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431","target_ref":"attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77","type":"relationship","created":"2020-06-26T15:32:25.035Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020."},{"source_name":"CheckPoint Cerberus","url":"https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/","description":"A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020."}],"modified":"2020-06-26T15:32:25.035Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) can collect device information, such as the default SMS app and device locale.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c","type":"relationship","created":"2019-09-03T19:45:48.512Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019."}],"modified":"2019-09-11T13:25:19.210Z","description":"[Exodus](https://attack.mitre.org/software/S0405) Two attempts to connect to port 22011 to provide a remote reverse shell.(Citation: SWB Exodus March 2019)","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa","created":"2023-02-06T19:05:28.288Z","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-06T19:05:28.288Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can collect files from or inspect the device’s filesystem.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e","created":"2022-03-30T18:07:07.306Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile 
restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. ","modified":"2022-03-30T18:07:07.306Z","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ada67532-039d-4b4f-93ab-82ceba13ec56","created":"2023-07-21T19:53:12.605Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:53:12.605Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can access text message history.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--adc9957c-fa57-4e81-9231-b60f01b69859","type":"relationship","created":"2020-12-24T22:04:28.010Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. 
Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:28.010Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) can download new code to update itself.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee","created":"2023-07-21T19:51:55.111Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:51:55.111Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can intercept and imitate phone conversations by breaking the connection and displaying a fake call screen. 
It can also make outgoing calls and spoof incoming calls.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025","created":"2024-03-29T15:07:01.237Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-29T15:07:01.237Z","description":"Application vetting services can detect certificate pinning by examining an application’s `network_security_config.xml` file, although this behavior can be benign.","relationship_type":"detects","source_ref":"x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa","target_ref":"attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ae8619a9-9142-4f0f-8778-09756341b472","created":"2024-03-29T15:07:58.597Z","revoked":false,"external_references":[{"source_name":"Lookout eSurv","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/esurv-research"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-29T15:07:58.597Z","description":"[eSurv](https://attack.mitre.org/software/S0507)’s Android version has used certificate pinning for C2 communication.(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4","created":"2024-02-20T23:39:08.717Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:39:08.717Z","description":"","relationship_type":"subtechnique-of","source_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415","created":"2022-03-30T14:50:07.291Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Device attestation could detect unauthorized operating system 
modifications.","modified":"2022-03-30T14:50:07.291Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--af06eaaa-161e-4913-8668-49bdd25b2eff","created":"2024-02-21T20:47:45.488Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T20:47:45.488Z","description":"Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f","type":"relationship","created":"2020-07-15T20:20:59.305Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.305Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--afba6b19-7486-4e5a-8fda-e91852b0b354","type":"relationship","created":"2021-09-20T13:42:21.104Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-09-27T18:05:43.107Z","description":"Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--afc0e8b2-2e85-4640-8517-fb2e16831082","created":"2023-01-18T19:45:27.807Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:56:03.190Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can use a WebView with a fake log in site to capture banking credentials.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"modified":"2019-10-10T15:27:22.110Z","description":"[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to record calls as well as the victim device's environment.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--35aae10a-97c5-471a-9c67-02c231a7a31a","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--afe9e326-01f7-4296-a11b-09cfffd80120","type":"relationship","created":"2020-07-27T14:14:56.962Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Security Zen","url":"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html","description":"Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020."}],"modified":"2020-08-10T22:18:20.747Z","description":"[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads and system prompts to create new Google accounts.(Citation: Google Security Zen)","relationship_type":"uses","source_ref":"malware--22faaa56-a8ac-4292-9be6-b571b255ee40","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b018fe06-740b-4864-b30a-f047598506b3","type":"relationship","created":"2020-04-24T15:06:33.510Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020."}],"modified":"2020-04-24T15:06:33.510Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can collect various pieces of device information, including OS version, phone model, and manufacturer.(Citation: TrendMicro Coronavirus Updates) ","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4","created":"2024-03-28T18:30:23.877Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:39:52.340Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device’s information, such as SIM serial number, SIM serial number, etc.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694","type":"relationship","created":"2021-01-05T20:16:20.514Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.514Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can list all hidden files in the `/DCIM/.dat/` directory.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b0625604-e4c4-402b-b191-f43137d38d99","created":"2020-11-20T15:44:57.481Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Symantec GoldenCup","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:29:50.160Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can collect sent and received SMS messages.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c","created":"2023-07-21T19:41:31.114Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:41:31.114Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) has been installed using the package name `com.android.callservice`, pretending to be an Android system service.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69","created":"2019-10-14T19:14:18.673Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Group IB Gustuff Mar 2019","description":"Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named «Gustuff» capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. 
Retrieved September 3, 2019.","url":"https://www.group-ib.com/blog/gustuff"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:32:47.359Z","description":"[Gustuff](https://attack.mitre.org/software/S0406) hides its icon after installation.(Citation: Group IB Gustuff Mar 2019) ","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc","created":"2023-02-28T20:37:01.639Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:13:55.642Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can use `locale.getLanguage()` to choose the language for notifications and avoid user detection.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b110d919-acd4-4fe0-a46a-ac4819508667","created":"2020-07-20T13:58:53.589Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro-XLoader-FakeSpy","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:21:35.992Z","description":"[XLoader for iOS](https://attack.mitre.org/software/S0490) has been installed via a malicious configuration profile.(Citation: TrendMicro-XLoader-FakeSpy)","relationship_type":"uses","source_ref":"malware--29944858-da52-4d3d-b428-f8a6eb8dde6f","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3","created":"2023-12-18T18:16:45.155Z","revoked":false,"external_references":[{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:16:45.155Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access.(Citation: securelist_brata_0819)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b19082d2-c151-45dd-8844-82335fbe3ed9","created":"2023-02-28T21:43:54.880Z","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T21:43:54.880Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can send text messages.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83","type":"relationship","created":"2020-12-24T21:45:56.986Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:45:56.986Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) can install new applications which are obtained from the C2 server.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b","created":"2023-10-10T15:33:59.058Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout FrozenCell","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.","url":"https://blog.lookout.com/frozencell-mobile-threat"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.058Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.(Citation: Lookout FrozenCell) ","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--b22addc1-6a23-4657-8164-3705e12bb95b","created":"2023-07-21T19:40:41.725Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). 
Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:40:41.725Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can use SMS to send C2 commands.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5","created":"2024-02-21T20:46:00.252Z","revoked":false,"external_references":[{"source_name":"TelephonyManager","description":"Android. (n.d.). TelephonyManager. 
Retrieved December 21, 2016.","url":"https://developer.android.com/reference/android/telephony/TelephonyManager.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T20:46:00.252Z","description":"Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2","type":"relationship","created":"2020-06-26T15:32:25.062Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020."}],"modified":"2020-06-26T15:32:25.062Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) can obtain a list of installed applications.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e","created":"2022-03-30T20:45:34.433Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android Package Visibility","url":"https://developer.android.com/training/package-visibility","description":"Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)","modified":"2022-04-11T19:19:52.562Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"ArsTechnica-HummingWhale","url":"http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/","description":"Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017."}],"x_mitre_deprecated":false,"revoked":false,"description":"[HummingWhale](https://attack.mitre.org/software/S0321) generates revenue by displaying fraudulent ads and automatically installing apps. 
When victims try to close the ads, [HummingWhale](https://attack.mitre.org/software/S0321) runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.(Citation: ArsTechnica-HummingWhale)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b2896068-4d54-41e1-b0f2-db9385615112","type":"relationship","created":"2021-01-05T20:16:20.426Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.426Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) has shown a persistent notification to maintain access to device sensors.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b309c25a-6baf-4874-829d-63712a38652c","created":"2023-02-06T19:02:16.194Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:21:41.461Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself camera permissions.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545","created":"2019-09-23T13:36:08.429Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"securelist rotexy 2018","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T16:56:23.365Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. 
[Rotexy](https://attack.mitre.org/software/S0411) can also send a list of all SMS messages on the device to the command and control server.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b356d405-f6b1-485b-bd35-236b9da766d2","type":"relationship","created":"2020-04-24T17:46:31.586Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecurityIntelligence TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020."}],"modified":"2020-04-27T15:27:26.539Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0","created":"2020-10-29T17:48:27.394Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:30:18.307Z","description":"[Exobot](https://attack.mitre.org/software/S0522) can intercept SMS messages.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7","created":"2023-03-20T15:33:34.181Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T17:19:28.650Z","description":"System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab","created":"2023-01-18T19:58:21.223Z","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-01-18T19:58:21.223Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) has used RSA to encrypt the symmetric encryption key used for C2 messages.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312","created":"2023-10-10T15:33:59.311Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.311Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"PaloAlto-WireLurker","description":"Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.","url":"https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[WireLurker](https://attack.mitre.org/software/S0312) obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.(Citation: PaloAlto-WireLurker)","relationship_type":"uses","source_ref":"malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b402664b-a5b4-45e4-832f-02638e6c67a7","created":"2022-04-01T14:59:17.991Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary’s access to password stores. ","modified":"2022-04-01T14:59:17.991Z","relationship_type":"mitigates","source_ref":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","target_ref":"attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213","created":"2022-04-20T17:31:58.697Z","x_mitre_version":"0.1","external_references":[{"source_name":"TrendMicro Coronavirus Updates","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/","description":"T. Bao, J. Lu. (2020, April 14). 
Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Corona Updates](https://attack.mitre.org/software/S0425) has exfiltrated data using FTP.(Citation: TrendMicro Coronavirus Updates)","modified":"2022-04-20T17:31:58.697Z","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--37047267-3e56-453c-833e-d92b68118120","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"forcepoint_bitter","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.","url":"https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"},{"source_name":"Lookout-EnterpriseApps","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T16:17:55.260Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) gathers audio from the microphone.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b43c87a7-de40-4673-9808-57c7ffca7b98","created":"2023-07-21T19:54:21.877Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:54:21.877Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) has masqueraded as popular Korean banking apps.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be","created":"2021-02-17T20:43:52.337Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout 
FrozenCell","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.","url":"https://blog.lookout.com/frozencell-mobile-threat"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:30:32.294Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has read SMS messages for exfiltration.(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1","type":"relationship","created":"2021-10-01T14:42:49.184Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021."}],"modified":"2021-10-01T14:42:49.184Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can collect the device’s location information based on cellular network or GPS coordinates.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b4735277-516a-4cd2-9607-a3e415945d93","type":"relationship","created":"2020-11-10T17:08:35.800Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2021-09-20T13:54:20.494Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) can remotely capture device audio.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b477afcb-7449-4fae-b4aa-c512c22d7500","type":"relationship","created":"2020-09-15T15:18:12.394Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason FakeSpy","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020."}],"modified":"2020-09-15T15:18:12.394Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can send SMS messages.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd","created":"2021-02-08T16:36:20.707Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"BlackBerry Bahamut","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:05:01.189Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has installed malicious MDM profiles on iOS devices as part of Operation ROCK.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f","type":"relationship","created":"2020-12-17T20:15:22.445Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019."}],"modified":"2020-12-17T20:15:22.445Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can access the device’s camera.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b536f233-8c43-4671-b8e8-d72a4806946d","created":"2022-04-05T17:14:23.789Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T17:14:23.789Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","target_ref":"attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b53d1c92-b71f-434e-aa4f-08b8db765248","type":"relationship","created":"2019-07-10T15:25:57.604Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"modified":"2019-08-12T17:30:07.572Z","description":"[FinFisher](https://attack.mitre.org/software/S0182) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--a5528622-3a8a-4633-86ce-8cdaf8423858","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551","type":"relationship","created":"2021-02-08T16:36:20.698Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"BlackBerry Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021."}],"modified":"2021-05-24T13:16:56.412Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070","created":"2020-12-18T20:14:47.302Z","x_mitre_version":"1.0","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has used Firebase for C2 communication.(Citation: WhiteOps TERRACOTTA)","modified":"2022-04-18T19:18:56.475Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b5f3b110-fc66-4369-89f3-621c945d655f","type":"relationship","created":"2020-04-27T16:52:49.444Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Triada June 2019","url":"https://security.googleblog.com/2019/06/pha-family-highlights-triada.html","description":"Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019."}],"modified":"2020-04-27T16:52:49.444Z","description":"[Triada](https://attack.mitre.org/software/S0424) encrypts data prior to exfiltration.(Citation: Google Triada June 2019) ","relationship_type":"uses","source_ref":"malware--f082fc59-0317-49cf-971f-a1b6296ebb52","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b610c587-576a-40cc-9f76-6362455c8ff4","created":"2023-03-20T18:43:01.334Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:49:09.975Z","description":"Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b6323cf4-8141-4910-8743-e42cd15b49e9","created":"2023-07-21T19:53:59.148Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:53:59.148Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can send exfiltrated data back to the C2 server.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b641e5b8-5981-452a-99f0-3598c783e5ee","created":"2019-08-07T15:57:13.443Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky Riltok June 2019","description":"Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.","url":"https://securelist.com/mobile-banker-riltok/91374/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:30:47.506Z","description":"[Riltok](https://attack.mitre.org/software/S0403) can intercept incoming SMS messages.(Citation: Kaspersky Riltok June 2019)","relationship_type":"uses","source_ref":"malware--c0efbaae-9e7d-4716-a92d-68373aac7424","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b6726136-3c20-4921-a0cb-75a66f59107c","type":"relationship","created":"2020-09-11T16:22:03.296Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout ViperRAT","url":"https://blog.lookout.com/viperrat-mobile-apt","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T16:22:03.296Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro-Obad","description":"Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.","url":"http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[OBAD](https://attack.mitre.org/software/S0286) contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.(Citation: TrendMicro-Obad)","relationship_type":"uses","source_ref":"malware--ca4f63b9-a358-4214-bb26-8c912318cfde","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b697a198-8949-43e0-b2b8-23498373c920","created":"2023-03-20T18:37:13.628Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:28:09.643Z","description":"Application vetting services may provide 
a list of connections made or received by an application, or a list of domains contacted by the application.","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34","created":"2023-08-23T22:48:11.931Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-23T22:50:11.248Z","description":"[Gustuff](https://attack.mitre.org/software/S0406) may prevent application removal by abusing Android’s ` performGlobalAction(int)` API call. ","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"PaloAlto-DualToy","description":"Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.","url":"https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[DualToy](https://attack.mitre.org/software/S0315) side loads malicious or risky apps to both Android and iOS devices via a USB connection.(Citation: PaloAlto-DualToy)","relationship_type":"uses","source_ref":"malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878","target_ref":"attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Pegasus","description":"Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}],"modified":"2018-10-17T00:14:20.652Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) has the ability to record audio.(Citation: Lookout-Pegasus)","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b7a31a11-6c84-4c28-a548-4751e4d71134","created":"2020-05-04T14:04:56.158Z","x_mitre_version":"1.0","external_references":[{"source_name":"Google Bread","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html","description":"A. Guertin, V. 
Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Bread](https://attack.mitre.org/software/S0432) can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.(Citation: Google Bread)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10","created":"2023-03-03T15:36:15.840Z","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T15:36:15.840Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can access device call logs.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87","type":"relationship","created":"2021-01-05T20:16:20.495Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.495Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect device photos and credentials from other applications.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f","created":"2020-10-29T19:01:13.839Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Microsoft MalLockerB","description":"D. 
Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.","url":"https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:54:05.374Z","description":"[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) can prevent the user from interacting with the UI by using a carefully crafted \"call\" notification screen. This is coupled with overriding the `onUserLeaveHint()` callback method to spawn a new notification instance when the current one is dismissed. (Citation: Microsoft MalLockerB)","relationship_type":"uses","source_ref":"malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce","target_ref":"attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"HackerNews-Allwinner","url":"https://thehackernews.com/2016/05/android-kernal-exploit.html","description":"Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) reportedly contained an simple backdoor that could be used to obtain root access. 
It was believed to have been left in the kernel by mistake by the authors.(Citation: HackerNews-Allwinner)","modified":"2022-04-15T15:16:35.892Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--08784a9d-09e9-4dce-a839-9612398214e8","target_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a","created":"2023-09-28T17:26:10.893Z","revoked":false,"external_references":[{"source_name":"kaspersky_fakecalls_0422","description":"Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.","url":"https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:26:10.893Z","description":"[Fakecalls](https://attack.mitre.org/software/S1080) can manipulate a device’s call log, including deleting incoming calls.(Citation: kaspersky_fakecalls_0422)","relationship_type":"uses","source_ref":"malware--429e1526-6293-495b-8808-af7f9a66c4be","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b8606318-8c12-4381-ba33-5b2321772ea0","created":"2022-03-30T20:31:57.183Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be advised to be extra scrutinous of applications that request location or sensitive phone information permissions, and to deny any permissions requests for 
applications they do not recognize.","modified":"2022-03-30T20:31:57.183Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--498e7b81-238d-404c-aa5e-332904d63286","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98","created":"2023-09-28T17:39:35.622Z","revoked":false,"external_references":[{"source_name":"Trend Micro FlyTrap","description":"Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.","url":"https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:39:35.622Z","description":"[FlyTrap](https://attack.mitre.org/software/S1093) has used infected applications with Facebook login prompts to steal credentials.(Citation: Trend Micro FlyTrap)","relationship_type":"uses","source_ref":"malware--8338393c-cb2e-4ee6-b944-34672499c785","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c","created":"2022-04-01T16:51:20.688Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should scrutinize every device administration permission request. 
If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately.","modified":"2022-04-01T16:51:20.688Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc","type":"relationship","created":"2020-06-02T14:32:31.871Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Project Zero Insomnia","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html","description":"I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020."}],"modified":"2020-06-24T18:24:35.795Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49","type":"relationship","created":"2020-12-24T22:04:28.004Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. 
Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:28.004Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has checked for system root.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51","created":"2020-12-14T14:52:03.359Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Sophos Red Alert 2.0","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:12:27.624Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP.(Citation: Sophos Red Alert 2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ba116807-ef1c-4621-84c8-9921fa7b735e","created":"2023-09-28T17:19:21.499Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). 
Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:19:21.499Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can request the `GET_ACCOUNTS` permission to get the list of accounts on the device, and can collect media files.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6","type":"relationship","created":"2020-07-15T20:20:59.296Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.296Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can collect the device’s location.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae","type":"relationship","created":"2020-11-10T17:08:35.746Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-01T19:48:44.878Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d","type":"relationship","created":"2020-07-15T20:20:59.294Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.294Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can obtain a list of installed applications.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf","created":"2023-08-09T14:38:34.721Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T14:38:34.721Z","description":"Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106","type":"relationship","created":"2020-12-14T14:52:03.255Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Sophos Red Alert 
2.0","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020."}],"modified":"2020-12-14T14:52:03.255Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) has stored data embedded in the strings.xml resource file.(Citation: Sophos Red Alert 2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf","created":"2023-03-20T18:59:14.759Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:31:10.270Z","description":"Application vetting services can detect unnecessary and potentially abused API calls.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630","created":"2020-07-15T20:20:59.300Z","x_mitre_version":"1.0","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Mandrake](https://attack.mitre.org/software/S0485) can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.(Citation: Bitdefender Mandrake)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"FireEye-RuMMS","description":"Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.","url":"https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}],"modified":"2018-10-17T00:14:20.652Z","description":"[RuMMS](https://attack.mitre.org/software/S0313) gathers device model and operating system version information and transmits it to a command and control server.(Citation: FireEye-RuMMS)","relationship_type":"uses","source_ref":"malware--936be60d-90eb-4c36-9247-4b31128432c4","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387","created":"2023-06-09T19:09:30.333Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T19:15:08.695Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can gather device call logs.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402","created":"2021-10-01T14:42:49.178Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList BusyGasper","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021.","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:25:39.509Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can collect SMS messages.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bba8b056-acbe-4fed-b890-965a446d7a3c","created":"2022-04-01T18:45:00.923Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be warned against granting access to accessibility features and device administration services, and to carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process.","modified":"2022-04-01T18:45:00.923Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af","created":"2023-01-18T21:20:01.333Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. 
(2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:56:41.614Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can use HTTP to send C2 messages to infected devices.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735","created":"2024-03-28T18:32:33.555Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_strongpity","description":"Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023.","url":"https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html"},{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:40:02.581Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate to the C2 server using HTTPS.(Citation: welivesec_strongpity)(Citation: trendmicro_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1","type":"relationship","created":"2020-11-24T17:55:12.887Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.887Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can collect the device’s model, country, and Android version.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","external_references":[{"source_name":"Kaspersky-Skygofree","url":"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/","description":"Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via binary SMS.(Citation: Kaspersky-Skygofree)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--3a913bac-4fae-4d0e-bca8-cae452f1599b","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2","created":"2023-03-20T18:51:44.864Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:08:11.867Z","description":"The user can examine the list of all installed applications, including those with a suppressed icon, in 
the device settings. If the user is redirected to the device settings when tapping an application’s icon, they should inspect the application to ensure it is genuine.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler-SpyNote","description":"Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.","url":"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}],"modified":"2019-10-10T15:24:09.378Z","description":"[SpyNote RAT](https://attack.mitre.org/software/S0305) can copy files from the device to the C2 server.(Citation: Zscaler-SpyNote)","relationship_type":"uses","source_ref":"malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1","created":"2023-08-14T16:31:37.179Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:31:37.179Z","description":"Many properly configured firewalls may naturally block command and control 
traffic.","relationship_type":"detects","source_ref":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","target_ref":"attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bc79a212-139f-4dce-be72-e90585f38f03","created":"2023-03-16T18:31:37.091Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T21:11:17.731Z","description":"The user can view their default phone app in device settings.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8","created":"2019-11-21T16:42:48.459Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList - ViceLeaker 2019","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:37:19.124Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) can delete arbitrary files from the device.(Citation: SecureList - ViceLeaker 2019)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bc870a55-5499-4146-91ef-ea74647c3e10","created":"2023-07-12T20:50:03.159Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-12T20:50:03.159Z","description":"Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a","created":"2022-03-30T19:54:43.835Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. 
","modified":"2022-03-30T19:54:43.835Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19","type":"relationship","created":"2021-02-17T20:43:52.381Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020."}],"modified":"2021-02-17T20:43:52.381Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved account information for other applications.(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8","created":"2022-04-15T15:57:32.958Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender Mandrake","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:21:49.009Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can enable app installation from unknown sources.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bd29ce15-1771-470c-a74b-5ea90832ce23","created":"2020-12-24T22:04:27.911Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:31:11.269Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has collected SMS messages.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bd351b17-e995-4528-bbea-e1138c51476a","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.","source_name":"PaloAlto-SpyDealer"}],"modified":"2019-08-09T17:56:05.683Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c","created":"2020-09-11T14:54:16.646Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Desert Scorpion","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.","url":"https://blog.lookout.com/desert-scorpion-google-play"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:45:14.199Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can hide its icon.(Citation: Lookout Desert 
Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9","created":"2022-04-01T13:19:41.207Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T13:19:41.207Z","relationship_type":"revoked-by","source_ref":"attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1","created":"2023-01-18T19:13:15.991Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:11:24.686Z","description":"[Drinik](https://attack.mitre.org/software/S1054) has code to use Firebase Cloud Messaging for receiving C2 instructions.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f","type":"relationship","created":"2019-09-04T15:38:56.799Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CyberMerchants-FlexiSpy","url":"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html","description":"Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019."}],"modified":"2019-09-10T14:59:26.138Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can record video.(Citation: CyberMerchants-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf","created":"2023-03-16T18:28:28.144Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:11:45.377Z","description":"On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. ","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f","created":"2023-08-23T22:17:13.986Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-23T22:17:13.986Z","description":"Security updates frequently contain patches to vulnerabilities. 
","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--be07d829-9a12-4d90-ad8c-9e56782af120","created":"2023-12-18T19:05:57.050Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:05:57.050Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can record audio using a device’s microphone.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--be136fd1-6949-4de6-be37-6d76f8def41a","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/","description":"Wenjun Hu, Cong Zheng and Zhi 
Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.","source_name":"PaloAlto-SpyDealer"}],"modified":"2019-10-15T19:37:21.366Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) harvests location data from victims.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--be17dc63-5b0a-491a-be5f-132058444c3a","type":"relationship","created":"2019-08-09T17:52:13.352Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"modified":"2019-08-09T17:52:31.877Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to take pictures using the device camera.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce","type":"relationship","created":"2019-09-04T14:28:15.975Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). 
Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2019-10-14T17:51:38.054Z","description":"[Monokle](https://attack.mitre.org/software/S0407) queries the device for metadata such as make, model, and power levels.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--be27a303-5748-4b72-ba69-a328e2f6cc08","type":"relationship","created":"2020-12-31T18:25:05.177Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020."}],"modified":"2020-12-31T18:25:05.177Z","description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can download new modules while running.(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--be39c012-7201-4757-8cd6-c855bc945a9e","type":"relationship","created":"2019-07-10T15:25:57.623Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"modified":"2019-08-12T17:30:07.568Z","description":"[FinFisher](https://attack.mitre.org/software/S0182) comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--a5528622-3a8a-4633-86ce-8cdaf8423858","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b","created":"2024-03-28T18:33:20.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:40:12.349Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate encrypted data to the C2 server.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--be7c3f83-b164-4d53-bfac-65f7437dabec","created":"2023-03-20T18:54:36.266Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:13:28.972Z","description":"The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. 
Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137","created":"2023-09-28T17:20:15.010Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:20:15.010Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can access external storage.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c","type":"relationship","created":"2020-06-26T14:55:13.380Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Cybereason 
EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020."}],"modified":"2020-06-26T14:55:13.380Z","description":"[EventBot](https://attack.mitre.org/software/S0478) dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. [EventBot](https://attack.mitre.org/software/S0478) also utilizes ProGuard to obfuscate the generated APK file.(Citation: Cybereason EventBot)","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CheckPoint-Charger","description":"Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.","url":"http://blog.checkpoint.com/2017/01/24/charger-malware/"}],"modified":"2019-10-09T14:51:42.827Z","description":"[Charger](https://attack.mitre.org/software/S0323) encodes strings into binary arrays to make it difficult to inspect them. 
It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.(Citation: CheckPoint-Charger)","relationship_type":"uses","source_ref":"malware--d1c600f8-0fb6-4367-921b-85b71947d950","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bee919a6-c488-49a0-9848-fff19aa2c276","type":"relationship","created":"2021-09-24T14:47:34.449Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-04T20:08:48.556Z","description":"Mobile security products can often detect rooted devices.","relationship_type":"mitigates","source_ref":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","target_ref":"attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bef936d5-736e-491a-9c30-37b8362a5d96","created":"2023-07-21T19:33:48.439Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:33:48.439Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can access device call logs.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2","created":"2023-09-28T17:19:51.110Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:19:51.110Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can access the device’s call log.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8","created":"2019-09-04T15:38:56.721Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FortiGuard-FlexiSpy","description":"K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.","url":"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:48:43.225Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) uses root access to establish reboot hooks to re-install the application from `/data/misc/adn`.(Citation: FortiGuard-FlexiSpy) At boot, [FlexiSpy](https://attack.mitre.org/software/S0408) spawns daemons for process monitoring, call monitoring, call managing, and system.(Citation: FortiGuard-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler-SpyNote","description":"Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.","url":"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}],"modified":"2019-10-10T15:24:09.355Z","description":"[SpyNote RAT](https://attack.mitre.org/software/S0305) can activate the victim's microphone.(Citation: Zscaler-SpyNote)","relationship_type":"uses","source_ref":"malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db","created":"2023-09-21T22:51:40.666Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T22:51:40.666Z","description":"[Pegasus for iOS](https://attack.mitre.org/software/S0289) can compromise iPhones running iOS 16.6 without any user interaction.","relationship_type":"uses","source_ref":"malware--33d9d91d-aad9-49d5-a516-220ce101ac8a","target_ref":"attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--bf901bab-3caa-4d05-a859-d9fb4d838304","type":"relationship","created":"2019-10-10T15:27:22.091Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","source_name":"Lookout-StealthMango"}],"modified":"2019-10-10T15:27:22.091Z","description":"[Tangelo](https://attack.mitre.org/software/S0329) accesses browser history, pictures, and videos.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--35aae10a-97c5-471a-9c67-02c231a7a31a","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bfad064a-0a49-44e3-b283-94653edc12af","created":"2023-08-07T17:13:04.270Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T17:13:04.270Z","description":"Mobile security products can often alert the user if their device is vulnerable to known exploits.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962","created":"2022-03-30T19:54:07.548Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Device attestation could detect devices with unauthorized or unsafe modifications. 
","modified":"2022-03-30T19:54:07.548Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0","created":"2023-03-15T16:39:32.117Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T21:00:59.182Z","description":"Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. ","relationship_type":"detects","source_ref":"x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c00031dd-0466-4fd2-9724-ab1c04232bad","created":"2023-03-20T18:44:40.722Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:28:27.010Z","description":"Application vetting services can detect unnecessary and potentially abused API 
calls.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--498e7b81-238d-404c-aa5e-332904d63286","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95","type":"relationship","created":"2019-10-18T15:51:48.525Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2019-10-18T15:51:48.525Z","description":"Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c056b1d4-c70b-403e-b396-18840865ca7d","created":"2024-02-20T23:50:47.088Z","revoked":false,"external_references":[{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:50:47.088Z","description":"[Exobot](https://attack.mitre.org/software/S0522) can obtain the device’s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c0f03d23-03d6-4457-b783-792d1b8f2994","created":"2024-08-20T19:09:27.377Z","revoked":false,"external_references":[{"source_name":"mandiant_apt44_unearthing_sandworm","description":"Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024.","url":"https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-08-20T19:09:27.377Z","description":"[Sandworm Team](https://attack.mitre.org/groups/G0034) can collect encrypted Telegram and Signal communications.(Citation: mandiant_apt44_unearthing_sandworm)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c","created":"2022-04-06T15:52:07.805Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:52:07.805Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e","target_ref":"attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd","created":"2020-12-24T21:41:37.047Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign)","modified":"2022-04-18T16:04:02.127Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c1512591-7440-4a69-93b9-fe439a4c197e","created":"2022-03-28T19:40:40.860Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-28T19:40:40.860Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","target_ref":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c16c7904-3c85-49de-a0f4-872f4227d775","created":"2023-10-10T15:33:59.143Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList - ViceLeaker 2019","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:59.143Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) was embedded into legitimate applications using Smali injection.(Citation: SecureList - ViceLeaker 2019)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6","created":"2023-07-21T19:36:09.214Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:36:09.214Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can take photos using the device cameras.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6","created":"2024-03-01T18:54:39.815Z","revoked":false,"external_references":[{"source_name":"Leonard TAG 2023","description":"Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. 
Retrieved March 1, 2024.","url":"https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-01T18:54:39.815Z","description":"[Sandworm Team](https://attack.mitre.org/groups/G0034) used SMS-based phishing to target victims with malicious links.(Citation: Leonard TAG 2023)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c1cafa91-9891-4e65-b75d-d83ef6838653","created":"2023-12-18T18:13:02.691Z","revoked":false,"external_references":[{"source_name":"cleafy_brata_0122","description":"Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.","url":"https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:13:02.691Z","description":"[BRATA](https://attack.mitre.org/software/S1094) can use tailored overlay pages to steal PINs for banking applications.(Citation: cleafy_brata_0122)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd","created":"2023-03-20T15:40:11.819Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:13:31.468Z","description":"On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c23d9eff-1d4e-479f-a114-acc535540a23","created":"2023-03-20T18:46:51.895Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:29:07.329Z","description":"Application vetting services can detect unnecessary and potentially abused permissions.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--498e7b81-238d-404c-aa5e-332904d63286","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad","created":"2021-10-01T14:42:49.159Z","x_mitre_version":"1.0","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021."}],"x_mitre_deprecated":false,"revoked":false,"description":"[BusyGasper](https://attack.mitre.org/software/S0655) can utilize the device’s sensors to determine when the device is in use and subsequently hide malicious activity. 
When active, it attempts to hide its malicious activity by turning the screen’s brightness as low as possible and muting the device.(Citation: SecureList BusyGasper)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae","type":"relationship","created":"2021-02-17T20:43:52.407Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020."}],"modified":"2021-02-17T20:43:52.407Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has gathered the device manufacturer, model, and serial number.(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d","created":"2023-12-18T19:05:04.764Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:05:04.764Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can obtain device info such as manufacturer, device ID, OS version, and country.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b","created":"2023-08-14T16:35:55.610Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:35:55.610Z","description":"Many properly configured firewalls may naturally block one-way command and control traffic.","relationship_type":"detects","source_ref":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","target_ref":"attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4","created":"2020-09-15T15:18:12.362Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason FakeSpy","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:31:30.741Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can collect SMS messages.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396","created":"2023-03-20T18:40:12.814Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:15:46.818Z","description":"The user can view a list of active device administrators in the device settings.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6","type":"relationship","created":"2020-10-29T17:48:27.332Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Exobot","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020."}],"modified":"2020-10-29T17:48:27.332Z","description":"[Exobot](https://attack.mitre.org/software/S0522) can obtain the device’s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c374c9ce-ff30-4daa-bdec-8015a507746a","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/","description":"Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.","source_name":"Kaspersky-Skygofree"}],"modified":"2019-08-09T18:08:07.145Z","description":"[Skygofree](https://attack.mitre.org/software/S0327) has a capability to obtain files from other installed applications.(Citation: Kaspersky-Skygofree)","relationship_type":"uses","source_ref":"malware--3a913bac-4fae-4d0e-bca8-cae452f1599b","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d","created":"2023-03-15T16:34:51.794Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:43:05.577Z","description":"Application vetting services could closely scrutinize applications that request Device Administrator 
permissions.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619","created":"2023-03-20T18:44:04.803Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:59:29.793Z","description":"On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:41:16.871Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"revoked-by","source_ref":"attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2","target_ref":"attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c40cba48-7714-4d03-b748-cadd03360e7a","created":"2024-02-20T23:55:33.981Z",
"revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:55:33.981Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c41d817e-913e-4574-b8d4-370de9f0034b","created":"2019-11-18T14:47:25.327Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Triada June 2019","description":"Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.","url":"https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"},{"source_name":"Kaspersky Triada March 2016","description":"Snow, J. (2016, March 3). Triada: organized crime on Android. 
Retrieved July 16, 2019.","url":"https://www.kaspersky.com/blog/triada-trojan/11481/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:19:16.331Z","description":"[Triada](https://attack.mitre.org/software/S0424) injects code into the Zygote process to effectively include itself in all forked processes. Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada March 2016)","relationship_type":"uses","source_ref":"malware--f082fc59-0317-49cf-971f-a1b6296ebb52","target_ref":"attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77","created":"2022-04-06T15:52:41.579Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:52:41.579Z","relationship_type":"revoked-by","source_ref":"attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb","created":"2023-03-20T18:43:03.537Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T21:11:29.381Z","description":"Mobile security products can detect which applications can request device administrator permissions. 
Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76","created":"2023-03-20T18:42:18.058Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T21:12:52.481Z","description":"The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. ","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd","type":"relationship","created":"2020-05-04T14:04:56.214Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Google Bread","url":"https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html","description":"A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020."}],"modified":"2020-05-04T15:40:21.076Z","description":"[Bread](https://attack.mitre.org/software/S0432) has used native code in an attempt to disguise malicious functionality.(Citation: Google Bread)","relationship_type":"uses","source_ref":"malware--108b2817-bc01-404e-8e1b-8cdeec846326","target_ref":"attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a","created":"2023-10-10T15:33:57.823Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Securelist Asacub","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:57.823Z","description":"[Asacub](https://attack.mitre.org/software/S0540) has masqueraded as a client of popular free ads services.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4","type":"relationship","created":"2020-09-11T15:57:37.770Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecurityIntelligence TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. 
(2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020."}],"modified":"2020-09-11T15:57:37.770Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can delete SMS messages.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c","created":"2021-01-05T20:16:20.508Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler TikTok Spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:40:43.898Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect the device’s call logs.(Citation: Zscaler TikTok 
Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:41:33.832Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"revoked-by","source_ref":"attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16","target_ref":"attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687","created":"2023-10-10T15:33:58.973Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CheckPoint SimBad 2019","description":"Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.","url":"https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.973Z","description":"[SimBad](https://attack.mitre.org/software/S0419) was embedded into legitimate applications.(Citation: CheckPoint SimBad 2019)","relationship_type":"uses","source_ref":"malware--f79c01eb-2954-40d8-a819-00b342f47ce7","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--c574251b-93ad-4f55-8b84-2700dfab4622","created":"2020-07-15T20:20:59.280Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender Mandrake","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:45:27.443Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can hide its icon on older Android versions.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c","type":"relationship","created":"2019-09-04T15:38:56.946Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"FlexiSpy-Features","url":"https://www.flexispy.com/en/features-overview.htm","description":"FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019."}],"modified":"2019-09-10T14:59:26.136Z","description":" [FlexiSpy](https://attack.mitre.org/software/S0408) can retrieve a list of installed applications.(Citation: FlexiSpy-Features) ","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429","created":"2022-04-01T18:51:28.859Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Security updates frequently contain patches to vulnerabilities that can be exploited for root access.","modified":"2022-04-01T18:51:28.859Z","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2","type":"relationship","created":"2019-11-21T16:42:48.497Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList - ViceLeaker 2019","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019."}],"modified":"2019-11-21T16:42:48.497Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) can take photos from both the front and back cameras.(Citation: SecureList - ViceLeaker 2019)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33","created":"2023-03-20T19:00:09.608Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:11:30.820Z","description":"Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.","relationship_type":"detects","source_ref":"x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081","type":"relationship","created":"2019-09-04T14:28:16.000Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2019-09-04T14:32:12.856Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can track the device's location.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c6464a84-e23b-412f-b435-5b23853d3643","created":"2020-09-14T13:35:45.909Z","x_mitre_version":"1.0","external_references":[{"source_name":"ESET-Twitoor","url":"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/","description":"ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Twitoor](https://attack.mitre.org/software/S0302) encrypts its C2 communication.(Citation: ESET-Twitoor)","modified":"2022-04-20T12:58:23.550Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c","target_ref":"attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler-SuperMarioRun","description":"Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 – DroidJack RAT. 
Retrieved January 20, 2017.","url":"https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:24:32.173Z","description":"[DroidJack](https://attack.mitre.org/software/S0320) captures call data.(Citation: Zscaler-SuperMarioRun)","relationship_type":"uses","source_ref":"malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695","type":"relationship","created":"2020-09-11T16:23:16.363Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Desert Scorpion","url":"https://blog.lookout.com/desert-scorpion-google-play","description":"A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020."}],"modified":"2020-09-11T16:23:16.363Z","description":"[Desert Scorpion](https://attack.mitre.org/software/S0505) can send SMS messages.(Citation: Lookout Desert Scorpion)","relationship_type":"uses","source_ref":"malware--3271c107-92c4-442e-9506-e76d62230ee8","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c6770405-985b-4e24-8b09-01bce16426da","created":"2024-03-26T16:17:26.152Z","revoked":false,"external_references":[{"source_name":"forcepoint_bitter","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.","url":"https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T16:17:26.152Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) collects the device’s location through GPS or through network settings.(Citation: forcepoint_bitter) ","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93","created":"2023-03-20T18:21:59.396Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:24:44.982Z","description":"Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.","relationship_type":"detects","source_ref":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8","created":"2024-03-26T18:42:43.070Z","revoked":false,"external_references":[{"source_name":"checkpoint_hamas_android_malware","description":"CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"},{"source_name":"sophos_android_apt_spyware","description":"Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231208015605/https://news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T18:42:43.070Z","description":"[APT-C-23](https://attack.mitre.org/groups/G1028) sends malicious links to victims to download the masqueraded application.(Citation: sophos_android_apt_spyware)(Citation: checkpoint_hamas_android_malware) ","relationship_type":"uses","source_ref":"intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f","created":"2020-06-24T18:24:35.707Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Project Zero Insomnia","description":"I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.","url":"https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:30:27.616Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) can extract the device’s keychain.(Citation: Google Project Zero Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9","created":"2023-12-18T19:04:11.534Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:04:11.534Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can register with the `CONNECTIVITY_CHANGE` and `WIFI_STATE_CHANGED` broadcast events to trigger further functionality.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2","created":"2023-03-20T18:48:39.857Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:56:56.738Z","description":"On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47","created":"2023-03-20T15:20:11.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Android-VerifiedBoot","description":"Android. (n.d.). Verified Boot. Retrieved December 21, 2016.","url":"https://source.android.com/security/verifiedboot/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T14:54:04.526Z","description":"Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android’s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c","created":"2024-02-21T22:05:29.733Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T22:05:29.733Z","description":"Ensure that traffic is encrypted to reduce adversaries’ ability to intercept, decrypt and manipulate traffic. 
","relationship_type":"mitigates","source_ref":"course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb","created":"2023-02-06T19:00:42.449Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:22:43.518Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can access a device's location.(Citation: 
lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd","created":"2022-04-01T15:03:02.553Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T15:03:02.553Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66","target_ref":"attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"Kaspersky-WUC","url":"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/","description":"Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Android/Chuli.A](https://attack.mitre.org/software/S0304) used SMS to receive command and control messages.(Citation: Kaspersky-WUC)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--d05f7357-4cbe-47ea-bf83-b8604226d533","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0","type":"relationship","created":"2021-10-01T14:42:48.728Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021."}],"modified":"2021-10-01T14:42:48.728Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c86918a3-6e41-4dfb-8b18-650fff596801","type":"relationship","created":"2020-09-11T16:22:03.207Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout ViperRAT","url":"https://blog.lookout.com/viperrat-mobile-apt","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T16:22:03.207Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c89d6493-3f33-4568-ac77-ba13b206ae69","created":"2023-03-20T18:52:24.667Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T22:24:12.960Z","description":"The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. ","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f","created":"2020-06-26T15:12:40.100Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ESET DEFENSOR ID","description":"L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.","url":"https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:49:00.042Z","description":"[DEFENSOR ID](https://attack.mitre.org/software/S0479) abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the `android.accessibilityservice.AccessibilityService` intent.(Citation: ESET DEFENSOR ID)","relationship_type":"uses","source_ref":"malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee","created":"2023-12-18T18:16:16.811Z","revoked":false,"external_references":[{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:16:16.811Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has been distributed using phishing techniques, such as push notifications from compromised websites.(Citation: securelist_brata_0819)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059","created":"2023-03-20T18:51:23.032Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-20T18:51:23.032Z","description":"","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9","created":"2022-03-28T19:32:05.234Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Application developers should be cautious when selecting third-party libraries to integrate into their 
application.","modified":"2022-03-28T19:32:05.234Z","relationship_type":"mitigates","source_ref":"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1","target_ref":"attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c943d462-fea7-4c01-88b2-de134153095b","created":"2023-03-20T18:56:37.473Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T22:09:50.728Z","description":"Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31","created":"2022-04-06T13:41:17.517Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T13:41:17.517Z","relationship_type":"revoked-by","source_ref":"attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb","target_ref":"attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"rela
tionship--c9769c36-d89b-40eb-92cb-8faa7d37a140","created":"2023-09-25T19:54:37.211Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T19:54:37.211Z","description":"When devices are enrolled in an EMM/MDM using device owner (iOS) or fully managed (Android) mode, the EMM/MDM can collect a list of installed applications on the device. An administrator can then act on, for example blocking, specific remote access applications from being installed on managed devices. ","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://www.wandera.com/reddrop-malware/","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.","source_name":"Wandera-RedDrop"}],"modified":"2019-10-15T19:27:27.997Z","description":"[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)","relationship_type":"uses","source_ref":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2","created":"2020-09-15T15:18:12.460Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason FakeSpy","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:58:31.945Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device’s network information.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1","created":"2024-02-21T21:05:12.760Z","revoked":false,"external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T21:05:12.760Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106","created":"2023-03-15T16:26:38.465Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:29:35.623Z","description":"Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ca486783-9413-4f39-8d2f-3adcb3e79127","type":"relationship","created":"2020-12-24T21:55:56.657Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-12-24T21:55:56.657Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has used an AES encrypted file in the assets folder with an unsuspecting name (e.g. ‘GoogleMusic.png’) for holding configuration and C2 information.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e","type":"relationship","created":"2019-09-23T13:36:08.386Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","source_name":"securelist rotexy 2018"}],"modified":"2019-09-23T13:36:08.386Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) collects the device's IMEI and sends it to the command and control server.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ca568149-9971-4d15-b3db-ff7dabd49695","created":"2023-07-21T19:37:16.030Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:37:16.030Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can capture keystrokes.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59","created":"2020-11-24T18:18:33.743Z","x_mitre_version":"1.0","external_references":[{"source_name":"Threat Fabric Exobot","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Exobot](https://attack.mitre.org/software/S0522) has used web injects to capture users’ credentials.(Citation: Threat Fabric Exobot)","modified":"2022-04-15T17:39:22.154Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506","type":"relationship","created":"2020-11-20T16:37:28.567Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020."}],"modified":"2020-11-20T16:37:28.567Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) has encrypted exfiltrated data using AES in ECB mode.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cacc0b72-9d73-4381-90e9-545ba908722c","type":"relationship","created":"2019-09-15T15:35:33.215Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Vitor Ventura. (2019, April 9). 
Gustuff banking botnet targets Australia . Retrieved September 3, 2019.","url":"https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html","source_name":"Talos Gustuff Apr 2019"}],"modified":"2019-09-15T15:35:33.215Z","description":"[Gustuff](https://attack.mitre.org/software/S0406) injects the global action `GLOBAL_ACTION_BACK` to mimic pressing the back button to close the application if a call to an open antivirus application is detected.(Citation: Talos Gustuff Apr 2019)","relationship_type":"uses","source_ref":"malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cb5465c0-a577-45b1-becf-305e0bd47497","created":"2023-08-23T22:49:18.075Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-23T22:49:18.075Z","description":"[Anubis](https://attack.mitre.org/software/S0422) may prevent malware's uninstallation by abusing Android’s ` performGlobalAction(int)` API call.","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f","created":"2023-07-21T19:42:12.649Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:42:12.649Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can inject malicious packages into applications already existing on an infected device.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c","created":"2022-04-01T18:48:03.156Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T18:48:03.156Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985","created":"2023-08-04T18:34:07.176Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:34:07.176Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate compressed ZIP files containing gathered info to C2 infrastructure.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1","created":"2020-10-29T17:48:27.175Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:18:05.613Z","description":"[Exobot](https://attack.mitre.org/software/S0522) can lock the device with a password and permanently disable the screen.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cbf17fea-141e-44b8-831c-b3cc41066420","type":"relationship","created":"2021-01-20T16:01:19.409Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Trend Micro Anubis","url":"https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html","description":"K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021."}],"modified":"2021-01-20T16:01:19.409Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can download attacker-specified APK files.(Citation: Trend Micro Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cc0b8984-f561-4453-a2be-9be8bd62561e","created":"2023-09-28T17:21:45.855Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. 
(2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:21:45.855Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can monitor a device’s notifications.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cc345ae4-0d60-4f21-98b3-596c15118745","created":"2023-02-06T19:42:46.814Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:38:03.367Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can send SMS messages.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a","created":"2019-11-21T19:16:34.796Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CheckPoint SimBad 2019","description":"Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.","url":"https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:45:42.081Z","description":"[SimBad](https://attack.mitre.org/software/S0419) hides its icon from the application launcher.(Citation: CheckPoint SimBad 2019)","relationship_type":"uses","source_ref":"malware--f79c01eb-2954-40d8-a819-00b342f47ce7","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398","created":"2024-02-20T23:48:31.513Z","revoked":false,"external_references":[{"source_name":"TrendMicro Coronavirus Updates","description":"T. Bao, J. 
Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:48:31.513Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cc49561f-8364-4908-9111-ad3a6dcd922c","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2018-10-17T00:14:20.652Z","relationship_type":"revoked-by","source_ref":"attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799","target_ref":"attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d","type":"relationship","created":"2021-02-08T16:36:20.774Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"BlackBerry 
Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."}],"modified":"2021-05-24T13:16:56.495Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application’s launcher icon file.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--cc81b56c-cf73-4307-b950-e80246985195","created":"2019-10-18T14:50:57.473Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"OS security updates typically contain exploit patches when disclosed.","modified":"2022-03-28T19:20:44.337Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ccb6f906-a785-4695-91a5-f1bc210892dc","created":"2023-08-04T18:35:55.269Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). 
Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:35:55.269Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate collected data as a ZIP file.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cce1848e-5f32-429a-8c9d-e32367052675","created":"2024-03-26T16:15:44.920Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"blackberry_mobile_malware_apt_esp","description":"BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. Retrieved March 1, 2024.","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf"},{"source_name":"forcepoint_bitter","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.","url":"https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-04T17:32:51.808Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) masquerades as legitimate applications.(Citation: forcepoint_bitter)(Citation: blackberry_mobile_malware_apt_esp) ","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cce49043-52b0-407c-b4f0-0f4727351d4b","created":"2024-01-26T17:36:52.812Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"checkpoint_flixonline_0421","description":"Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.","url":"https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-19T18:33:11.697Z","description":"[FlixOnline](https://attack.mitre.org/software/S1103) requests overlay permissions, which can allow it to create fake Login screens for other apps.(Citation: checkpoint_flixonline_0421)","relationship_type":"uses","source_ref":"malware--0ec9593f-3221-49b1-b597-37f307c19f13","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c","type":"relationship","created":"2019-12-10T16:07:41.078Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList DVMap June 2017","url":"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/","description":"R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019."}],"modified":"2019-12-10T16:07:41.078Z","description":"[Dvmap](https://attack.mitre.org/software/S0420) attempts to gain root access by using local exploits.(Citation: SecureList DVMap June 2017)","relationship_type":"uses","source_ref":"malware--22b596a6-d288-4409-8520-5f2846f85514","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cce82a76-5390-473d-9e7c-9450d1509d1d","type":"relationship","created":"2020-07-15T20:20:59.314Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.314Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can download its second (Loader) and third (Core) stages after the dropper is installed.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac","type":"relationship","created":"2020-01-27T17:05:58.237Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). 
Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:05:58.237Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device’s battery level, network operator, connection information, sensor information, and information about the device’s storage and memory.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328","created":"2022-03-30T19:34:09.377Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T19:34:09.377Z","relationship_type":"revoked-by","source_ref":"attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"PaloAlto-SpyDealer","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.","url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:53:53.384Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) harvests contact lists from victims.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3","type":"relationship","created":"2020-01-27T17:05:58.215Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:05:58.215Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of running processes.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--cd7a2294-1e14-42e8-b870-d99d73443b88","created":"2022-04-01T12:37:42.068Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them. 
","modified":"2022-04-01T12:37:42.068Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c","created":"2023-03-20T18:51:29.814Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:08:59.640Z","description":"Application vetting services could potentially detect the usage of APIs intended for suppressing the application’s icon.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca","created":"2023-03-20T18:58:19.895Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:34:37.498Z","description":"Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cda58372-ae70-4716-8baf-cc06cb884ad6","type":"relationship","created":"2020-12-24T22:04:28.015Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:28.015Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of installed application names.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357","type":"relationship","created":"2020-12-17T20:15:22.408Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019."}],"modified":"2020-12-17T20:15:22.408Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can track the device’s location.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cde60121-3d7c-47c8-abeb-582854425599","type":"relationship","created":"2020-07-20T13:27:33.512Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020."}],"modified":"2020-08-10T21:57:54.531Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can update the running malware.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cdf06664-903e-499b-86b4-b7bcce3c0740","created":"2023-09-28T17:20:27.451Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:20:27.451Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can modify, send, and delete SMS messages.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625","created":"2022-03-31T16:33:55.074Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-31T16:33:55.074Z","relationship_type":"revoked-by","source_ref":"attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2","target_ref":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef","created":"2020-07-27T14:14:56.993Z","x_mitre_version":"1.0","external_references":[{"source_name":"Google Security Zen","url":"https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html","description":"Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads.(Citation: Google Security Zen)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--22faaa56-a8ac-4292-9be6-b571b255ee40","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b","created":"2023-03-20T15:56:47.307Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:31:45.237Z","description":"The user can see which applications are registered as device administrators in the device settings.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ce645a25-160f-443d-b288-fdd108b78a06","created":"2020-09-11T16:22:03.269Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout ViperRAT","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/viperrat-mobile-apt"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:41:00.652Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device’s call log.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe","created":"2017-10-25T14:48:53.746Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"A locked bootloader could prevent unauthorized modifications to protected operating system files. ","modified":"2022-03-30T20:07:33.678Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58","target_ref":"attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd","type":"relationship","created":"2019-07-10T15:35:43.699Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-08-09T18:06:11.839Z","description":"[Pallas](https://attack.mitre.org/software/S0399) captures audio from the device microphone.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--cea30219-a255-43ae-b731-9512c5044523","created":"2022-04-18T19:46:02.547Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-18T19:46:02.547Z","relationship_type":"revoked-by","source_ref":"attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c","type":"relationship","created":"2020-01-27T17:05:58.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:05:58.273Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can record audio and phone calls.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a","type":"relationship","created":"2019-08-09T17:53:48.716Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/","description":"Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.","source_name":"TrendMicro-RCSAndroid"}],"modified":"2019-08-09T17:53:48.716Z","description":"[RCSAndroid](https://attack.mitre.org/software/S0295) can capture photos using the front and back cameras.(Citation: TrendMicro-RCSAndroid)","relationship_type":"uses","source_ref":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c","created":"2023-09-28T17:21:26.448Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). 
Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:21:26.448Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can use VNC to remotely control an infected device.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca","created":"2019-09-03T19:45:48.510Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SWB Exodus March 2019","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019.","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:10:15.827Z","description":"[Exodus](https://attack.mitre.org/software/S0405) Two collects a list of nearby base stations.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263","created":"2023-03-15T16:23:59.107Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:29:32.423Z","description":"When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. ","relationship_type":"detects","source_ref":"x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456","target_ref":"attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cf696296-751a-41e5-a9b0-907c7b991b2a","created":"2023-09-22T19:14:54.719Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T19:14:54.719Z","description":"Application vetting services may detect API calls for deleting files. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8","created":"2024-02-20T23:57:43.867Z","revoked":false,"external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:57:43.867Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5","created":"2023-07-12T20:35:36.527Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-12T20:35:36.527Z","description":"Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged 
apps.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky-WUC","description":"Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.","url":"https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:54:13.685Z","description":"[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole contact list data stored both on the the phone and the SIM card.(Citation: Kaspersky-WUC)","relationship_type":"uses","source_ref":"malware--d05f7357-4cbe-47ea-bf83-b8604226d533","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d01b311d-8741-4b58-b127-88fecb2b0544","created":"2020-04-08T15:41:19.448Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.112Z","description":"[Anubis](https://attack.mitre.org/software/S0422) has a keylogger that works in every application installed on the device.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d056308f-dca7-493e-b152-6f77fa13155d","created":"2023-12-18T18:17:05.285Z","revoked":false,"external_references":[{"source_name":"securelist_brata_0819","description":"Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.","url":"https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:17:05.285Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has collected account information from compromised devices.(Citation: securelist_brata_0819)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e","created":"2023-09-21T19:37:30.610Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T19:37:30.610Z","description":"Some mobile security products offer a loopback VPN used for inspecting traffic. 
This could proactively block traffic to websites that are known for phishing or appear to be conducting a phishing attack.","relationship_type":"mitigates","source_ref":"course-of-action--78671282-26aa-486c-a7a5-5921e1616b58","target_ref":"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad","created":"2022-04-05T19:45:03.117Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T19:45:03.117Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","target_ref":"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2","type":"relationship","created":"2020-09-11T15:53:38.453Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"securelist rotexy 2018","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019."}],"modified":"2020-09-11T15:53:38.453Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) can automatically reply to SMS messages, and optionally delete them.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b","type":"relationship","created":"2020-12-24T21:45:56.981Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:45:56.981Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) has access to the device’s location.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d","type":"relationship","created":"2020-01-21T15:30:39.335Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Monokle","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019."}],"modified":"2020-01-21T15:30:39.335Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can download attacker-specified files.(Citation: Lookout-Monokle) ","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d1318f71-7f70-4820-a3fc-0d05af038733","created":"2021-10-01T14:42:49.154Z","x_mitre_version":"1.0","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. 
Retrieved October 1, 2021."}],"x_mitre_deprecated":false,"revoked":false,"description":"[BusyGasper](https://attack.mitre.org/software/S0655) can perform actions when one of two hardcoded magic SMS strings is received.(Citation: SecureList BusyGasper)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d13724d0-a5e2-433b-86bf-ead04359edec","created":"2022-04-01T15:13:10.022Z","x_mitre_version":"0.1","external_references":[{"source_name":"iOS Universal Links","url":"https://developer.apple.com/ios/universal-links/","description":"Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020."},{"source_name":"Android App Links","url":"https://developer.android.com/training/app-links/verify-site-associations","description":"Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020."},{"source_name":"IETF-PKCE","url":"https://tools.ietf.org/html/rfc7636","description":"N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. 
","modified":"2022-04-01T15:13:10.022Z","relationship_type":"mitigates","source_ref":"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1","target_ref":"attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d170a088-b115-4a86-b093-8aa32666a470","created":"2023-03-15T16:39:55.148Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T21:04:21.890Z","description":"On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. ","relationship_type":"detects","source_ref":"x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3","created":"2023-02-28T20:31:31.983Z","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T20:31:31.983Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can intercept SMS messages and USSD messages from Telcom operators.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e","created":"2023-09-22T19:15:22.670Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-22T19:15:22.670Z","description":"Mobile security products can detect which applications can request device administrator permissions. 
Application vetting services could be extra scrutinous of applications that request device administrator permissions.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e","type":"relationship","created":"2019-09-03T19:45:48.489Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019."}],"modified":"2019-09-11T13:25:19.128Z","description":"[Exodus](https://attack.mitre.org/software/S0405) Two can extract the GPS coordinates of the device.(Citation: SWB Exodus March 2019)","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc","created":"2019-09-04T14:28:15.412Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:19:04.639Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can retrieve calendar event information including the event name, when and where it is taking place, and the description.(Citation: Lookout-Monokle) ","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d2749285-47d9-44a4-962f-9215e6fb580e","created":"2020-10-29T17:48:27.380Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:54:30.569Z","description":"[Exobot](https://attack.mitre.org/software/S0522) can access the device’s contact list.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38","created":"2022-04-01T18:43:25.764Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.","modified":"2022-04-01T18:43:25.764Z","relationship_type":"mitigates","source_ref":"course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d300eb82-5ca0-48aa-a45f-d34242545e27","created":"2022-03-30T15:08:28.814Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Device attestation could detect unauthorized operating system modifications. 
","modified":"2022-03-30T15:08:28.814Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d32003ba-959b-4377-aa04-f75275c32abf","created":"2019-07-16T14:33:12.144Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Google Triada June 2019","description":"Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.","url":"https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:40:27.131Z","description":"[Triada](https://attack.mitre.org/software/S0424) utilized HTTP to exfiltrate data through POST requests to the command and control server.(Citation: Google Triada June 2019) ","relationship_type":"uses","source_ref":"malware--f082fc59-0317-49cf-971f-a1b6296ebb52","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb","created":"2020-09-11T16:22:03.294Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout ViperRAT","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/viperrat-mobile-apt"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:58:57.686Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device’s cell tower information.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c","created":"2023-10-10T15:33:58.621Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason FakeSpy","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.621Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) masquerades as local postal service applications.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc","created":"2024-02-21T20:50:38.266Z","revoked":false,"external_references":[{"source_name":"TrendMicro Coronavirus Updates","description":"T. Bao, J. Lu. 
(2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T20:50:38.266Z","description":"[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)","relationship_type":"uses","source_ref":"malware--366c800f-97a8-48d5-b0a6-79d00198252a","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d3d901d7-1ddd-476c-af65-15a1affc422f","created":"2024-03-26T19:03:58.841Z","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T19:03:58.841Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) can capture pictures and videos.(Citation: fb_arid_viper)","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d3e06522-2a30-4d56-801e-9461178b80ce","created":"2021-01-05T20:16:20.412Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler TikTok Spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:45:54.913Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can hide its icon after launch.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0","created":"2023-02-06T19:42:34.537Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-11T22:08:03.095Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can resist removal by going to the home screen during uninstall.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86","created":"2023-03-20T15:16:43.275Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Samsung Knox Mobile Threat Defense","description":"Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.","url":"https://partner.samsungknox.com/mtd"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T22:12:07.772Z","description":"Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d4154247-90ce-43b9-8c17-5c28f67617f5","type":"relationship","created":"2020-12-24T21:55:56.747Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:55:56.747Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed browser history, as well as the files for 15 other apps.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be","created":"2024-02-21T00:01:21.483Z","revoked":false,"external_references":[{"source_name":"Lookout ViperRAT","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.","url":"https://blog.lookout.com/viperrat-mobile-apt"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T00:01:21.483Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c","created":"2023-03-03T16:24:30.564Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:24:30.564Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has hijacked normal application’s launch routines to display ads.(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d4a5a902-231e-4878-ad5b-39620498b018","type":"relationship","created":"2019-09-04T14:28:15.941Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2019-09-04T14:32:12.589Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can record audio from the device's microphone and can record phone calls, specifying the output audio quality.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c","type":"relationship","created":"2020-12-18T20:14:47.381Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020."}],"modified":"2020-12-28T18:59:33.140Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device’s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Xiao-ZergHelper","description":"Claud Xiao. (2016, February 21). Pirated iOS App Store’s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.","url":"http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[ZergHelper](https://attack.mitre.org/software/S0287) attempts to extend its capabilities via dynamic updating of its code.(Citation: Xiao-ZergHelper)","relationship_type":"uses","source_ref":"malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb","created":"2023-03-20T18:58:14.140Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:06:44.919Z","description":"The user can review which applications have location permissions in 
the operating system’s settings menu.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078","created":"2023-08-04T18:32:39.763Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:32:39.763Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can access a device’s camera and take photos.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d562ed4d-ac4d-476b-872e-9e228c580889","type":"relationship","created":"2020-11-20T16:37:28.506Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Symantec 
GoldenCup","url":"https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans","description":"R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020."}],"modified":"2020-11-20T16:37:28.506Z","description":"[Golden Cup](https://attack.mitre.org/software/S0535) can obtain a list of installed applications.(Citation: Symantec GoldenCup)","relationship_type":"uses","source_ref":"malware--f3975cc0-72bc-4308-836e-ac701b83860e","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a","type":"relationship","created":"2020-11-10T17:08:35.713Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-11-10T17:08:35.713Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) can collect notes and data from the MiCode app.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d59da983-c521-47b6-83ab-435f7d58611d","created":"2019-11-21T16:42:48.493Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecureList - ViceLeaker 2019","description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"},{"source_name":"Bitdefender - Triout 2018","description":"L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.","url":"https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:12:57.861Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP requests for C2 communication.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a","created":"2023-03-03T16:25:09.978Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:25:09.978Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.(Citation: paloalto_yispecter_1015) ","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5","type":"relationship","created":"2020-11-24T17:55:12.897Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.897Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can collect the user’s browser cookies.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d63de13b-0253-42f4-b13d-34bccf76ad94","created":"2023-03-20T18:54:50.323Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T15:01:30.483Z","description":"Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898","created":"2019-09-04T14:28:16.414Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:41:16.423Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can retrieve call history.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d64c4924-76f0-4b2e-858d-b0df733334d0","created":"2023-02-06T19:03:11.265Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:23:09.430Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can modify system settings to give itself device administrator privileges.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71","created":"2022-03-30T20:53:54.296Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T20:53:54.296Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","target_ref":"attack-pattern--498e7b81-238d-404c-aa5e-332904d63286","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7","created":"2023-03-20T15:16:28.177Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T22:17:39.302Z","description":"Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious 
shells.","relationship_type":"detects","source_ref":"x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1","target_ref":"attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d6be8665-afbb-4be5-a56a-493af01b120a","created":"2022-03-30T15:52:29.935Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Mobile security products can potentially detect jailbroken or rooted devices.","modified":"2022-03-30T15:52:29.935Z","relationship_type":"mitigates","source_ref":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4","type":"relationship","created":"2021-02-17T20:43:52.413Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020."}],"modified":"2021-02-17T20:43:52.413Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has compressed and encrypted data before exfiltration using password protected .7z archives.(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55","type":"relationship","created":"2020-04-24T17:46:31.603Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecurityIntelligence TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020."}],"modified":"2020-04-24T17:46:31.603Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can steal pictures from the device.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383","created":"2022-04-05T20:17:46.149Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T20:17:46.149Z","relationship_type":"revoked-by","source_ref":"attack-pattern--393e8c12-a416-4575-ba90-19cc85656796","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5","created":"2023-03-20T18:50:21.296Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T16:32:32.957Z","description":"Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0","type":"relationship","created":"2020-12-24T21:55:56.692Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-12-24T21:55:56.692Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.(Citation: Lookout Uyghur 
Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d716163d-2492-4088-9235-b2310312ba27","created":"2022-04-06T15:44:48.422Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:44:48.422Z","relationship_type":"revoked-by","source_ref":"attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d71fab20-a56c-4404-a65d-aaa37056f16e","created":"2022-04-01T15:16:16.027Z","x_mitre_version":"0.1","external_references":[{"source_name":"Trend Micro iOS URL Hijacking","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/","description":"L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. 
Retrieved September 11, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.","modified":"2022-04-01T15:16:16.027Z","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d724bcf3-25d2-406a-b612-333fea5e2385","created":"2020-10-29T17:48:27.440Z","x_mitre_version":"1.0","external_references":[{"source_name":"Threat Fabric Exobot","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Exobot](https://attack.mitre.org/software/S0522) can show phishing popups when a targeted application is running.(Citation: Threat Fabric Exobot)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2","created":"2022-04-08T16:29:55.322Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-08T16:29:55.322Z","relationship_type":"revoked-by","source_ref":"attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6","target_ref":"attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d7aa436a-e66d-4217-be66-4414703dec07","type":"relationship","created":"2020-11-10T17:08:35.634Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-11-10T17:08:35.634Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:27:01.081Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to modify the device's system partition.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d7ca70d4-2006-4252-b243-e52be760e24d","created":"2022-04-01T13:26:39.773Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Access to SMS messages is an uncommonly needed permission, so users 
should be instructed to use extra scrutiny when granting access to their SMS messages. ","modified":"2022-04-01T13:26:39.773Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1","created":"2019-09-04T15:38:56.809Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CyberMerchants-FlexiSpy","description":"Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.","url":"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:37:35.704Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can delete data from a compromised device.(Citation: CyberMerchants-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37","type":"relationship","created":"2020-05-07T15:24:49.583Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2020-05-27T13:23:34.544Z","description":"Many vulnerabilities related to injecting code into existing applications have been patched in previous Android 
releases.","relationship_type":"mitigates","source_ref":"course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564","target_ref":"attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"ArsTechnica-HummingBad","description":"Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.","url":"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[HummingBad](https://attack.mitre.org/software/S0322) can exploit unfixed vulnerabilities in older Android versions to root victim phones.(Citation: ArsTechnica-HummingBad)","relationship_type":"uses","source_ref":"malware--c8770c81-c29f-40d2-a140-38544206b2b4","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157","created":"2023-08-23T22:18:21.774Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-23T22:18:21.774Z","description":"Network traffic analysis may reveal processes communicating with malicious domains. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d886f368-a38b-4cb3-906f-9b284f58b369","type":"relationship","created":"2019-12-10T16:07:41.066Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList DVMap June 2017","url":"https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/","description":"R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019."}],"modified":"2019-12-10T16:07:41.066Z","description":"[Dvmap](https://attack.mitre.org/software/S0420) decrypts executables from archive files stored in the `assets` directory of the installation binary.(Citation: SecureList DVMap June 2017)","relationship_type":"uses","source_ref":"malware--22b596a6-d288-4409-8520-5f2846f85514","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab","type":"relationship","created":"2020-09-11T16:22:03.229Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout ViperRAT","url":"https://blog.lookout.com/viperrat-mobile-apt","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020."}],"modified":"2020-09-11T16:22:03.229Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can collect and record audio content.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.","source_name":"PaloAlto-SpyDealer"}],"modified":"2019-08-09T17:56:05.686Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7","type":"relationship","created":"2020-12-14T15:02:35.230Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Securelist Asacub","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/","description":"T. Shishkova. (2018, August 28). 
The rise of mobile banker Asacub. Retrieved December 14, 2020."}],"modified":"2020-12-14T15:02:35.230Z","description":"[Asacub](https://attack.mitre.org/software/S0540) has encrypted C2 communications using Base64-encoded RC4.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9","created":"2024-01-26T17:37:34.983Z","revoked":false,"external_references":[{"source_name":"checkpoint_flixonline_0421","description":"Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024.","url":"https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-01-26T17:37:34.983Z","description":"[FlixOnline](https://attack.mitre.org/software/S1103) can hide its application icon.(Citation: checkpoint_flixonline_0421)","relationship_type":"uses","source_ref":"malware--0ec9593f-3221-49b1-b597-37f307c19f13","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--d995dfff-e4b2-4e07-8e76-b064354f591a","created":"2022-04-01T12:49:32.365Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Calendar access is an 
uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. ","modified":"2022-04-01T12:49:32.365Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b","created":"2020-11-24T18:18:33.772Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Exobot","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:24:43.120Z","description":"[Exobot](https://attack.mitre.org/software/S0522) can request device administrator permissions.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--da424f3f-8a93-4a66-858c-b33f587108e6","type":"relationship","created":"2020-10-29T17:48:27.225Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric 
Exobot","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020."}],"modified":"2020-10-29T17:48:27.225Z","description":"[Exobot](https://attack.mitre.org/software/S0522) can obtain the device’s country and carrier name.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--da4296d7-5fdb-45b6-9791-b023d634c08d","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/","description":"Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.","source_name":"TrendMicro-RCSAndroid"}],"modified":"2019-08-09T17:53:48.760Z","description":"[RCSAndroid](https://attack.mitre.org/software/S0295) can record location.(Citation: TrendMicro-RCSAndroid)","relationship_type":"uses","source_ref":"malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa","created":"2023-08-14T16:19:34.080Z","revoked":false,"external_references":[{"source_name":"unit42_strat_aged_domain_det","description":"Chen, Z. et al. (2021, December 29). 
Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.","url":"https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/"},{"source_name":"Data Driven Security DGA","description":"Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.","url":"https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:19:34.080Z","description":"Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852","created":"2023-09-28T17:22:13.691Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:22:13.691Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can collect sensitive information, such as Google Authenticator codes.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--db1201f0-f925-4c3c-8673-7524a8c20886","type":"relationship","created":"2021-02-17T20:43:52.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout FrozenCell","url":"https://blog.lookout.com/frozencell-mobile-threat","description":"Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020."}],"modified":"2021-02-17T20:43:52.274Z","description":"[FrozenCell](https://attack.mitre.org/software/S0577) has recorded calls.(Citation: Lookout FrozenCell)","relationship_type":"uses","source_ref":"malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a","created":"2020-01-27T17:05:58.265Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Bouncing Golf 2019","description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:27:51.998Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device’s call log.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). 
Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"modified":"2019-08-09T17:52:31.748Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff","created":"2023-09-21T22:31:55.337Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-21T22:31:55.337Z","description":"Application vetting services may be able to list domains and/or IP addresses that applications communicate with.","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce","created":"2023-12-18T19:08:25.585Z","revoked":false,"external_references":[{"source_name":"welivesecurity_ahrat_0523","description":"Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.","url":"https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T19:08:25.585Z","description":"[AhRat](https://attack.mitre.org/software/S1095) can send SMS messages.(Citation: welivesecurity_ahrat_0523)","relationship_type":"uses","source_ref":"malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dbef53a9-f9c4-4582-8e93-349ad488de12","created":"2023-02-28T21:42:06.525Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cloudmark_tanglebot_0921","description":"Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.","url":"https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-29T21:27:42.197Z","description":"[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view call logs.(Citation: cloudmark_tanglebot_0921)","relationship_type":"uses","source_ref":"malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97","created":"2023-02-06T19:06:37.359Z","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-06T19:06:37.359Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can receive files from the C2 at runtime.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dc354395-cccf-471a-9335-8538ce20f1ec","created":"2023-07-21T19:33:28.471Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:33:28.471Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate SMS logs.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357","created":"2019-07-10T15:25:57.572Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:31:46.913Z","description":"[FinFisher](https://attack.mitre.org/software/S0182) captures and exfiltrates SMS messages.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--a5528622-3a8a-4633-86ce-8cdaf8423858","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dc70704a-54b3-4000-8c55-4919044de5c0","created":"2024-03-26T19:03:10.647Z","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T19:03:10.647Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) can exfiltrate the victim device’s contact list.(Citation: fb_arid_viper) ","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dc7ef843-a073-4e23-b717-c505d4863b02","created":"2023-03-20T18:53:58.856Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:27:15.979Z","description":"If the user sees a notification with text they do not recognize, they should review their list of installed applications.","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962","created":"2019-09-23T13:36:08.456Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"securelist rotexy 2018","description":"T. Shishkova, L. Pikman. (2018, November 22). 
The Rotexy mobile Trojan – banker and ransomware. Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T16:58:03.072Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, [Rotexy](https://attack.mitre.org/software/S0411) periodically switches off the phone screen to inhibit permission removal.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23","created":"2023-07-21T19:37:42.022Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:37:42.022Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can retrieve the list of installed applications.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8","created":"2023-01-18T19:58:00.503Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:57:14.522Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can use RC4 to encrypt C2 payloads.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b","created":"2020-07-15T20:20:59.307Z","x_mitre_version":"1.0","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Mandrake](https://attack.mitre.org/software/S0485) has used domain generation algorithms.(Citation: Bitdefender Mandrake)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--fd211238-f767-4599-8c0d-9dca36624626","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ddca1254-b404-4850-9566-0be35c6d7564","created":"2020-11-10T17:08:35.771Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:00:11.412Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device’s SMS and MMS messages.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e","created":"2022-03-30T19:29:07.379Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.","modified":"2022-03-30T19:29:07.379Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--de45db46-2251-4a29-b4d7-3fcf679e9484","created":"2019-09-04T15:38:56.877Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CyberMerchants-FlexiSpy","description":"Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.","url":"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"},{"source_name":"FlexiSpy-Features","description":"FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.","url":"https://www.flexispy.com/en/features-overview.htm"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:32:16.401Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can intercept SMS and MMS messages as well as monitor messages for keywords.(Citation: CyberMerchants-FlexiSpy)(Citation: FlexiSpy-Features)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--de4ecfa3-fa91-4377-810c-5c567de9688b","created":"2021-01-05T20:16:20.490Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler TikTok Spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:38:01.842Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can delete attacker-specified files.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6","created":"2022-04-05T19:54:12.660Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T19:54:12.660Z","relationship_type":"revoked-by","source_ref":"attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5","target_ref":"attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--de7e3a71-1152-481c-8e5c-88f53852cab6","created":"2022-04-01T15:16:53.239Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-01T15:16:53.239Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5","target_ref":"attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6
e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--def81edd-4410-47b2-a80f-d47b3f353f54","created":"2023-03-16T18:27:42.656Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T14:59:40.699Z","description":"Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--df036f55-f749-4dad-9473-d69535e0f98d","created":"2020-06-26T14:55:13.385Z","x_mitre_version":"1.0","external_references":[{"source_name":"Cybereason EventBot","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[EventBot](https://attack.mitre.org/software/S0478) can abuse Android’s accessibility service to record the screen PIN.(Citation: Cybereason EventBot)","modified":"2022-04-15T17:39:39.931Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--df07166f-917e-4bc4-899e-d689d1d3f785","created":"2023-10-10T15:33:58.104Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CheckPoint Agent Smith","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.104Z","description":"[Agent Smith](https://attack.mitre.org/software/S0440) can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. 
[Agent Smith](https://attack.mitre.org/software/S0440)'s dropper is a weaponized legitimate Feng Shui Bundle.(Citation: CheckPoint Agent Smith) ","relationship_type":"uses","source_ref":"malware--a6228601-03f6-4949-ae22-c1087627a637","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--df337ad4-c88e-425f-b869-ecac29674bf4","type":"relationship","created":"2021-03-25T16:39:40.200Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CYBERWARCON CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020."}],"modified":"2021-03-25T16:39:40.200Z","description":"(Citation: CYBERWARCON CHEMISTGAMES)","relationship_type":"uses","source_ref":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","target_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a","created":"2023-12-18T18:14:41.248Z","revoked":false,"external_references":[{"source_name":"mcafee_brata_0421","description":"Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.","url":"https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-18T18:14:41.248Z","description":"[BRATA](https://attack.mitre.org/software/S1094) has utilized commercial software packers.(Citation: mcafee_brata_0421)","relationship_type":"uses","source_ref":"malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4","target_ref":"attack-pattern--51636761-2e35-44bf-9e56-e337adf97174","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/","description":"Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.","source_name":"Kaspersky-Skygofree"}],"modified":"2019-08-09T18:08:07.144Z","description":"[Skygofree](https://attack.mitre.org/software/S0327) has the capability to exploit several known vulnerabilities and escalate privileges.(Citation: Kaspersky-Skygofree)","relationship_type":"uses","source_ref":"malware--3a913bac-4fae-4d0e-bca8-cae452f1599b","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b","created":"2023-12-05T22:17:58.874Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-12-05T22:17:58.874Z","description":"Mobile security products can potentially detect if a device is vulnerable to a known exploit and can alert the user to update their device. ","relationship_type":"mitigates","source_ref":"course-of-action--78671282-26aa-486c-a7a5-5921e1616b58","target_ref":"attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5","created":"2020-04-08T15:41:19.445Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Anubis","description":"K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.","url":"https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"},{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.113Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can retrieve the C2 address from Twitter and Telegram.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea","created":"2023-02-06T19:45:58.793Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-11T22:08:45.192Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) can use the open-source project RetroFit for C2 communication.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e012da15-7669-4764-ad9d-8a1d817bcca9","created":"2023-03-20T18:23:04.068Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:22:19.012Z","description":"Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar 
capabilities).","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e03b0eb5-32c6-4867-9235-77fe32192983","type":"relationship","created":"2019-09-04T15:38:56.916Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CyberMerchants-FlexiSpy","url":"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html","description":"Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019."}],"modified":"2019-09-10T14:59:26.071Z","description":" [FlexiSpy](https://attack.mitre.org/software/S0408) can track the device's location.(Citation: CyberMerchants-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e03b25b0-0779-48da-b5d7-28f1f6106363","type":"relationship","created":"2020-12-24T22:04:27.992Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:27.992Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has taken screenshots.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8","type":"relationship","created":"2020-09-24T15:34:51.433Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Dendroid","description":"Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/03/06/dendroid/"}],"modified":"2020-09-24T15:34:51.433Z","description":"[Dendroid](https://attack.mitre.org/software/S0301) can record audio and outgoing calls.(Citation: Lookout-Dendroid)","relationship_type":"uses","source_ref":"malware--317a2c10-d489-431e-b6b2-f0251fddc88e","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e","created":"2023-03-03T16:25:52.931Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:25:52.931Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about installed applications.(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler-SpyNote","description":"Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.","url":"https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:32:29.636Z","description":"[SpyNote RAT](https://attack.mitre.org/software/S0305) can read SMS messages.(Citation: Zscaler-SpyNote)","relationship_type":"uses","source_ref":"malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e0f58ab7-b246-4c41-9afc-89b582590809","type":"relationship","created":"2020-12-18T20:14:47.374Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020."}],"modified":"2020-12-18T20:14:47.374Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) can download additional modules at runtime via JavaScript `eval` statements.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e135cefa-f019-479d-86eb-438972df73e0","created":"2019-09-04T15:38:56.702Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"FortiGuard-FlexiSpy","description":"K. Lu. (n.d.). 
Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.","url":"https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:48:30.652Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) installs boot hooks into `/system/su.d`.(Citation: FortiGuard-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36","created":"2023-03-20T18:41:31.300Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T22:18:26.965Z","description":"Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.","relationship_type":"detects","source_ref":"x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e1fc106e-1671-4103-b767-47b52c9b0742","created":"2024-03-28T18:29:52.969Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). 
StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:40:23.283Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to access the device’s location.(Citation: welivesec_strongpity) ","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb","created":"2023-10-10T15:33:58.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro-XLoader-FakeSpy","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:58.272Z","description":"[XLoader for Android](https://attack.mitre.org/software/S0318) has masqueraded as an Android security application.(Citation: TrendMicro-XLoader-FakeSpy)","relationship_type":"uses","source_ref":"malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"type":"relationship","id":"relationship--e245e45a-71a8-408d-8f32-7b7337bffc26","created":"2023-01-18T19:19:58.007Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"cyble_drinik_1022","description":"Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved January 18, 2023.","url":"https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:10:23.208Z","description":"[Drinik](https://attack.mitre.org/software/S1054) can hide its application icon.(Citation: cyble_drinik_1022)","relationship_type":"uses","source_ref":"malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056","type":"relationship","created":"2020-12-24T22:04:27.919Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:27.919Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has extracted messages from chat programs, such as WeChat.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e29d91f0-ebee-481d-9344-702c90775109","type":"relationship","created":"2020-05-07T15:33:32.928Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"CheckPoint Agent Smith","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020."}],"modified":"2020-05-07T15:33:32.928Z","description":"[Agent Smith](https://attack.mitre.org/software/S0440) can inject fraudulent ad modules into existing applications on a device.(Citation: CheckPoint Agent Smith)","relationship_type":"uses","source_ref":"malware--a6228601-03f6-4949-ae22-c1087627a637","target_ref":"attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e2ee6825-43c2-441f-ba96-404a330a9059","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CheckPoint-Charger","description":"Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.","url":"http://blog.checkpoint.com/2017/01/24/charger-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:54:51.590Z","description":"[Charger](https://attack.mitre.org/software/S0323) steals contacts from the victim user's device.(Citation: CheckPoint-Charger)","relationship_type":"uses","source_ref":"malware--d1c600f8-0fb6-4367-921b-85b71947d950","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e","created":"2024-01-26T17:34:10.524Z","revoked":false,"external_references":[{"source_name":"checkpoint_flixonline_0421","description":"Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.","url":"https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-01-26T17:34:10.524Z","description":"[FlixOnline](https://attack.mitre.org/software/S1103) can automatically send replies to a user’s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421)","relationship_type":"uses","source_ref":"malware--0ec9593f-3221-49b1-b597-37f307c19f13","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb","created":"2020-11-10T17:08:35.846Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has used specially crafted SMS messages to control the target device.(Citation: Lookout Uyghur Campaign) ","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8","created":"2023-03-01T22:18:19.004Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:14:48.174Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can send contact lists to its C2 server.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e35b013b-89e8-41b3-a518-7737234ab71b","type":"relationship","created":"2020-01-27T17:05:58.312Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-01-27T17:05:58.312Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can take screenshots.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e39ee008-74d1-4669-b515-4d2bb97968c1","created":"2024-02-20T23:49:23.124Z","revoked":false,"external_references":[{"source_name":"Cybereason EventBot","description":"D. 
Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:49:23.124Z","description":"[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e3a961ec-8184-4143-b8c2-c33ea0503678","type":"relationship","created":"2020-09-24T15:34:51.315Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Dendroid","description":"Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/03/06/dendroid/"}],"modified":"2020-09-24T15:34:51.315Z","description":"[Dendroid](https://attack.mitre.org/software/S0301) can take photos and record videos.(Citation: Lookout-Dendroid)","relationship_type":"uses","source_ref":"malware--317a2c10-d489-431e-b6b2-f0251fddc88e","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e3d04885-95a5-47cb-a038-b58542cf787d","created":"2019-09-03T19:45:48.487Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SWB Exodus March 2019","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:08:39.524Z","description":"[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate the call log.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e4019493-bd52-4011-9355-8902be6ff3f3","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"PaloAlto-SpyDealer","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.","url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:49:19.083Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) registers the broadcast receiver to listen for events related to device boot-up.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a","created":"2024-02-20T22:05:26.922Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-26T20:12:58.081Z","description":"[Conceal Multimedia Files](https://attack.mitre.org/techniques/T1628/003) likely should not be mitigated with preventative controls because the `.nomedia` file may be used legitimately. ","relationship_type":"mitigates","source_ref":"course-of-action--76a32151-5233-465f-a607-7e576c62c932","target_ref":"attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e457921c-4a0b-4d6e-92e7-553929ddf943","created":"2023-02-06T18:51:14.919Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). 
Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:23:48.120Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can download and install additional malware after initial infection.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717","created":"2024-02-21T20:54:12.536Z","revoked":false,"external_references":[{"source_name":"Lookout-Monokle","description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T20:54:12.536Z","description":"[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532","created":"2023-02-06T19:46:43.041Z","revoked":false,"external_references":[{"source_name":"threatfabric_sova_0921","description":"ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.","url":"https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-06T19:46:43.041Z","description":"[S.O.V.A.](https://attack.mitre.org/software/S1062) has included adversary-in-the-middle capabilities.(Citation: threatfabric_sova_0921)","relationship_type":"uses","source_ref":"malware--4b53eb01-57d7-47b4-b078-22766b002b36","target_ref":"attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8","created":"2023-03-20T18:56:24.246Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:54:20.664Z","description":"Application vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e50c605a-0cdf-4316-bb49-2deccc69143f","created":"2024-03-26T16:19:01.439Z","revoked":false,"external_references":[{"source_name":"forcepoint_bitter","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.","url":"https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-26T16:19:01.439Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) can make phone calls.(Citation: forcepoint_bitter) ","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6","created":"2020-09-14T13:35:45.911Z","x_mitre_version":"1.0","external_references":[{"source_name":"ESET-Twitoor","url":"http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/","description":"ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Twitoor](https://attack.mitre.org/software/S0302) can be controlled via Twitter.(Citation: ESET-Twitoor)","modified":"2022-04-20T17:56:24.292Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c","target_ref":"attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e5922453-d9b1-472b-b947-b1eaa426a32e","created":"2024-02-20T23:46:46.698Z","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:46:46.698Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur 
Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb","created":"2020-12-24T22:04:28.024Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:41:54.548Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has collected call logs.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e5e4567e-05a3-4d79-beab-191efc336473","type":"relationship","created":"2020-01-27T17:05:58.333Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","source_name":"Trend Micro Bouncing Golf 2019"}],"modified":"2020-03-26T20:50:07.266Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--e3b936a4-6321-4172-9114-038a866362ec","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3","created":"2023-03-16T13:32:02.290Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-10T21:06:58.988Z","description":"Android applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.\n\nIn both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39","created":"2020-12-14T15:02:35.294Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Securelist Asacub","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:32:42.890Z","description":"[Asacub](https://attack.mitre.org/software/S0540) can collect SMS messages as they are received.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208","type":"relationship","created":"2020-07-20T13:27:33.546Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos-WolfRAT","url":"https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html","description":"W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020."}],"modified":"2020-08-10T21:57:54.537Z","description":"[WolfRAT](https://attack.mitre.org/software/S0489) can receive system notifications.(Citation: Talos-WolfRAT)","relationship_type":"uses","source_ref":"malware--dfdac962-9461-47f0-a212-36dfce2a97e6","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e7af5be1-721f-40c5-b647-659243a0a14b","created":"2020-04-08T15:41:19.321Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cofense Anubis","description":"M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.","url":"https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-09-25T15:03:05.114Z","description":"[Anubis](https://attack.mitre.org/software/S0422) can record phone calls and audio.(Citation: Cofense Anubis)","relationship_type":"uses","source_ref":"malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac","created":"2020-06-26T15:32:25.060Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Threat Fabric Cerberus","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:35:13.005Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) can uninstall itself from a device on command.(Citation: Threat Fabric Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e7b7e813-4867-46fe-bf86-6f367553d765","type":"relationship","created":"2019-11-21T16:42:48.456Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/","source_name":"SecureList - ViceLeaker 2019"},{"source_name":"Bitdefender - Triout 2018","url":"https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/","description":"L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020."}],"modified":"2020-01-21T14:20:50.455Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:12:22.002Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses contact list information.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--e8768455-4d0c-4e3c-a901-1fc871227745","created":"2022-03-30T17:54:56.603Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T17:54:56.603Z","relationship_type":"revoked-by","source_ref":"attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"NYTimes-BackDoor","description":"Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.","url":"https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:42:14.121Z","description":"[Adups](https://attack.mitre.org/software/S0309) transmitted call logs.(Citation: NYTimes-BackDoor)","relationship_type":"uses","source_ref":"malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e889782a-f66b-448e-a466-e55b1bce7b64","created":"2023-02-28T20:38:25.598Z","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T20:38:25.598Z","description":"[FluBot](https://attack.mitre.org/software/S1067) has encrypted C2 message bodies with RSA and encoded them in base64.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f","created":"2024-02-20T23:46:03.419Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-20T23:46:03.419Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card info, and Wi-Fi info.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d","created":"2020-12-17T20:15:22.496Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Palo Alto HenBox","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:55:35.453Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can access the device’s contact list.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e928c0ce-2b98-4af5-a990-f690f4306681","created":"2023-03-20T18:43:46.070Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T14:56:32.077Z","description":"Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b","created":"2023-09-28T17:21:15.893Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:21:15.893Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can collect application keylogs.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7","type":"relationship","created":"2019-08-07T15:57:13.388Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Kaspersky Riltok June 2019","url":"https://securelist.com/mobile-banker-riltok/91374/","description":"Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019."}],"modified":"2019-09-18T13:44:13.453Z","description":"[Riltok](https://attack.mitre.org/software/S0403) injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. 
It can also close or minimize targeted antivirus applications and the device security settings screen.(Citation: Kaspersky Riltok June 2019)","relationship_type":"uses","source_ref":"malware--c0efbaae-9e7d-4716-a92d-68373aac7424","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb","type":"relationship","created":"2020-12-17T20:15:22.444Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Palo Alto HenBox","url":"https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/","description":"A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019."}],"modified":"2020-12-17T20:15:22.444Z","description":"[HenBox](https://attack.mitre.org/software/S0544) can load additional Dalvik code while running.(Citation: Palo Alto HenBox)","relationship_type":"uses","source_ref":"malware--aef537ba-10c2-40ed-a57a-80b8508aada4","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e9b262ba-1c32-40b3-8622-121b30d6df50","type":"relationship","created":"2019-10-10T15:14:57.378Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019."}],"modified":"2019-10-10T15:14:57.378Z","description":"[Exodus](https://attack.mitre.org/software/S0405) Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.(Citation: SWB Exodus March 2019)","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e","type":"relationship","created":"2020-12-24T21:55:56.745Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:55:56.745Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the list of installed apps.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://www.wandera.com/reddrop-malware/","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.","source_name":"Wandera-RedDrop"}],"modified":"2019-10-15T19:56:13.162Z","description":"[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates details of the victim device operating system and manufacturer.(Citation: Wandera-RedDrop)","relationship_type":"uses","source_ref":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc","created":"2023-03-20T18:49:38.917Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:51:08.240Z","description":"Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known 
password store locations.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7","type":"relationship","created":"2020-11-24T17:55:12.822Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Talos GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020."}],"modified":"2020-11-24T17:55:12.822Z","description":"[GPlayed](https://attack.mitre.org/software/S0536) can request the device’s location.(Citation: Talos GPlayed)","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eb052029-e1c9-4f24-8594-299aaec7f1df","created":"2020-12-14T14:52:03.351Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Sophos Red Alert 2.0","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:42:46.952Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device’s call log.(Citation: Sophos Red Alert 2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93","type":"relationship","created":"2020-09-11T15:50:18.937Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html","source_name":"ThreatFabric Ginp"}],"modified":"2020-09-11T15:50:18.937Z","description":"[Ginp](https://attack.mitre.org/software/S0423) can send SMS messages.(Citation: ThreatFabric Ginp)","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro-XLoader","description":"Lorin Wu. (2018, April 19). 
XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:24:55.047Z","description":"[XLoader for Android](https://attack.mitre.org/software/S0318) requests Android Device Administrator access.(Citation: TrendMicro-XLoader)","relationship_type":"uses","source_ref":"malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5","created":"2022-04-06T15:47:06.163Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:47:06.163Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee","target_ref":"attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa","created":"2023-07-14T19:11:45.176Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-14T19:11:45.176Z","description":"Unexpected behavior from an application could be an indicator of 
masquerading.","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041","type":"relationship","created":"2017-10-25T14:48:53.742Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2020-06-24T15:08:18.481Z","description":"Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--eb784dcf-4188-47e2-9217-837b262acfb9","created":"2022-04-01T18:43:01.860Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility 
features.","modified":"2022-04-01T18:43:01.860Z","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3","created":"2023-02-06T19:01:39.599Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_abstractemu_1021","description":"P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T17:25:11.903Z","description":"[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself contact list access.(Citation: lookout_abstractemu_1021)","relationship_type":"uses","source_ref":"malware--2aec175b-4429-4048-8e09-3ef6cbecfc64","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ec734b52-a823-495c-9684-c4649269723e","created":"2023-09-28T17:22:03.028Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:22:03.028Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can uninstall itself and other applications.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0","created":"2023-08-14T16:33:56.635Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:33:56.635Z","description":"Many properly configured firewalls may naturally block command and control traffic.","relationship_type":"detects","source_ref":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","target_ref":"attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42","type":"relationship","created":"2021-10-01T14:42:48.913Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. 
(2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021."}],"modified":"2021-10-06T15:32:46.477Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can use its keylogger module to take screenshots of the area of the screen that the user tapped.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d","type":"relationship","created":"2019-08-09T18:06:11.672Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.","source_name":"Lookout Dark Caracal Jan 2018"}],"modified":"2019-08-09T18:06:11.672Z","description":"[Pallas](https://attack.mitre.org/software/S0399) can take pictures with both the front and rear-facing cameras.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ece70dca-803c-4209-8792-7e56e9901288","created":"2020-07-15T20:20:59.291Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender Mandrake","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). 
Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:38:15.470Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can delete all data from an infected device.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a","type":"relationship","created":"2020-07-15T20:20:59.186Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.186Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ed3293cf-de4f-4a73-98af-24325e8187c9","created":"2020-04-24T17:46:31.598Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"SecurityIntelligence TrickMo","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:51:43.135Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) can detect if it is running on a rooted device or an emulator.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ed48a86f-e55f-4abf-8f18-98591b756399","created":"2023-03-03T16:19:30.443Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). 
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:19:30.443Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has hidden the app icon from iOS springboard.(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d","created":"2024-04-02T19:24:58.885Z","revoked":false,"external_references":[{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-02T19:24:58.885Z","description":"[Phenakite](https://attack.mitre.org/software/S1126) has included exploits for jailbreaking infected devices.(Citation: fb_arid_viper)","relationship_type":"uses","source_ref":"malware--f97e2718-af50-41df-811f-215ebab45691","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ed7e9368-004c-484f-9eed-03b158325564","created":"2023-03-20T18:54:40.401Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T14:39:38.390Z","description":"Application vetting services could look for known software packers or artifacts of packing techniques. 
Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--51636761-2e35-44bf-9e56-e337adf97174","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6","created":"2023-02-28T20:31:55.191Z","revoked":false,"external_references":[{"source_name":"proofpoint_flubot_0421","description":"Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.","url":"https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-02-28T20:31:55.191Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can access app notifications.(Citation: proofpoint_flubot_0421)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--ede5c314-5988-4151-bb30-b6a6983d02c0","created":"2020-12-31T18:25:05.164Z","x_mitre_version":"1.0","external_references":[{"source_name":"CYBERWARCON 
CHEMISTGAMES","url":"https://www.youtube.com/watch?v=xoNSbm1aX_w","description":"B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.(Citation: CYBERWARCON CHEMISTGAMES)","modified":"2022-04-15T15:16:53.317Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--a0d774e4-bafc-4292-8651-3ec899391341","target_ref":"attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb","created":"2019-09-04T15:38:56.881Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"CyberMerchants-FlexiSpy","description":"Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.","url":"http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:56:00.761Z","description":"[FlexiSpy](https://attack.mitre.org/software/S0408) can collect device contacts.(Citation: CyberMerchants-FlexiSpy)","relationship_type":"uses","source_ref":"tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ee095f20-eef5-4dcc-a537-70b387592c2c","created":"2023-02-28T20:38:46.702Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"bitdefender_flubot_0524","description":"Filip TRUȚĂ, Răzvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.","url":"https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-31T22:15:20.089Z","description":"[FluBot](https://attack.mitre.org/software/S1067) can use Accessibility Services to make removal of the malicious app difficult.(Citation: bitdefender_flubot_0524)","relationship_type":"uses","source_ref":"malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9","created":"2020-09-15T15:18:12.419Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason FakeSpy","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:56:18.859Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device’s contact list.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f","type":"relationship","created":"2019-09-23T13:36:08.448Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019.","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","source_name":"securelist rotexy 2018"}],"modified":"2019-10-15T19:56:50.651Z","description":"[Rotexy](https://attack.mitre.org/software/S0411) collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.(Citation: securelist rotexy 2018)","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--eee008fa-a46f-4542-93e3-8fe5f949130f","created":"2023-01-19T18:06:57.242Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T21:08:51.234Z","description":"[TianySpy](https://attack.mitre.org/software/S1056) can check to see if Wi-Fi is enabled.(Citation: trendmicro_tianyspy_0122) ","relationship_type":"uses","source_ref":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671","created":"2021-02-08T16:36:20.709Z","x_mitre_version":"1.0","external_references":[{"source_name":"BlackBerry Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Windshift](https://attack.mitre.org/groups/G0112) has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)","modified":"2022-04-18T16:07:26.671Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f","created":"2019-07-16T14:33:12.107Z","x_mitre_version":"1.0","external_references":[{"source_name":"Kaspersky Triada June 2016","url":"https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/","description":"Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019."},{"source_name":"Google Triada June 2019","url":"https://security.googleblog.com/2019/06/pha-family-highlights-triada.html","description":"Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Triada](https://attack.mitre.org/software/S0424) can redirect ad banner URLs on websites visited by the user to specific ad URLs.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada June 2016) ","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--f082fc59-0317-49cf-971f-a1b6296ebb52","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005","created":"2023-10-10T15:33:57.735Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:57.735Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--efd35b6f-7a61-4998-97ff-608547e40f66","created":"2019-10-01T14:23:44.054Z","x_mitre_version":"1.0","external_references":[{"source_name":"securelist rotexy 2018","url":"https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/","description":"T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan – banker and ransomware. 
Retrieved September 23, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":" [Rotexy](https://attack.mitre.org/software/S0411) encrypts JSON HTTP payloads with AES.(Citation: securelist rotexy 2018) ","modified":"2022-04-18T16:07:57.631Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--0626c181-93cb-4860-9cb0-dff3b1c13063","target_ref":"attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f012feab-5612-429f-81bd-ff75d6ffd04e","created":"2022-04-05T17:03:34.941Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-05T17:03:34.941Z","relationship_type":"subtechnique-of","source_ref":"attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f051c943-998c-4db2-9dbc-d4755057bcf0","created":"2022-04-05T19:49:06.417Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility 
features.","modified":"2022-04-05T19:49:06.417Z","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd","created":"2023-03-20T18:51:58.152Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:23:02.162Z","description":"Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. ","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f0851531-e554-4658-920c-f2342632c19a","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-Adware","description":"Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. 
Retrieved December 21, 2016.","url":"https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[ShiftyBug](https://attack.mitre.org/software/S0294) is packed with at least eight publicly available exploits that can perform rooting.(Citation: Lookout-Adware)","relationship_type":"uses","source_ref":"malware--c80a6bef-b3ce-44d0-b113-946e93124898","target_ref":"attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1","type":"relationship","created":"2020-07-15T20:20:59.284Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Bitdefender Mandrake","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020."}],"modified":"2020-07-15T20:20:59.284Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can install attacker-specified components or applications.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f0e39856-4d2d-45c5-bf16-f683ee993010","created":"2022-03-30T18:18:15.915Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T18:18:15.915Z","relationship_type":"revoked-by","source_ref":"attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2","target_ref":"attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc","created":"2020-09-14T14:13:45.286Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout eSurv","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/esurv-research"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:40:48.237Z","description":"[eSurv](https://attack.mitre.org/software/S0507) has exfiltrated data using HTTP PUT requests.(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f157970b-4782-46d0-abdd-000ae6eea14b","created":"2018-10-17T00:14:20.652Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-04-06T15:41:33.832Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"revoked-by","source_ref":"attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b","target_ref":"attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150","type":"relationship","created":"2020-05-11T16:37:36.673Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html","source_name":"ThreatFabric Ginp"}],"modified":"2020-05-11T16:37:36.673Z","description":" [Ginp](https://attack.mitre.org/software/S0423) can download device logs.(Citation: ThreatFabric Ginp) ","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665","created":"2023-07-21T19:39:51.044Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:39:51.044Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate data when the user boots the app, or on device boot.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee","created":"2020-11-24T17:55:12.895Z","x_mitre_version":"1.0","external_references":[{"source_name":"Talos 
GPlayed","url":"https://blog.talosintelligence.com/2018/10/gplayedtrojan.html","description":"V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[GPlayed](https://attack.mitre.org/software/S0536) can show a phishing WebView pretending to be a Google service that collects credit card information.(Citation: Talos GPlayed)","modified":"2022-04-12T10:01:44.682Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--a993495c-9813-4372-b9ec-d168c7f7ec0a","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1","created":"2020-06-26T15:32:25.002Z","x_mitre_version":"1.0","external_references":[{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Cerberus](https://attack.mitre.org/software/S0480) can record keystrokes.(Citation: Threat Fabric Cerberus)","modified":"2022-04-15T17:33:17.868Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6","created":"2020-01-21T14:20:50.409Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender - Triout 2018","description":"L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020.","url":"https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:46:20.857Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.(Citation: Bitdefender - Triout 
2018)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132","created":"2022-03-30T14:06:26.530Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Mobile security products can typically detect jailbroken or rooted devices. ","modified":"2022-03-30T14:06:26.530Z","relationship_type":"mitigates","source_ref":"course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433","target_ref":"attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81","created":"2023-03-20T15:45:44.000Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:40:17.754Z","description":"Mobile security products can potentially detect jailbroken 
devices.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a","created":"2024-01-26T17:35:37.668Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"checkpoint_flixonline_0421","description":"Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024.","url":"https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-19T18:32:39.116Z","description":"[FlixOnline](https://attack.mitre.org/software/S1103) requests access to the `NotificationListenerService`, which can allow it to manipulate a device's notifications.(Citation: checkpoint_flixonline_0421)","relationship_type":"uses","source_ref":"malware--0ec9593f-3221-49b1-b597-37f307c19f13","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5","created":"2023-03-20T15:21:12.492Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T17:20:13.644Z","description":"Integrity checking mechanisms can potentially detect 
unauthorized hardware modifications.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607","created":"2024-02-21T21:05:56.876Z","revoked":false,"external_references":[{"source_name":"Wandera-RedDrop","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.","url":"https://www.wandera.com/reddrop-malware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T21:05:56.876Z","description":"[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)","relationship_type":"uses","source_ref":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f4aeacef-035c-4308-9e85-997703e27809","created":"2020-01-27T17:05:58.305Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Trend Micro Bouncing Golf 2019","description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. 
Retrieved January 27, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:27:33.906Z","description":"[GolfSpy](https://attack.mitre.org/software/S0421) can delete arbitrary files on the device.(Citation: Trend Micro Bouncing Golf 2019)","relationship_type":"uses","source_ref":"malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012","type":"relationship","created":"2020-12-14T14:52:03.218Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Sophos Red Alert 2.0","url":"https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/","description":"J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020."}],"modified":"2020-12-14T14:52:03.218Z","description":"[Red Alert 2.0](https://attack.mitre.org/software/S0539) can obtain the running application.(Citation: Sophos Red Alert 2.0)","relationship_type":"uses","source_ref":"malware--6e282bbf-5f32-476a-b879-ba77eec463c8","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1","created":"2019-07-10T15:35:43.661Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:32:57.154Z","description":"[Pallas](https://attack.mitre.org/software/S0399) captures and exfiltrates all SMS messages, including future messages as they are received.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"PaloAlto-SpyDealer","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.","url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:33:12.082Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) harvests SMS and MMS messages from victims.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45","created":"2019-09-15T15:32:17.580Z","x_mitre_version":"1.0","external_references":[{"source_name":"Android Notification Listeners","url":"https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPermittedCrossProfileNotificationListeners(android.content.ComponentName,%20java.util.List%3Cjava.lang.String%3E)","description":"Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"On Android devices with a work profile, the `DevicePolicyManager.setPermittedCrossProfileNotificationListeners` method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. 
The `DevicePolicyManager.setApplicationHidden` method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.(Citation: Android Notification Listeners) ","modified":"2022-04-01T14:50:28.686Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19","created":"2020-09-24T15:26:15.607Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"TrendMicro-XLoader-FakeSpy","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:41:01.468Z","description":"[XLoader for iOS](https://attack.mitre.org/software/S0490) has exfiltrated data using HTTP requests.(Citation: TrendMicro-XLoader-FakeSpy)","relationship_type":"uses","source_ref":"malware--29944858-da52-4d3d-b428-f8a6eb8dde6f","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f5196775-2c99-4dc5-b173-6a10af503c6e","created":"2023-09-25T19:55:13.827Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-25T19:55:13.827Z","description":"Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device 
accessibility.","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.","source_name":"Lookout-StealthMango"}],"modified":"2019-08-09T17:59:49.112Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about installed packages.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4","created":"2022-09-29T21:22:06.716Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cylance Dust Storm","description":"Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.","url":"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2022-09-30T18:45:10.156Z","description":"During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers.(Citation: Cylance Dust Storm)","relationship_type":"uses","source_ref":"campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a","created":"2023-03-20T18:39:10.113Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T17:14:24.009Z","description":"The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.","relationship_type":"detects","source_ref":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","target_ref":"attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4","created":"2023-09-28T17:20:50.748Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. 
(2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:20:50.748Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can record audio from the device’s microphone.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f5d24a31-53d2-4e84-9110-2da0582132cb","created":"2020-05-07T15:33:32.936Z","x_mitre_version":"1.0","external_references":[{"source_name":"CheckPoint Agent Smith","url":"https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/","description":"A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Agent Smith](https://attack.mitre.org/software/S0440)’s core malware is disguised as a JPG file, and encrypted with an XOR cipher.(Citation: CheckPoint Agent Smith)","modified":"2022-04-15T16:44:17.145Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--a6228601-03f6-4949-ae22-c1087627a637","target_ref":"attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78","created":"2023-03-20T18:54:09.674Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:58:57.985Z","description":"On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.","relationship_type":"detects","source_ref":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","target_ref":"attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-PegasusAndroid","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}],"modified":"2019-08-09T17:52:31.854Z","description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses the list of installed applications.(Citation: Lookout-PegasusAndroid)","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f6098dca-3a9e-4991-8d51-1310b12161b6","created":"2017-12-14T16:46:06.044Z","x_mitre_version":"1.0","external_references":[{"source_name":"Lookout-PegasusAndroid","url":"https://blog.lookout.com/blog/2017/04/03/pegasus-android/","description":"Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017."}],"x_mitre_deprecated":false,"revoked":false,"description":"[Pegasus for Android](https://attack.mitre.org/software/S0316) uses SMS for command and control.(Citation: Lookout-PegasusAndroid)","modified":"2022-04-19T14:25:41.669Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"uses","source_ref":"malware--93799a9d-3537-43d8-b6f4-17215de1657c","target_ref":"attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e","created":"2022-03-30T20:43:31.249Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"","modified":"2022-03-30T20:43:31.249Z","relationship_type":"revoked-by","source_ref":"attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f62e0aaf-e52f-40b9-a059-001f298a0660","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Kaspersky-Skygofree","description":"Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.","url":"https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:19:00.168Z","description":"[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions.(Citation: Kaspersky-Skygofree)","relationship_type":"uses","source_ref":"malware--3a913bac-4fae-4d0e-bca8-cae452f1599b","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794","type":"relationship","created":"2019-11-21T16:42:48.488Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.","url":"https://securelist.com/fanning-the-flames-viceleaker-operation/90877/","source_name":"SecureList - ViceLeaker 2019"},{"source_name":"Bitdefender - Triout 2018","url":"https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/","description":"L. Arsene, C. Ochinca. (2018, August 20). Triout – Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020."}],"modified":"2020-01-21T14:20:50.474Z","description":"[ViceLeaker](https://attack.mitre.org/software/S0418) can record audio from the device’s microphone and can record phone calls together with the caller ID.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)","relationship_type":"uses","source_ref":"malware--6fcaf9b0-b509-4644-9f93-556222c81ed2","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f6417788-0c6e-4172-9010-f20870ec2278","created":"2023-06-09T19:16:07.193Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-06-09T19:16:07.193Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can request device administrator privileges.(Citation: 
lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f65087b4-adf2-4292-a711-7ae829e91397","type":"relationship","created":"2019-09-04T14:28:16.385Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"description":"Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.","url":"https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf","source_name":"Lookout-Monokle"}],"modified":"2019-09-04T14:32:12.877Z","description":"[Monokle](https://attack.mitre.org/software/S0407) can list applications installed on the device.(Citation: Lookout-Monokle)","relationship_type":"uses","source_ref":"malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.","source_name":"PaloAlto-SpyDealer"}],"modified":"2019-08-09T17:56:05.682Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) can record phone calls and surrounding audio.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663","created":"2023-08-16T16:39:10.564Z","revoked":false,"external_references":[{"source_name":"cyble_chameleon_0423","description":"Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.","url":"https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-16T16:39:10.564Z","description":"[Chameleon](https://attack.mitre.org/software/S1083) can disable Google Play Protect.(Citation: 
cyble_chameleon_0423)","relationship_type":"uses","source_ref":"malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f","target_ref":"attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f6a451e8-2125-4bbe-be52-e682523cd169","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.","source_name":"PaloAlto-SpyDealer"}],"modified":"2019-10-15T19:37:21.273Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) harvests the device phone number, IMEI, and IMSI.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa","created":"2020-11-10T17:08:35.761Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Uyghur Campaign","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:00:38.611Z","description":"[CarbonSteal](https://attack.mitre.org/software/S0529) has deleted call log entries coming from known C2 sources.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--007ebf84-4e14-44c7-a5aa-151d5de85320","target_ref":"attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1","type":"relationship","created":"2020-07-20T13:49:03.693Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"TrendMicro-XLoader-FakeSpy","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/","description":"Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020."}],"modified":"2020-09-24T15:12:24.242Z","description":"[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device’s IMSI and ICCID.(Citation: TrendMicro-XLoader-FakeSpy)","relationship_type":"uses","source_ref":"malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc","created":"2022-04-01T13:18:40.460Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list. ","modified":"2022-04-01T13:18:40.460Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22","created":"2023-07-21T19:39:20.054Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:39:20.054Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) uses a background service that can restart itself when the parent activity is stopped.(Citation: lookout_bouldspy_0423) ","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f776a4da-0fa6-414c-a705-e9e8b419e056","type":"relationship","created":"2020-06-26T15:32:25.058Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Cerberus","url":"https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html","description":"Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020."},{"source_name":"CheckPoint Cerberus","url":"https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/","description":"A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild – Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020."}],"modified":"2020-06-26T15:32:25.058Z","description":"[Cerberus](https://attack.mitre.org/software/S0480) can inject input to grant itself additional permissions without user interaction and to prevent application removal.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)","relationship_type":"uses","source_ref":"malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9","target_ref":"attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f781fd2c-209f-43f1-b55a-fb175187415f","created":"2024-03-28T18:28:48.230Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-04-15T21:40:34.141Z","description":"During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device’s contact list.(Citation: welivesec_strongpity) 
","relationship_type":"uses","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a","created":"2021-01-07T17:02:31.805Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Zscaler TikTok Spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T19:56:32.861Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can access the device's contact list.(Citation: Zscaler TikTok Spyware) ","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","source_name":"Lookout-StealthMango"}],"modified":"2019-08-09T17:59:49.021Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) can perform GPS location tracking as well as capturing coordinates as when an SMS message or call is received.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f8151852-5a56-4c91-a691-1e50387a291d","created":"2023-09-28T17:39:14.900Z","revoked":false,"external_references":[{"source_name":"Trend Micro FlyTrap","description":"Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts — Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.","url":"https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:39:14.900Z","description":"[FlyTrap](https://attack.mitre.org/software/S1093) can collect IP address and network configuration information.(Citation: Trend Micro 
FlyTrap)","relationship_type":"uses","source_ref":"malware--8338393c-cb2e-4ee6-b944-34672499c785","target_ref":"attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f84355c2-b829-4324-821a-b5148734bb6b","created":"2022-04-01T15:21:35.655Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output. ","modified":"2022-04-01T15:21:35.655Z","relationship_type":"mitigates","source_ref":"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f857935b-653a-4b9a-a2dc-59c042059a39","created":"2023-03-20T15:56:04.673Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-14T16:28:45.049Z","description":"Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. 
","relationship_type":"detects","source_ref":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","target_ref":"attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c","type":"relationship","created":"2020-12-18T20:14:47.371Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"WhiteOps TERRACOTTA","url":"https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study","description":"Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020."}],"modified":"2020-12-18T21:00:05.246Z","description":"[TERRACOTTA](https://attack.mitre.org/software/S0545) can send SMS messages.(Citation: WhiteOps TERRACOTTA)","relationship_type":"uses","source_ref":"malware--e296b110-46d3-4f7a-894c-cc71ea50168c","target_ref":"attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57","type":"relationship","created":"2020-04-08T15:51:25.120Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"ThreatFabric Ginp","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html","description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020."}],"modified":"2020-04-08T15:51:25.120Z","description":"[Ginp](https://attack.mitre.org/software/S0423) obfuscates its payload, code, and strings.(Citation: ThreatFabric Ginp)","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f92fe9dd-7296-42f6-904e-e245c438376e","created":"2020-12-14T15:02:35.291Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Securelist Asacub","description":"T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.","url":"https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T21:25:06.012Z","description":"[Asacub](https://attack.mitre.org/software/S0540) can request device administrator permissions.(Citation: Securelist Asacub)","relationship_type":"uses","source_ref":"malware--a76b837b-93cc-417d-bf28-c47a6a284fa4","target_ref":"attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23","created":"2024-02-21T20:51:32.634Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T20:52:10.329Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ArsTechnica-HummingBad","description":"Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.","url":"http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-21T18:51:23.251Z","description":"[HummingBad](https://attack.mitre.org/software/S0322) can create fraudulent statistics inside the official Google Play Store, and has generated revenue from installing fraudulent apps and displaying malicious advertisements.(Citation: ArsTechnica-HummingBad)","relationship_type":"uses","source_ref":"malware--c8770c81-c29f-40d2-a140-38544206b2b4","target_ref":"attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f","created":"2019-10-18T14:50:57.494Z","x_mitre_version":"1.0","x_mitre_deprecated":false,"revoked":false,"description":"Security updates often contain patches for 
vulnerabilities.","modified":"2022-04-11T14:26:44.192Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d","target_ref":"attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f989562f-41a8-46d3-94ba-fca7269ae592","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.","source_name":"Lookout-StealthMango"}],"modified":"2019-08-09T17:59:49.072Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b","created":"2024-02-21T21:09:05.676Z","revoked":false,"external_references":[{"source_name":"trendmicro_tianyspy_0122","description":"Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.","url":"https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-02-21T21:09:05.676Z","description":"[TianySpy](https://attack.mitre.org/software/S1056) can check to see if Wi-Fi is enabled.(Citation: trendmicro_tianyspy_0122) ","relationship_type":"uses","source_ref":"malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6","target_ref":"attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae","created":"2019-09-04T20:01:42.753Z","x_mitre_version":"1.0","external_references":[{"source_name":"Nightwatch screencap April 2016","url":"https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/","description":"Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). 
Retrieved November 5, 2019."}],"x_mitre_deprecated":false,"revoked":false,"description":"Application developers can apply the `FLAG_SECURE` property to sensitive screens within their apps to make it more difficult for the screen contents to be captured.(Citation: Nightwatch screencap April 2016) ","modified":"2022-04-01T13:31:59.712Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","relationship_type":"mitigates","source_ref":"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0","type":"relationship","created":"2020-12-24T21:55:56.686Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2020-12-24T21:55:56.686Z","description":"[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed common system information.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--3d6c4389-3489-40a3-beda-c56e650b6f68","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb","created":"2020-09-15T15:18:12.466Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason FakeSpy","description":"O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.","url":"https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:17:07.033Z","description":"[FakeSpy](https://attack.mitre.org/software/S0509) exfiltrates data using HTTP requests.(Citation: Cybereason FakeSpy)","relationship_type":"uses","source_ref":"malware--838f647e-8ff8-48bd-bbd5-613cee7736cb","target_ref":"attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fa1da6db-da32-45d2-98a8-6bbe153166da","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-EnterpriseApps","description":"Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.","url":"https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[AndroRAT](https://attack.mitre.org/software/S0292) tracks the device location.(Citation: Lookout-EnterpriseApps)","relationship_type":"uses","source_ref":"malware--a3dad2be-ce62-4440-953b-00fbce7aba93","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d","type":"relationship","created":"2021-01-05T20:16:20.417Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Zscaler TikTok Spyware","url":"https://www.zscaler.com/blogs/security-research/tiktok-spyware","description":"S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021."}],"modified":"2021-01-05T20:16:20.417Z","description":"[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture photos and videos from the device’s camera.(Citation: Zscaler TikTok Spyware)","relationship_type":"uses","source_ref":"malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fa5f3aea-2131-4690-8833-dc428fae2b22","created":"2023-01-18T21:38:34.350Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"nccgroup_sharkbot_0322","description":"RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a “new” generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.","url":"https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-27T18:57:53.504Z","description":"[SharkBot](https://attack.mitre.org/software/S1055) can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.(Citation: nccgroup_sharkbot_0322)","relationship_type":"uses","source_ref":"malware--9cd72f5c-bec0-4f7e-bb6d-296937116291","target_ref":"attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--fada5ba5-7449-4878-b555-82f225473c8b","created":"2022-03-30T19:28:42.179Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Attestation can detect unauthorized modifications to devices. Mobile security software can then use this information and take appropriate mitigation action. ","modified":"2022-03-30T19:28:42.179Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9","created":"2023-07-21T19:34:53.934Z","revoked":false,"external_references":[{"source_name":"lookout_bouldspy_0423","description":"Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). 
Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.","url":"https://www.lookout.com/blog/iranian-spyware-bouldspy"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-07-21T19:34:53.934Z","description":"[BOULDSPY](https://attack.mitre.org/software/S1079) can get a device’s location using GPS or network.(Citation: lookout_bouldspy_0423)","relationship_type":"uses","source_ref":"malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1","target_ref":"attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5","created":"2023-06-09T19:16:53.458Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-06-09T19:16:53.458Z","description":"[Hornbill](https://attack.mitre.org/software/S1077) can access a device’s camera and take photos.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6","created":"2020-09-11T16:22:03.266Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout ViperRAT","description":"M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.","url":"https://blog.lookout.com/viperrat-mobile-apt"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:33:34.466Z","description":"[ViperRAT](https://attack.mitre.org/software/S0506) can collect SMS messages.(Citation: Lookout ViperRAT)","relationship_type":"uses","source_ref":"malware--f666e17c-b290-43b3-8947-b96bd5148fbb","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68","type":"relationship","created":"2020-12-24T21:45:56.979Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020."}],"modified":"2021-04-19T14:29:46.650Z","description":"[SilkBean](https://attack.mitre.org/software/S0549) can retrieve files from external storage and can collect browser data.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--ddbe5657-e21e-4a89-8221-2f1362d397ec","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fb3b32a8-6422-4d44-91e3-27a58e569963","type":"relationship","created":"2019-09-03T19:45:48.494Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019."}],"modified":"2019-09-11T13:25:19.179Z","description":" [Exodus](https://attack.mitre.org/software/S0405) Two can take screenshots of any application in the foreground.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674","type":"relationship","created":"2020-12-24T22:04:28.025Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout Uyghur Campaign","url":"https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf","description":"A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."}],"modified":"2020-12-24T22:04:28.025Z","description":"[GoldenEagle](https://attack.mitre.org/software/S0551) has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.(Citation: Lookout Uyghur Campaign)","relationship_type":"uses","source_ref":"malware--0b9c5d11-651a-4378-b129-5c584d0242c5","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fb587f81-1300-438d-a33b-f8d08530788b","created":"2019-07-10T15:35:43.704Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:41:13.182Z","description":"[Pallas](https://attack.mitre.org/software/S0399) exfiltrates data using HTTP.(Citation: Lookout Dark Caracal Jan 2018)","relationship_type":"uses","source_ref":"malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878","target_ref":"attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","source_name":"Lookout-StealthMango"}],"modified":"2019-10-15T19:44:36.125Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--fb62afa9-d593-44f8-840d-bd5c595a1228","created":"2022-04-01T18:44:46.780Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.","modified":"2022-04-01T18:44:46.780Z","relationship_type":"mitigates","source_ref":"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee","target_ref":"attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Lookout-StealthMango","description":"Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T16:50:54.500Z","description":"[Stealth Mango](https://attack.mitre.org/software/S0328) uploads SMS messages.(Citation: Lookout-StealthMango)","relationship_type":"uses","source_ref":"malware--085eb36d-697d-4d9a-bac3-96eb879fe73c","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fbdbddd7-4980-4061-9192-24a887bc6bad","type":"relationship","created":"2020-12-07T14:28:32.141Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Threat Fabric Exobot","url":"https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html","description":"Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020."}],"modified":"2020-12-07T14:28:32.141Z","description":"[Exobot](https://attack.mitre.org/software/S0522) can open a SOCKS proxy connection through the compromised device.(Citation: Threat Fabric Exobot)","relationship_type":"uses","source_ref":"malware--c91cec55-634c-4670-ba10-2dc7ceb28e98","target_ref":"attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7","created":"2023-09-28T17:22:27.968Z","revoked":false,"external_references":[{"source_name":"Bleeipng Computer Escobar","description":"B. Toulas. (2022, March 12). 
Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.","url":"https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-09-28T17:22:27.968Z","description":"[Escobar](https://attack.mitre.org/software/S1092) can collect credentials using phishing overlays.(Citation: Bleeipng Computer Escobar)","relationship_type":"uses","source_ref":"malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a","target_ref":"attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4","type":"relationship","created":"2019-09-03T19:45:48.485Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SWB Exodus March 2019","url":"https://securitywithoutborders.org/blog/2019/03/29/exodus.html","description":"Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved September 3, 2019."}],"modified":"2019-09-11T13:25:19.117Z","description":" [Exodus](https://attack.mitre.org/software/S0405) Two can obtain a list of installed applications.(Citation: SWB Exodus March 2019) ","relationship_type":"uses","source_ref":"malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb","target_ref":"attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55","created":"2023-03-03T16:23:56.031Z","revoked":false,"external_references":[{"source_name":"paloalto_yispecter_1015","description":"Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.","url":"https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-03-03T16:23:56.031Z","description":"[YiSpecter](https://attack.mitre.org/software/S0311) has collected the device UUID.(Citation: paloalto_yispecter_1015)","relationship_type":"uses","source_ref":"malware--a15c9357-2be0-4836-beec-594f28b9b4a9","target_ref":"attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fc816ddc-199d-47b0-93af-c81305d0919f","type":"relationship","created":"2020-06-02T14:32:31.767Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Volexity 
Insomnia","url":"https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/","description":"A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020."}],"modified":"2020-06-02T14:32:31.767Z","description":"[INSOMNIA](https://attack.mitre.org/software/S0463) has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.(Citation: Volexity Insomnia)","relationship_type":"uses","source_ref":"malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901","target_ref":"attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fcb3a139-f644-45c9-8123-dfea0455143a","type":"relationship","created":"2019-08-09T17:56:05.588Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/","description":"Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.","source_name":"PaloAlto-SpyDealer"}],"modified":"2019-08-09T17:56:05.588Z","description":"[SpyDealer](https://attack.mitre.org/software/S0324) can record video and take photos via front and rear cameras.(Citation: PaloAlto-SpyDealer)","relationship_type":"uses","source_ref":"malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b","target_ref":"attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fcc42341-ec3a-4e24-a374-46bed72d061f","type":"relationship","created":"2021-10-01T14:42:49.191Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecureList BusyGasper","url":"https://securelist.com/busygasper-the-unfriendly-spy/87627/","description":"Alexey Firsh. (2018, August 29). BusyGasper – the unfriendly spy. Retrieved October 1, 2021."}],"modified":"2021-10-01T14:42:49.191Z","description":"[BusyGasper](https://attack.mitre.org/software/S0655) can collect data from messaging applications, including WhatsApp, Viber, and Facebook.(Citation: SecureList BusyGasper)","relationship_type":"uses","source_ref":"malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4","target_ref":"attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd","created":"2020-06-26T14:55:13.333Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Cybereason EventBot","description":"D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.","url":"https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:49:38.924Z","description":"[EventBot](https://attack.mitre.org/software/S0478) registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.(Citation: Cybereason EventBot)","relationship_type":"uses","source_ref":"malware--aecc0097-c9f8-4786-9b39-e891ff173f54","target_ref":"attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576","type":"relationship","created":"2020-09-14T14:13:45.294Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout eSurv","url":"https://blog.lookout.com/esurv-research","description":"A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020."}],"modified":"2020-09-14T15:39:17.961Z","description":"[eSurv](https://attack.mitre.org/software/S0507)’s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is [Exodus](https://attack.mitre.org/software/S0405).(Citation: Lookout eSurv)","relationship_type":"uses","source_ref":"malware--680f680c-eef9-4f8a-b5f5-f451bf47e403","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2","created":"2023-08-08T16:14:27.679Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-08T16:14:27.679Z","description":"Application vetting services may potentially determine if an application contains suspicious code and/or metadata.","relationship_type":"detects","source_ref":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901","type":"relationship","created":"2020-04-24T17:46:31.607Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"SecurityIntelligence TrickMo","url":"https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/","description":"P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020."}],"modified":"2020-04-24T17:46:31.607Z","description":"[TrickMo](https://attack.mitre.org/software/S0427) contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java’s `PBEWithMD5AndDES` algorithm.(Citation: SecurityIntelligence TrickMo)","relationship_type":"uses","source_ref":"malware--21170624-89db-4e99-bf27-58d26be07c3a","target_ref":"attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549","created":"2023-03-20T18:24:56.396Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-07T17:12:07.475Z","description":"Mobile security products can often alert the user if their device is vulnerable to known exploits.","relationship_type":"detects","source_ref":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","target_ref":"attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394","created":"2021-02-08T16:36:20.639Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"BlackBerry Bahamut","description":"The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:07:15.780Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has region-locked their malicious applications during their Operation BULL campaign.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1","created":"2020-07-15T20:20:59.227Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Bitdefender Mandrake","description":"R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T20:33:57.748Z","description":"[Mandrake](https://attack.mitre.org/software/S0485) can access SMS messages.(Citation: Bitdefender Mandrake)","relationship_type":"uses","source_ref":"malware--52c994fa-b6c8-45a8-9586-a4275cf19307","target_ref":"attack-pattern--c6421411-ae61-42bb-9098-73fddb315002","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea","created":"2022-03-30T19:32:43.015Z","x_mitre_version":"0.1","x_mitre_deprecated":false,"revoked":false,"description":"Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. Attestation can detect rooted devices.","modified":"2022-03-30T19:32:43.015Z","relationship_type":"mitigates","source_ref":"course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c","target_ref":"attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"type":"relationship","id":"relationship--fe794ba6-42be-4d42-a16f-a41473874331","created":"2022-03-30T15:08:13.679Z","x_mitre_version":"0.1","external_references":[{"source_name":"Android-VerifiedBoot","url":"https://source.android.com/security/verifiedboot/","description":"Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016."}],"x_mitre_deprecated":false,"revoked":false,"description":"Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ","modified":"2022-03-30T15:08:13.679Z","relationship_type":"mitigates","source_ref":"course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321","target_ref":"attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831","x_mitre_attack_spec_version":"2.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ff3aa49b-c054-44ec-89da-6c67d4995193","created":"2023-03-20T18:44:44.257Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-09T15:52:15.261Z","description":"Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.","relationship_type":"detects","source_ref":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","target_ref":"attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938","created":"2023-08-04T18:34:26.118Z","revoked":false,"external_references":[{"source_name":"lookout_hornbill_sunbird_0221","description":"Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.","url":"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-08-04T18:34:26.118Z","description":"[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate calendar information.(Citation: lookout_hornbill_sunbird_0221)","relationship_type":"uses","source_ref":"malware--feae299d-e34f-4fc9-8545-486d0905bd41","target_ref":"attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f","created":"2023-10-10T15:33:57.463Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Microsoft MalLockerB","description":"D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.","url":"https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-10-10T15:33:57.463Z","description":"[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has masqueraded as popular apps, cracked games, and video players. 
(Citation: Microsoft MalLockerB)","relationship_type":"uses","source_ref":"malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce","target_ref":"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ffc24804-42db-4be1-a418-7f5ab9de453c","type":"relationship","created":"2017-12-14T16:46:06.044Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"Lookout-NotCompatible","description":"Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.","url":"https://blog.lookout.com/blog/2014/11/19/notcompatible/"}],"modified":"2018-10-17T00:14:20.652Z","description":"[NotCompatible](https://attack.mitre.org/software/S0299) has the capability to exploit systems on an enterprise network.(Citation: Lookout-NotCompatible)","relationship_type":"uses","source_ref":"malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe","target_ref":"attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ffc82546-f4da-4f47-88ec-b215edb1d695","type":"relationship","created":"2021-02-08T16:36:20.799Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"source_name":"BlackBerry Bahamut","url":"https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf","description":"The BlackBerry Research & Intelligence Team. (2020, October). 
BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."}],"modified":"2021-05-24T13:16:56.589Z","description":"[Windshift](https://attack.mitre.org/groups/G0112) has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.(Citation: BlackBerry Bahamut)","relationship_type":"uses","source_ref":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","target_ref":"attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055","type":"relationship","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"url":"https://www.wandera.com/reddrop-malware/","description":"Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.","source_name":"Wandera-RedDrop"}],"modified":"2019-09-10T13:14:39.009Z","description":"[RedDrop](https://attack.mitre.org/software/S0326) captures live recordings of the device's surroundings.(Citation: Wandera-RedDrop)","relationship_type":"uses","source_ref":"malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381","target_ref":"attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9","created":"2020-04-08T15:51:25.149Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"ThreatFabric Ginp","description":"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.","url":"https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2023-04-05T17:30:28.587Z","description":"[Ginp](https://attack.mitre.org/software/S0423) can download the device’s contact list.(Citation: ThreatFabric Ginp)","relationship_type":"uses","source_ref":"malware--6146be90-470c-4049-bb3a-9986b8ffb65b","target_ref":"attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-20T20:22:45.613Z","name":"Host Status","description":"Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)","x_mitre_data_source_ref":"x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-13T19:59:14.491Z","name":"API Calls","description":"API calls utilized by an application that could indicate malicious 
activity","x_mitre_data_source_ref":"x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962","created":"2023-03-13T19:59:14.491Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.274Z","name":"Network Traffic Content","description":"Logged network traffic data showing both protocol header and body values (ex: PCAP)","x_mitre_data_source_ref":"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-11T15:10:14.209Z","name":"C0033","description":"[C0033](https://attack.mitre.org/campaigns/C0033) was a [PROMETHIUM](https://attack.mitre.org/groups/G0056) campaign during which they used [StrongPity](https://attack.mitre.org/software/S0491) to target Android users. 
[C0033](https://attack.mitre.org/campaigns/C0033) was the first publicly documented mobile campaign for [PROMETHIUM](https://attack.mitre.org/groups/G0056), who previously used Windows-based techniques.(Citation: welivesec_strongpity)","aliases":["C0033"],"first_seen":"2016-05-01T07:00:00.000Z","last_seen":"2023-01-01T08:00:00.000Z","x_mitre_first_seen_citation":"(Citation: securelist_strongpity)","x_mitre_last_seen_citation":"(Citation: welivesec_strongpity)","x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_contributors":["Hiroki Nagahama, NEC Corporation","Manikantan Srinivasan, NEC Corporation India","Pooja Natarajan, NEC Corporation India"],"type":"campaign","id":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","created":"2024-03-28T18:00:04.123Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/campaigns/C0033","external_id":"C0033"},{"source_name":"securelist_strongpity","description":"Baumgartner, K. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved March 28, 2024.","url":"https://securelist.com/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/76147/"},{"source_name":"welivesec_strongpity","description":"Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.","url":"https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["mobile-attack","enterprise-attack"]},{"modified":"2023-03-13T20:00:08.487Z","name":"Permissions Requests","description":"Permissions declared in an application's manifest or property list file","x_mitre_data_source_ref":"x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43","created":"2023-03-13T20:00:08.487Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-13T20:48:14.540Z","name":"System Settings","description":"Settings visible to the user on the device","x_mitre_data_source_ref":"x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6","created":"2023-03-13T20:48:14.540Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"aliases":["Bouncing 
Golf"],"x_mitre_domains":["mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd","type":"intrusion-set","created":"2020-01-27T16:55:39.688Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"G0097","source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0097"},{"source_name":"Trend Micro Bouncing Golf 2019","url":"https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/","description":"E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign ‘Bouncing Golf’ Affects Middle East. Retrieved January 27, 2020."}],"modified":"2020-03-26T20:58:44.722Z","name":"Bouncing Golf","description":"[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)","x_mitre_version":"1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-13T19:59:42.141Z","name":"Network Communication","description":"Network requests made by an application or domains 
contacted","x_mitre_data_source_ref":"x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0","created":"2023-03-13T19:59:42.141Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.274Z","name":"Network Traffic Flow","description":"Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)","x_mitre_data_source_ref":"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"aliases":["Windshift","Bahamut"],"x_mitre_domains":["enterprise-attack","mobile-attack"],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1","type":"intrusion-set","created":"2020-06-25T17:16:39.168Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","external_references":[{"external_id":"G0112","source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0112"},{"source_name":"Bahamut","description":"(Citation: SANS Windshift August 2018)"},{"source_name":"SANS Windshift August 
2018","url":"https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf","description":"Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020."},{"source_name":"objective-see windtail1 dec 2018","url":"https://objective-see.com/blog/blog_0x3B.html","description":"Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019."},{"source_name":"objective-see windtail2 jan 2019","url":"https://objective-see.com/blog/blog_0x3D.html","description":"Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019."}],"modified":"2021-04-26T14:37:33.234Z","name":"Windshift","description":"[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)","x_mitre_version":"1.1","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-13T20:47:24.038Z","name":"Permissions Request","description":"System prompts triggered when an application requests new or additional 
permissions","x_mitre_data_source_ref":"x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456","created":"2023-03-13T20:47:24.038Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-07T16:14:39.124Z","name":"Command Execution","description":"The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )","x_mitre_data_source_ref":"x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.272Z","name":"Process Metadata","description":"Contextual data about a running process, which may include information such as environment variables, image name, user/owner, 
etc.","x_mitre_data_source_ref":"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-16T15:31:48.747Z","name":"APT-C-23","description":"[APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014.(Citation: symantec_mantis) [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets. [APT-C-23](https://attack.mitre.org/groups/G1028) has developed mobile spyware targeting Android and iOS devices since 2017.(Citation: welivesecurity_apt-c-23)","aliases":["APT-C-23","Mantis","Arid Viper","Desert Falcon","TAG-63","Grey Karkadann","Big Bang APT","Two-tailed Scorpion"],"x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_contributors":["Sittikorn Sangrattanapitak"],"type":"intrusion-set","id":"intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394","created":"2024-03-26T18:38:00.759Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G1028","external_id":"G1028"},{"source_name":"Big Bang APT","description":"(Citation: checkpoint_interactive_map_apt-c-23) "},{"source_name":"Grey Karkadann","description":"(Citation: sentinelone_israel_hamas_war)"},{"source_name":"Mantis","description":"(Citation: symantec_mantis)(Citation: sentinelone_israel_hamas_war)"},{"source_name":"Two-tailed Scorpion","description":"(Citation: welivesecurity_apt-c-23)"},{"source_name":"Arid Viper","description":"(Citation: welivesecurity_apt-c-23)(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)"},{"source_name":"Desert Falcon","description":"(Citation: welivesecurity_apt-c-23)(Citation: sentinelone_israel_hamas_war)(Citation: 
fb_arid_viper)"},{"source_name":"fb_arid_viper","description":"Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"},{"source_name":"sentinelone_israel_hamas_war","description":"Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"},{"source_name":"checkpoint_interactive_map_apt-c-23","description":"Kayal, A. (2018, August 26). Interactive Mapping of APT-C-23. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20230604112435/https://research.checkpoint.com/2018/interactive-mapping-of-apt-c-23/"},{"source_name":"welivesecurity_apt-c-23","description":"Stefanko, L. (2020, September 30). APT‑C‑23 group evolves its Android spyware. Retrieved March 4, 2024.","url":"https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"},{"source_name":"symantec_mantis","description":"Symantec Threat Hunter Team. (2023, April 4). Mantis: New Tooling Used in Attacks Against Palestinian Targets. 
Retrieved March 4, 2024.","url":"https://web.archive.org/web/20231227054130/https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["mobile-attack","enterprise-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-13T20:47:52.557Z","name":"System Notifications","description":"Notifications generated by the OS","x_mitre_data_source_ref":"x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4","created":"2023-03-13T20:47:52.557Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-11T02:42:07.325Z","name":"Dark Caracal","description":"[Dark Caracal](https://attack.mitre.org/groups/G0070) is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. 
(Citation: Lookout Dark Caracal Jan 2018)","aliases":["Dark Caracal"],"x_mitre_deprecated":false,"x_mitre_version":"1.4","type":"intrusion-set","id":"intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12","created":"2018-10-17T00:14:20.652Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0070","external_id":"G0070"},{"source_name":"Dark Caracal","description":"(Citation: Lookout Dark Caracal Jan 2018)"},{"source_name":"Lookout Dark Caracal Jan 2018","description":"Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.","url":"https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-04T21:24:48.602Z","name":"Scattered Spider","description":"[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. 
Beginning in 2023, [Scattered Spider](https://attack.mitre.org/groups/G1015) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)","aliases":["Scattered Spider","Roasted 0ktapus","Octo Tempest","Storm-0875"],"x_mitre_deprecated":false,"x_mitre_version":"2.0","type":"intrusion-set","id":"intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b","created":"2023-07-05T17:54:54.789Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G1015","external_id":"G1015"},{"source_name":"Roasted 0ktapus","description":"(Citation: CrowdStrike Scattered Spider BYOVD January 2023)"},{"source_name":"Octo Tempest","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"Storm-0875","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"CISA Scattered Spider Advisory November 2023","description":"CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.","url":"https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"},{"source_name":"CrowdStrike Scattered Spider BYOVD January 2023","description":"CrowdStrike. (2023, January 10). 
SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.","url":"https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/"},{"source_name":"CrowdStrike Scattered Spider Profile","description":"CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.","url":"https://www.crowdstrike.com/adversaries/scattered-spider/"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"MSTIC Octo Tempest Operations October 2023","description":"Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.","url":"https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/"},{"source_name":"Crowdstrike TELCO BPO Campaign December 2022","description":"Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. 
Retrieved June 30, 2023.","url":"https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-10-10T14:31:01.968Z","name":"APT28","description":"[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. 
presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ","aliases":["APT28","IRON TWILIGHT","SNAKEMACKEREL","Swallowtail","Group 74","Sednit","Sofacy","Pawn Storm","Fancy Bear","STRONTIUM","Tsar Team","Threat Group-4127","TG-4127","Forest Blizzard","FROZENLAKE"],"x_mitre_deprecated":false,"x_mitre_version":"5.1","x_mitre_contributors":["Sébastien Ruel, CGI","Drew Church, Splunk","Emily Ratliff, IBM","Richard Gold, Digital Shadows"],"type":"intrusion-set","id":"intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c","created":"2017-05-31T21:31:48.664Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0007","external_id":"G0007"},{"source_name":"SNAKEMACKEREL","description":"(Citation: Accenture SNAKEMACKEREL Nov 2018)"},{"source_name":"Fancy Bear","description":"(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"},{"source_name":"Tsar Team","description":"(Citation: ESET Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader 
Oct 2017)"},{"source_name":"APT28","description":"(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"},{"source_name":"STRONTIUM","description":"(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"},{"source_name":"FROZENLAKE","description":"(Citation: Leonard TAG 2023)"},{"source_name":"Forest Blizzard","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"IRON TWILIGHT","description":"(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)"},{"source_name":"Threat Group-4127","description":"(Citation: SecureWorks TG-4127)"},{"source_name":"TG-4127","description":"(Citation: SecureWorks TG-4127)"},{"source_name":"Pawn Storm","description":"(Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) "},{"source_name":"Swallowtail","description":"(Citation: Symantec APT28 Oct 2018)"},{"source_name":"Group 74","description":"(Citation: Talos Seduploader Oct 2017)"},{"source_name":"Accenture SNAKEMACKEREL Nov 2018","description":"Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.","url":"https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"},{"source_name":"Crowdstrike DNC June 2016","description":"Alperovitch, D.. (2016, June 15). 
Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.","url":"https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"},{"source_name":"Leonard TAG 2023","description":"Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.","url":"https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"},{"source_name":"US District Court Indictment GRU Oct 2018","description":"Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.","url":"https://www.justice.gov/opa/page/file/1098481/download"},{"source_name":"GRIZZLY STEPPE JAR","description":"Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE – Russian Malicious Cyber Activity. Retrieved January 11, 2017.","url":"https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"},{"source_name":"ESET Zebrocy May 2019","description":"ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.","url":"https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"},{"source_name":"ESET Sednit Part 3","description":"ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.","url":"http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"},{"source_name":"Sofacy DealersChoice","description":"Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.","url":"https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"},{"source_name":"FireEye APT28 January 2017","description":"FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. 
Retrieved January 11, 2017.","url":"https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf"},{"source_name":"FireEye APT28","description":"FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.","url":"https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"},{"source_name":"Ars Technica GRU indictment Jul 2018","description":"Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.","url":"https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"},{"source_name":"TrendMicro Pawn Storm Dec 2020","description":"Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.","url":"https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html"},{"source_name":"Securelist Sofacy Feb 2018","description":"Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.","url":"https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"},{"source_name":"Kaspersky Sofacy","description":"Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.","url":"https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"},{"source_name":"Palo Alto Sofacy 06-2018","description":"Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.","url":"https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"},{"source_name":"Talos Seduploader Oct 2017","description":"Mercer, W., et al. (2017, October 22). 
\"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.","url":"https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020","description":"Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.","url":"https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"},{"source_name":"Microsoft STRONTIUM Aug 2019","description":"MSRC Team. (2019, August 5). Corporate IoT – a path to intrusion. Retrieved August 16, 2019.","url":"https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/"},{"source_name":"DOJ GRU Indictment Jul 2018","description":"Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.","url":"https://www.justice.gov/file/1080281/download"},{"source_name":"Cybersecurity Advisory GRU Brute Force Campaign July 2021","description":"NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.","url":"https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF"},{"source_name":"NSA/FBI Drovorub August 2020","description":"NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. 
Retrieved August 25, 2020.","url":"https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"},{"source_name":"SecureWorks TG-4127","description":"SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.","url":"https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"},{"source_name":"Secureworks IRON TWILIGHT Active Measures March 2017","description":"Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.","url":"https://www.secureworks.com/research/iron-twilight-supports-active-measures"},{"source_name":"Secureworks IRON TWILIGHT Profile","description":"Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.","url":"https://www.secureworks.com/research/threat-profiles/iron-twilight"},{"source_name":"Symantec APT28 Oct 2018","description":"Symantec Security Response. (2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. 
Retrieved November 14, 2018.","url":"https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"},{"source_name":"Sednit","description":"This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)"},{"source_name":"Sofacy","description":"This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-11T02:52:27.131Z","name":"BITTER","description":"[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. 
[BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)","aliases":["BITTER","T-APT-17"],"x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"intrusion-set","id":"intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9","created":"2022-06-01T20:26:53.880Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G1002","external_id":"G1002"},{"source_name":"T-APT-17","description":"(Citation: Cisco Talos Bitter Bangladesh May 2022)"},{"source_name":"Forcepoint BITTER Pakistan Oct 2016","description":"Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.","url":"https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"},{"source_name":"Cisco Talos Bitter Bangladesh May 2022","description":"Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.","url":"https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-11T00:30:42.003Z","name":"Operation Dust Storm","description":"[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. 
By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm)\n\n[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm)","aliases":["Operation Dust Storm"],"first_seen":"2010-01-01T07:00:00.000Z","last_seen":"2016-02-01T06:00:00.000Z","x_mitre_first_seen_citation":"(Citation: Cylance Dust Storm)","x_mitre_last_seen_citation":"(Citation: Cylance Dust Storm)","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"campaign","id":"campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f","created":"2022-09-29T20:00:38.136Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/campaigns/C0016","external_id":"C0016"},{"source_name":"Cylance Dust Storm","description":"Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.","url":"https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_domains":["enterprise-attack","mobile-attack"]},{"modified":"2022-10-07T16:15:56.932Z","name":"Process Creation","description":"The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. 
Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)","x_mitre_data_source_ref":"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-16T16:18:00.876Z","name":"Earth Lusca","description":"[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. [Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. 
Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)","aliases":["Earth Lusca","TAG-22","Charcoal Typhoon","CHROMIUM","ControlX"],"x_mitre_deprecated":false,"x_mitre_version":"2.0","type":"intrusion-set","id":"intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034","created":"2022-07-01T20:12:30.184Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G1006","external_id":"G1006"},{"source_name":"Charcoal Typhoon","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"ControlX","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"CHROMIUM","description":"(Citation: Microsoft Threat Actor Naming July 2023) (Citation: Recorded Future RedHotel August 2023)"},{"source_name":"TAG-22","description":"(Citation: Recorded Future TAG-22 July 2021)"},{"source_name":"TrendMicro EarthLusca 2022","description":"Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. 
Retrieved July 1, 2022.","url":"https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"},{"source_name":"Recorded Future TAG-22 July 2021","description":"INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 16, 2024.","url":"https://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan"},{"source_name":"Recorded Future RedHotel August 2023","description":"Insikt Group. (2023, August 8). RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale. Retrieved March 11, 2024.","url":"https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. 
Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2022-10-20T20:18:06.745Z","name":"Network Connection Creation","description":"Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)","x_mitre_data_source_ref":"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3","x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"x-mitre-data-component","id":"x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-22T20:43:16.504Z","name":"Confucius","description":"[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. 
Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)","aliases":["Confucius","Confucius APT"],"x_mitre_deprecated":false,"x_mitre_version":"1.1","type":"intrusion-set","id":"intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f","created":"2021-12-26T23:11:39.442Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0142","external_id":"G0142"},{"source_name":"TrendMicro Confucius APT Feb 2018","description":"Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.","url":"https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html"},{"source_name":"TrendMicro Confucius APT Aug 2021","description":"Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.","url":"https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html"},{"source_name":"Uptycs Confucius APT Jan 2021","description":"Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. 
Retrieved December 17, 2021.","url":"https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-02T18:58:54.885Z","name":"UNC788","description":"[UNC788](https://attack.mitre.org/groups/G1029) is a group of hackers from Iran that has targeted people in the Middle East.(Citation: Meta Adversarial Threat Report 2022)","aliases":["UNC788"],"x_mitre_deprecated":false,"x_mitre_version":"1.0","x_mitre_contributors":["Denise Tan"],"type":"intrusion-set","id":"intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258","created":"2024-04-02T18:58:36.186Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G1029","external_id":"G1029"},{"source_name":"Meta Adversarial Threat Report 2022","description":"Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.","url":"https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["mobile-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-09-26T14:34:08.342Z","name":"MoustachedBouncer","description":"[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)","aliases":["MoustachedBouncer"],"x_mitre_deprecated":false,"x_mitre_version":"1.0","type":"intrusion-set","id":"intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28","created":"2023-09-25T18:11:05.672Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G1019","external_id":"G1019"},{"source_name":"MoustachedBouncer ESET August 2023","description":"Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. 
Retrieved September 25, 2023.","url":"https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-03-29T14:59:30.164Z","name":"Application Assets","description":"Additional assets included with an application","x_mitre_data_source_ref":"x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa","created":"2024-03-29T14:59:30.164Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.2.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-13T20:00:38.029Z","name":"Protected Configuration","description":"Device configuration options that are not typically utilized by benign applications","x_mitre_data_source_ref":"x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203","x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","type":"x-mitre-data-component","id":"x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2","created":"2023-03-13T20:00:38.029Z","revoked":false,"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-09-12T17:37:44.040Z","name":"Sandworm Team","description":"[Sandworm 
Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)","aliases":["Sandworm Team","ELECTRUM","Telebots","IRON VIKING","BlackEnergy (Group)","Quedagh","Voodoo Bear","IRIDIUM","Seashell Blizzard","FROZENBARENTS","APT44"],"x_mitre_deprecated":false,"x_mitre_version":"4.1","x_mitre_contributors":["Dragos Threat Intelligence","Hakan 
KARABACAK"],"type":"intrusion-set","id":"intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192","created":"2017-05-31T21:32:04.588Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0034","external_id":"G0034"},{"source_name":"Voodoo Bear","description":"(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"ELECTRUM","description":"(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"Sandworm Team","description":"(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"Quedagh","description":"(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"FROZENBARENTS","description":"(Citation: Leonard TAG 2023)"},{"source_name":"APT44","description":"(Citation: mandiant_apt44_unearthing_sandworm)"},{"source_name":"IRIDIUM","description":"(Citation: Microsoft Prestige ransomware October 2022)"},{"source_name":"Seashell Blizzard","description":"(Citation: Microsoft Threat Actor Naming July 2023)"},{"source_name":"BlackEnergy (Group)","description":"(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"Telebots","description":"(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"},{"source_name":"IRON VIKING","description":"(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 
2020)"},{"source_name":"Leonard TAG 2023","description":"Billy Leonard. (2023, April 19). Ukraine remains Russia’s biggest cyber focus in 2023. Retrieved March 1, 2024.","url":"https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"},{"source_name":"US District Court Indictment GRU Oct 2018","description":"Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.","url":"https://www.justice.gov/opa/page/file/1098481/download"},{"source_name":"Dragos ELECTRUM","description":"Dragos. (2017, January 1). ELECTRUM Threat Profile. Retrieved June 10, 2020.","url":"https://www.dragos.com/resource/electrum/"},{"source_name":"F-Secure BlackEnergy 2014","description":"F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.","url":"https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"},{"source_name":"iSIGHT Sandworm 2014","description":"Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.","url":"https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"},{"source_name":"CrowdStrike VOODOO BEAR","description":"Meyers, A. (2018, January 19). Meet CrowdStrike’s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.","url":"https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/"},{"source_name":"Microsoft Threat Actor Naming July 2023","description":"Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.","url":"https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"},{"source_name":"Microsoft Prestige ransomware October 2022","description":"MSTIC. (2022, October 14). 
New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.","url":"https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"},{"source_name":"InfoSecurity Sandworm Oct 2014","description":"Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian ‘Sandworm’ Hackers. Retrieved October 6, 2017.","url":"https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/"},{"source_name":"NCSC Sandworm Feb 2020","description":"NCSC. (2020, February 20). NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.","url":"https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory"},{"source_name":"USDOJ Sandworm Feb 2020","description":"Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.","url":"https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html"},{"source_name":"mandiant_apt44_unearthing_sandworm","description":"Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.","url":"https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"},{"source_name":"US District Court Indictment GRU Unit 74455 October 2020","description":"Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.","url":"https://www.justice.gov/opa/press-release/file/1328521/download"},{"source_name":"Secureworks IRON VIKING ","description":"Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.","url":"https://www.secureworks.com/research/threat-profiles/iron-viking"},{"source_name":"UK NCSC Olympic Attacks October 2020","description":"UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020.","url":"https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["enterprise-attack","ics-attack","mobile-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f","type":"x-mitre-data-component","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","modified":"2021-10-20T15:05:19.272Z","name":"Process Termination","description":"Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)","x_mitre_data_source_ref":"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22","x_mitre_version":"1.0","x_mitre_attack_spec_version":"2.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2024-04-19T19:35:15.637Z","name":"PROMETHIUM","description":"[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. 
[PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)","aliases":["PROMETHIUM","StrongPity"],"x_mitre_deprecated":false,"x_mitre_version":"2.1","type":"intrusion-set","id":"intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c","created":"2018-01-16T16:13:52.465Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/groups/G0056","external_id":"G0056"},{"source_name":"PROMETHIUM","description":"(Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)"},{"source_name":"Microsoft SIR Vol 21","description":"Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.","url":"http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf"},{"source_name":"Talos Promethium June 2020","description":"Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.","url":"https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html"},{"source_name":"Microsoft NEODYMIUM Dec 2016","description":"Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. 
Retrieved November 27, 2017.","url":"https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"},{"source_name":"StrongPity","description":"The name StrongPity has also been used to describe the group and the malware used by the group.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)"},{"source_name":"Bitdefender StrongPity June 2020","description":"Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_domains":["mobile-attack"],"x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-20T18:38:40.409Z","name":"Sensor Health","description":"Information from host telemetry providing insights about system status, errors, or other notable functional activity","x_mitre_platforms":["Linux","Windows","macOS","Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Center for Threat-Informed Defense 
(CTID)"],"x_mitre_collection_layers":["Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0013","external_id":"DS0013"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-13T19:30:41.131Z","name":"Application Vetting","description":"Application vetting report generated by an external cloud service.","x_mitre_platforms":["Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_collection_layers":["Report"],"type":"x-mitre-data-source","id":"x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203","created":"2023-03-13T19:30:41.131Z","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0041","external_id":"DS0041"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-20T18:38:13.356Z","name":"Network Traffic","description":"Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)","x_mitre_platforms":["IaaS","Linux","Windows","macOS","Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)","ExtraHop"],"x_mitre_collection_layers":["Cloud Control 
Plane","Host","Network"],"type":"x-mitre-data-source","id":"x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3","created":"2021-10-20T15:05:19.274Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0029","external_id":"DS0029"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-03-13T19:36:25.108Z","name":"User Interface","description":"Visual activity on the device that could alert the user to potentially malicious behavior.","x_mitre_platforms":["Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["mobile-attack"],"x_mitre_version":"1.0","x_mitre_collection_layers":["Device"],"type":"x-mitre-data-source","id":"x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8","created":"2023-03-13T19:36:25.108Z","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0042","external_id":"DS0042"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-20T18:38:00.625Z","name":"Command","description":"A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)","x_mitre_platforms":["Containers","Linux","Network","Windows","macOS","Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)","Austin Clark, 
@c2defense"],"x_mitre_collection_layers":["Container","Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089","created":"2021-10-20T15:05:19.273Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0017","external_id":"DS0017"},{"source_name":"Confluence Linux Command Line","description":"Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.","url":"https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html"},{"source_name":"Audit OSX","description":"Gagliardi, R. (n.d.). Audit in a OS X System. Retrieved September 23, 2021.","url":"https://www.scip.ch/en/?labs.20150108"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"modified":"2023-04-20T18:38:26.515Z","name":"Process","description":"Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)","x_mitre_platforms":["Linux","Windows","macOS","Android","iOS"],"x_mitre_deprecated":false,"x_mitre_domains":["enterprise-attack","mobile-attack"],"x_mitre_version":"1.1","x_mitre_contributors":["Center for Threat-Informed Defense (CTID)"],"x_mitre_collection_layers":["Host"],"type":"x-mitre-data-source","id":"x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22","created":"2021-10-20T15:05:19.272Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"mitre-attack","url":"https://attack.mitre.org/datasources/DS0009","external_id":"DS0009"},{"source_name":"Microsoft Processes and Threads","description":"Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.","url":"https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"x_mitre_attack_spec_version":"3.1.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"type":"relationship","id":"relationship--f372697e-b661-4995-9920-4ec0a9060ebb","created":"2024-03-28T18:01:08.468Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","revoked":false,"external_references":[{"source_name":"Talos Promethium June 2020","description":"Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.","url":"https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html"},{"source_name":"Bitdefender StrongPity June 2020","description":"Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. 
Retrieved July 20, 2020.","url":"https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf"}],"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"modified":"2024-03-28T18:35:45.577Z","description":"(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)","relationship_type":"attributed-to","source_ref":"campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4","target_ref":"intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c","x_mitre_deprecated":false,"x_mitre_version":"0.1","x_mitre_attack_spec_version":"3.2.0","x_mitre_modified_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"},{"object_marking_refs":["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"],"id":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","type":"identity","identity_class":"organization","created":"2017-06-01T00:00:00.000Z","modified":"2017-06-01T00:00:00.000Z","name":"The MITRE Corporation"},{"definition":{"statement":"Copyright 2015-2024, The MITRE Corporation. 
MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation."},"id":"marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168","type":"marking-definition","created":"2017-06-01T00:00:00.000Z","created_by_ref":"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5","definition_type":"statement","x_mitre_attack_spec_version":"2.1.0"}],"spec_version":"2.0"} \ No newline at end of file +{"type": "bundle", "id": "bundle--6dfdcb9f-eef2-4d92-b800-a0b918314cb3", "objects": [{"type": "x-mitre-matrix", "id": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/matrices/mobile-attack", "external_id": "mobile-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:50.259Z", "name": "Network-Based Effects", "description": "Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. 
The Matrices contains information for the following platforms: Android, iOS.", "tactic_refs": ["x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-matrix", "id": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/matrices/mobile-attack", "external_id": "mobile-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-17T20:51:13.569Z", "name": "Mobile ATT&CK", "description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Mobile. 
The Matrix contains information for the following platforms: Android, iOS.", "tactic_refs": ["x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "created": "2017-10-25T14:48:51.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1006", "external_id": "M1006"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:17.864Z", "name": "Use Recent OS Version", "description": "New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. 
They may also bring improvements that block use of observed adversary techniques.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--1553b156-6767-47f7-9eb4-2a692505666d", "created": "2019-10-18T12:49:58.924Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1005", "external_id": "M1005"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:49.664Z", "name": "Application Vetting", "description": "Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.\n\nEnterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.\n\nApplication Vetting is not a complete mitigation. 
Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-12-10T16:07:50.023Z", "name": "Application Developer Guidance", "description": "Application Developer Guidance focuses on providing developers with the knowledge, tools, and best practices needed to write secure code, reduce vulnerabilities, and implement secure design principles. By integrating security throughout the software development lifecycle (SDLC), this mitigation aims to prevent the introduction of exploitable weaknesses in applications, systems, and APIs. This mitigation can be implemented through the following measures:\n \nPreventing SQL Injection (Secure Coding Practice):\n\n- Implementation: Train developers to use parameterized queries or prepared statements instead of directly embedding user input into SQL queries.\n- Use Case: A web application accepts user input to search a database. By sanitizing and validating user inputs, developers can prevent attackers from injecting malicious SQL commands.\n\nCross-Site Scripting (XSS) Mitigation:\n\n- Implementation: Require developers to implement output encoding for all user-generated content displayed on a web page.\n- Use Case: An e-commerce site allows users to leave product reviews. Properly encoding and escaping user inputs prevents malicious scripts from being executed in other users\u2019 browsers.\n\nSecure API Design:\n\n- Implementation: Train developers to authenticate all API endpoints and avoid exposing sensitive information in API responses.\n- Use Case: A mobile banking application uses APIs for account management. 
By enforcing token-based authentication for every API call, developers reduce the risk of unauthorized access.\n\nStatic Code Analysis in the Build Pipeline:\n\n- Implementation: Incorporate tools into CI/CD pipelines to automatically scan for vulnerabilities during the build process.\n- Use Case: A fintech company integrates static analysis tools to detect hardcoded credentials in their source code before deployment.\n\nThreat Modeling in the Design Phase:\n\n- Implementation: Use frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to assess threats during application design.\n- Use Case: Before launching a customer portal, a SaaS company identifies potential abuse cases, such as session hijacking, and designs mitigations like secure session management.\n\n**Tools for Implementation**:\n\n- Static Code Analysis Tools: Use tools that can scan for known vulnerabilities in source code.\n- Dynamic Application Security Testing (DAST): Use tools like Burp Suite or OWASP ZAP to simulate runtime attacks and identify vulnerabilities.\n- Secure Frameworks: Recommend secure-by-default frameworks (e.g., Django for Python, Spring Security for Java) that enforce security best practices.", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_version": "1.2", "type": "course-of-action", "id": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "created": "2017-10-25T14:48:53.732Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1013", "external_id": "M1013"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "course-of-action", "id": 
"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "created": "2017-10-25T14:48:53.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1012", "external_id": "M1012"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:18.032Z", "name": "Enterprise Policy", "description": "An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "created": "2019-10-18T12:53:03.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1011", "external_id": "M1011"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:18.181Z", "name": "User Guidance", "description": "Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-02-20T22:02:55.968Z", "name": "Do Not Mitigate", "description": "This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "type": 
"course-of-action", "id": "course-of-action--76a32151-5233-465f-a607-7e576c62c932", "created": "2024-02-20T22:02:55.968Z", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1059", "external_id": "M1059"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "course-of-action", "id": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", "created": "2023-09-21T19:36:08.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1058", "external_id": "M1058"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:18.330Z", "name": "Antivirus/Antimalware", "description": "Mobile security products, such as Mobile Threat Defense (MTD), offer various device-based mitigations against certain behaviors.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "created": "2017-10-25T14:48:52.270Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1004", "external_id": "M1004"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:18.484Z", "name": "System Partition Integrity", "description": "Ensure that Android devices being used include and enable the 
Verified Boot capability, which cryptographically ensures the integrity of the system partition.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "created": "2017-10-25T14:48:50.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1009", "external_id": "M1009"}, {"source_name": "TechCrunch-ATS", "description": "Kate Conger. (2016, June 14). Apple will require HTTPS connections for iOS apps by the end of 2016. Retrieved December 19, 2016.", "url": "https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/"}, {"source_name": "Android-NetworkSecurityConfig", "description": "Google. (n.d.). Network Security Configuration. Retrieved December 19, 2016.", "url": "https://developer.android.com/training/articles/security-config.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:18.668Z", "name": "Encrypt Network Traffic", "description": "Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.\n\niOS's App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. 
Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.\n\nAndroid's Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).\n\nUse of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "created": "2017-10-25T14:48:49.554Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1003", "external_id": "M1003"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:18.821Z", "name": "Lock Bootloader", "description": "On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "created": "2019-10-18T12:51:36.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1001", "external_id": "M1001"}], "object_marking_refs": 
["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:18.982Z", "name": "Security Updates", "description": "Install security updates in response to discovered vulnerabilities.\n\nPurchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.\n\nDecommission devices that will no longer receive security updates.\n\nLimit or block access to enterprise resources from devices that have not installed recent security updates.\n\nOn Android devices, access can be controlled based on each device's security patch level. On iOS devices, access can be controlled based on the iOS version.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "created": "2017-10-25T14:48:52.601Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1010", "external_id": "M1010"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:19.136Z", "name": "Deploy Compromised Device Detection Method", "description": "A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. 
Some methods may be trivial to evade while others may be more sophisticated.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "created": "2017-10-25T14:48:50.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1014", "external_id": "M1014"}, {"source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:19.290Z", "name": "Interconnection Filtering", "description": "In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--e944670c-d03a-4e93-a21c-b3d4c53ec4c9", "created": "2017-10-25T14:48:51.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1007", "external_id": "M1007"}], "object_marking_refs": 
["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:49.835Z", "name": "Caution with Device Administrator Access", "description": "Warn device users not to accept requests to grant Device Administrator access to applications without good reason.\n\nAdditionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "course-of-action", "id": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "created": "2019-10-18T12:50:35.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/mitigations/M1002", "external_id": "M1002"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:19.448Z", "name": "Attestation", "description": "Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "created": "2020-11-10T16:50:38.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0529", "external_id": "S0529"}, {"source_name": "Lookout Uyghur 
Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:03.013Z", "name": "CarbonSteal", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["CarbonSteal"]}, {"type": "malware", "id": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "created": "2020-06-26T15:32:24.569Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0480", "external_id": "S0480"}, {"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:03.157Z", "name": "Cerberus", "description": "[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. 
Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Aviran Hazum, Check Point", "Sergey Persikov, Check Point"], "x_mitre_aliases": ["Cerberus"]}, {"type": "malware", "id": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "created": "2017-10-25T14:48:40.571Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0320", "external_id": "S0320"}, {"source_name": "DroidJack", "description": "(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)"}, {"source_name": "Proofpoint-Droidjack", "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. Retrieved January 20, 2017.", "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"}, {"source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:03.310Z", "name": "DroidJack", "description": "[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. 
(Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["DroidJack"]}, {"type": "malware", "id": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "created": "2019-09-23T13:36:07.816Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0411", "external_id": "S0411"}, {"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:03.463Z", "name": "Rotexy", "description": "[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. 
It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Rotexy"]}, {"type": "malware", "id": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0328", "external_id": "S0328"}, {"source_name": "Stealth Mango", "description": "(Citation: Lookout-StealthMango)"}, {"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:03.669Z", "name": "Stealth Mango", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. 
(Citation: Lookout-StealthMango)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Stealth Mango"]}, {"type": "malware", "id": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0319", "external_id": "S0319"}, {"source_name": "Allwinner", "description": "(Citation: HackerNews-Allwinner)"}, {"source_name": "HackerNews-Allwinner", "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.", "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:03.823Z", "name": "Allwinner", "description": "[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. 
(Citation: HackerNews-Allwinner)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "created": "2020-12-24T22:04:27.667Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0551", "external_id": "S0551"}, {"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:03.977Z", "name": "GoldenEagle", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["GoldenEagle"]}, {"modified": "2024-03-19T18:32:01.207Z", "name": "FlixOnline", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) is an Android malware, first detected in early 2021, believed to target users of WhatsApp. 
[FlixOnline](https://attack.mitre.org/software/S1103) primarily spreads via automatic replies to a device\u2019s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421) ", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["FlixOnline"], "type": "malware", "id": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "created": "2024-01-26T17:30:31.022Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1103", "external_id": "S1103"}, {"source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "created": "2020-05-04T14:04:55.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0432", "external_id": "S0432"}, {"source_name": "Joker", "description": "(Citation: Google Bread)"}, {"source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:04.130Z", "name": "Bread", "description": "[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store\u2019s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Sergey Persikov, Check Point", "Jonathan Shimonovich, Check Point", "Aviran Hazum, Check Point"], "x_mitre_aliases": ["Bread", "Joker"]}, {"modified": "2025-04-02T14:42:15.961Z", "name": "TriangleDB", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) is an Objective-C written implant deployed after [Binary Validator](https://attack.mitre.org/software/S1215) and after root privileges are obtained during [Operation Triangulation](https://attack.mitre.org/campaigns/C0054)\u2019s infection chain. 
Upon execution, [TriangleDB](https://attack.mitre.org/software/S1216) communicates with the C2 server, relaying information about the victim device.(Citation: SecureList OpTriangulation 21Jun2023) ", "x_mitre_platforms": ["iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["TriangleDB"], "type": "malware", "id": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "created": "2025-03-27T22:51:45.705Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1216", "external_id": "S1216"}, {"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-07T21:29:43.845Z", "name": "Hornbill", "description": "[Hornbill](https://attack.mitre.org/software/S1077) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Hornbill](https://attack.mitre.org/software/S1077) was first active in early 2018. 
While [Hornbill](https://attack.mitre.org/software/S1077) and [Sunbird](https://attack.mitre.org/software/S1082) overlap in core capabilities, [Hornbill](https://attack.mitre.org/software/S1077) has tools and behaviors suggesting more passive reconnaissance.(Citation: lookout_hornbill_sunbird_0221)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Hornbill"], "type": "malware", "id": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "created": "2023-06-09T19:07:18.101Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1077", "external_id": "S1077"}, {"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--172444ab-97fc-4d94-b142-179452bfb760", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0325", "external_id": "S0325"}, {"source_name": "Judy", "description": "(Citation: CheckPoint-Judy)"}, {"source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:04.284Z", "name": "Judy", "description": "[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "created": "2017-10-25T14:48:45.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0285", "external_id": "S0285"}, {"source_name": "OldBoot", "description": "(Citation: HackerNews-OldBoot)"}, {"source_name": "HackerNews-OldBoot", "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. Retrieved December 21, 2016.", "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:04.440Z", "name": "OldBoot", "description": "[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. 
(Citation: HackerNews-OldBoot)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "created": "2017-10-25T14:48:43.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0290", "external_id": "S0290"}, {"source_name": "Gooligan", "description": "(Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)"}, {"source_name": "Ghost Push", "description": "Gooligan has been described as being part of the Ghost Push Android malware family. (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)"}, {"source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"}, {"source_name": "Ludwig-GhostPush", "description": "Adrian Ludwig. (2016, November 29). The fight against Ghost Push continues. Retrieved December 12, 2016.", "url": "https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi"}, {"source_name": "Lookout-Gooligan", "description": "Lookout. (2016, December 1). Ghost Push and Gooligan: One and the same. 
Retrieved December 12, 2016.", "url": "https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:04.607Z", "name": "Gooligan", "description": "[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Gooligan", "Ghost Push"]}, {"type": "malware", "id": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "created": "2017-10-25T14:48:45.794Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0305", "external_id": "S0305"}, {"source_name": "SpyNote RAT", "description": "(Citation: Zscaler-SpyNote)"}, {"source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:04.768Z", "name": "SpyNote RAT", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. 
The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware's functionality. (Citation: Zscaler-SpyNote)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["SpyNote RAT"]}, {"type": "malware", "id": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "created": "2020-04-24T17:46:31.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0427", "external_id": "S0427"}, {"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:04.918Z", "name": "TrickMo", "description": "[TrickMo](https://attack.mitre.org/software/S0427) a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). 
[TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)\n\n[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Ohad Mana, Check Point", "Aviran Hazum, Check Point", "Sergey Persikov, Check Point"], "x_mitre_aliases": ["TrickMo"]}, {"type": "malware", "id": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "created": "2020-06-02T14:32:31.461Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0463", "external_id": "S0463"}, {"source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:05.067Z", "name": "INSOMNIA", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["INSOMNIA"]}, {"type": "malware", "id": "malware--22b596a6-d288-4409-8520-5f2846f85514", "created": "2019-12-10T16:07:40.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0420", "external_id": "S0420"}, {"source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:05.219Z", "name": "Dvmap", "description": "[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. 
It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Dvmap"]}, {"type": "malware", "id": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "created": "2020-07-27T14:14:56.729Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0494", "external_id": "S0494"}, {"source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:05.422Z", "name": "Zen", "description": "[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Zen"]}, {"type": "malware", "id": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "created": "2017-10-25T14:48:36.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0299", "external_id": "S0299"}, {"source_name": "NotCompatible", "description": "(Citation: Lookout-NotCompatible)"}, {"source_name": "Lookout-NotCompatible", "description": "Tim Strazzere. 
(2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:05.573Z", "name": "NotCompatible", "description": "[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2025-01-24T17:12:44.782Z", "name": "AhRat", "description": "[AhRat](https://attack.mitre.org/software/S1095) is an Android remote access tool based on the open-source AhMyth remote access tool. [AhRat](https://attack.mitre.org/software/S1095) initially spread in August 2022 on the Google Play Store via an update containing malicious code to the previously benign application, \u201ciRecorder \u2013 Screen Recorder,\u201d which itself was released in September 2021.(Citation: welivesecurity_ahrat_0523)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Edward Stevens", "BT Security"], "x_mitre_aliases": ["AhRat"], "type": "malware", "id": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "created": "2023-12-18T19:00:02.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1095", "external_id": "S1095"}, {"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. 
(2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0318", "external_id": "S0318"}, {"source_name": "XLoader for Android", "description": "(Citation: TrendMicro-XLoader)"}, {"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}, {"source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:05.761Z", "name": "XLoader for Android", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. 
It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["XLoader for Android"]}, {"type": "malware", "id": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "created": "2017-10-25T14:48:46.107Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0306", "external_id": "S0306"}, {"source_name": "Trojan-SMS.AndroidOS.FakeInst.a", "description": "(Citation: Kaspersky-MobileMalware)"}, {"source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:05.907Z", "name": "Trojan-SMS.AndroidOS.FakeInst.a", "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. 
(Citation: Kaspersky-MobileMalware)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "created": "2020-07-20T13:58:53.422Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0490", "external_id": "S0490"}, {"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:06.053Z", "name": "XLoader for iOS", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["XLoader for iOS"]}, {"type": "malware", "id": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "created": "2023-02-06T18:48:41.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1061", "external_id": "S1061"}, {"source_name": 
"lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:06.208Z", "name": "AbstractEmu", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) is mobile malware that was first seen in Google Play and other third-party stores in October 2021. It was discovered in 19 Android applications, of which at least 7 abused known Android exploits for obtaining root permissions. [AbstractEmu](https://attack.mitre.org/software/S1061) was observed primarily impacting users in the United States, however victims are believed to be across a total of 17 countries.(Citation: lookout_abstractemu_1021)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["AbstractEmu"]}, {"type": "malware", "id": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "created": "2023-08-16T16:30:44.598Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1083", "external_id": "S1083"}, {"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:06.355Z", "name": "Chameleon", "description": "[Chameleon](https://attack.mitre.org/software/S1083) is an Android banking trojan that can leverage Android\u2019s Accessibility Services to perform malicious activities. Believed to have been first active in January 2023, [Chameleon](https://attack.mitre.org/software/S1083) has been observed targeting users in Australia and Poland by masquerading as official apps.(Citation: cyble_chameleon_0423)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Yasuhito Kawanishi, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India"], "x_mitre_aliases": ["Chameleon"]}, {"modified": "2024-11-17T18:31:54.806Z", "name": "Exodus", "description": "[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Exodus", "Exodus One", "Exodus Two"], "type": "malware", "id": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "created": "2019-09-03T19:45:47.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0405", "external_id": "S0405"}, {"source_name": "Exodus One", "description": "(Citation: SWB Exodus March 
2019)"}, {"source_name": "Exodus Two", "description": "(Citation: SWB Exodus March 2019)"}, {"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "created": "2017-10-25T14:48:37.438Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0301", "external_id": "S0301"}, {"source_name": "Dendroid", "description": "(Citation: Lookout-Dendroid)"}, {"source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:06.526Z", "name": "Dendroid", "description": "[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. 
The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Dendroid"]}, {"type": "malware", "id": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "created": "2017-10-25T14:48:37.020Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0312", "external_id": "S0312"}, {"source_name": "WireLurker", "description": "Claud Xiao. (n.d.). WireLurker: A New Era in iOS and OS X Malware. Retrieved July 10, 2017.", "url": "https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf"}, {"source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:06.693Z", "name": "WireLurker", "description": "[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. 
(Citation: PaloAlto-WireLurker)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2025-01-13T17:52:20.612Z", "name": "Desert Scorpion", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor [APT-C-23](https://attack.mitre.org/groups/G1028).(Citation: Lookout Desert Scorpion) \n\nThere are multiple close variants of [Desert Scorpion](https://attack.mitre.org/software/S0505), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [FrozenCell](https://attack.mitre.org/software/S0577) and [SpyC23](https://attack.mitre.org/software/S1195), which add some additional functionality but are not significantly different from the original malware.", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Desert Scorpion"], "type": "malware", "id": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "created": "2020-09-11T14:54:16.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0505", "external_id": "S0505"}, {"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}, {"source_name": "Unit42 VAMP 2017", "description": "Bar, T., Lancaster, T. (2017, April 5). 
Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.", "url": "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/"}, {"source_name": "Trendmicro GnatSpy 2017", "description": "Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.", "url": "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-06T00:01:53.588Z", "name": "Pegasus for iOS", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims.(Citation: Lookout-Pegasus)(Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).", "x_mitre_platforms": ["iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["Pegasus for iOS"], "type": "malware", "id": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "created": "2017-10-25T14:48:44.238Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0289", "external_id": "S0289"}, {"source_name": "Pegasus for iOS", "description": "(Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab)"}, {"source_name": "PegasusCitizenLab", "description": "Bill Marczak and John Scott-Railton. (2016, August 24). The Million Dollar Dissident: NSO Group\u2019s iPhone Zero-Days used against a UAE Human Rights Defender. 
Retrieved December 12, 2016.", "url": "https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/"}, {"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0329", "external_id": "S0329"}, {"source_name": "Tangelo", "description": "(Citation: Lookout-StealthMango)"}, {"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:06.838Z", "name": "Tangelo", "description": "[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. 
(Citation: Lookout-StealthMango)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Tangelo"]}, {"type": "malware", "id": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "created": "2017-10-25T14:48:38.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0295", "external_id": "S0295"}, {"source_name": "RCSAndroid", "description": "(Citation: TrendMicro-RCSAndroid)"}, {"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:06.991Z", "name": "RCSAndroid", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. 
(Citation: TrendMicro-RCSAndroid)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["RCSAndroid"]}, {"type": "malware", "id": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "created": "2020-04-24T15:06:32.870Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0425", "external_id": "S0425"}, {"source_name": "Wabi Music", "description": "(Citation: TrendMicro Coronavirus Updates)"}, {"source_name": "Concipit1248", "description": "(Citation: TrendMicro Coronavirus Updates)"}, {"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:07.148Z", "name": "Corona Updates", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. 
Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Corona Updates", "Wabi Music", "Concipit1248"]}, {"type": "malware", "id": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0327", "external_id": "S0327"}, {"source_name": "Skygofree", "description": "(Citation: Kaspersky-Skygofree)"}, {"source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:07.299Z", "name": "Skygofree", "description": "[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. 
(Citation: Kaspersky-Skygofree)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Skygofree"]}, {"type": "malware", "id": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "created": "2017-10-25T14:48:43.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0288", "external_id": "S0288"}, {"source_name": "KeyRaider", "description": "(Citation: Xiao-KeyRaider)"}, {"source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:07.456Z", "name": "KeyRaider", "description": "[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. 
(Citation: Xiao-KeyRaider)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "created": "2017-10-25T14:48:44.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0287", "external_id": "S0287"}, {"source_name": "ZergHelper", "description": "(Citation: Xiao-ZergHelper)"}, {"source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:07.644Z", "name": "ZergHelper", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple's App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "created": "2020-12-24T21:50:02.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0550", "external_id": "S0550"}, {"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. 
Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:07.802Z", "name": "DoubleAgent", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["DoubleAgent"]}, {"type": "malware", "id": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "created": "2017-10-25T14:48:42.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0302", "external_id": "S0302"}, {"source_name": "Twitoor", "description": "(Citation: ESET-Twitoor)"}, {"source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:07.968Z", "name": "Twitoor", "description": "[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Twitoor"]}, {"modified": "2023-10-11T14:36:39.396Z", "name": "Fakecalls", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) is an Android trojan, first detected in January 2021, that masquerades as South Korean banking apps. It has capabilities to intercept calls to banking institutions and even maintain realistic dialogues with the victim using pre-recorded audio snippets.(Citation: kaspersky_fakecalls_0422) ", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Pooja Natarajan, NEC Corporation India", "Hiroki Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India"], "x_mitre_aliases": ["Fakecalls"], "type": "malware", "id": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "created": "2023-07-21T19:49:44.577Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1080", "external_id": "S1080"}, {"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "created": "2023-02-06T19:34:43.026Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1062", "external_id": "S1062"}, {"source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}, {"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:08.121Z", "name": "S.O.V.A.", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) is an Android banking trojan that was first identified in August 2021 and has subsequently been found in a variety of applications, including banking, cryptocurrency wallet/exchange, and shopping apps. 
[S.O.V.A.](https://attack.mitre.org/software/S1062), which is Russian for \"owl\", contains features not commonly found in Android malware, such as session cookie theft.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["S.O.V.A."]}, {"type": "malware", "id": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "created": "2017-10-25T14:48:47.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0310", "external_id": "S0310"}, {"source_name": "ANDROIDOS_ANSERVER.A", "description": "(Citation: TrendMicro-Anserver)"}, {"source_name": "TrendMicro-Anserver", "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:08.276Z", "name": "ANDROIDOS_ANSERVER.A", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. 
(Citation: TrendMicro-Anserver)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.3", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["ANDROIDOS_ANSERVER.A"]}, {"type": "malware", "id": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "created": "2017-10-25T14:48:41.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0315", "external_id": "S0315"}, {"source_name": "DualToy", "description": "(Citation: PaloAlto-DualToy)"}, {"source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:08.432Z", "name": "DualToy", "description": "[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. 
(Citation: PaloAlto-DualToy)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "created": "2020-07-15T20:20:58.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0485", "external_id": "S0485"}, {"source_name": "oxide", "description": "(Citation: Bitdefender Mandrake)"}, {"source_name": "briar", "description": "(Citation: Bitdefender Mandrake)"}, {"source_name": "ricinus", "description": "(Citation: Bitdefender Mandrake)"}, {"source_name": "darkmatter", "description": "(Citation: Bitdefender Mandrake)"}, {"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:08.595Z", "name": "Mandrake", "description": "[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.\n\n[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. 
The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Mandrake", "oxide", "briar", "ricinus", "darkmatter"]}, {"modified": "2024-04-10T21:58:07.962Z", "name": "HilalRAT", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) is a remote access-capable Android malware, developed and used by [UNC788](https://attack.mitre.org/groups/G1029).(Citation: Meta Adversarial Threat Report 2022) [HilalRAT](https://attack.mitre.org/software/S1128) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as activating a device's camera and microphone.(Citation: Meta Adversarial Threat Report 2022) ", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Denise Tan"], "x_mitre_aliases": ["HilalRAT"], "type": "malware", "id": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "created": "2024-04-02T19:01:36.303Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1128", "external_id": "S1128"}, {"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "created": "2017-10-25T14:48:42.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0314", "external_id": "S0314"}, {"source_name": "X-Agent for Android", "description": "(Citation: CrowdStrike-Android)"}, {"source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:08.784Z", "name": "X-Agent for Android", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. 
(Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "created": "2020-06-26T15:12:39.648Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0479", "external_id": "S0479"}, {"source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:08.935Z", "name": "DEFENSOR ID", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim\u2019s bank account or cryptocurrency wallet and taking over email or social media accounts. 
[DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android\u2019s accessibility service.(Citation: ESET DEFENSOR ID) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Luk\u00e1\u0161 \u0160tefanko, ESET"], "x_mitre_aliases": ["DEFENSOR ID"]}, {"modified": "2024-04-17T17:06:28.821Z", "name": "BRATA", "description": "[BRATA](https://attack.mitre.org/software/S1094) (Brazilian Remote Access Tool, Android), is an evolving Android malware strain, detected in late 2018 and again in late 2021. Originating in Brazil, [BRATA](https://attack.mitre.org/software/S1094) was later also found in the UK, Poland, Italy, Spain, and USA, where it is believed to have targeted financial institutions such as banks. There are currently three known variants of [BRATA](https://attack.mitre.org/software/S1094).(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Pooja Natarajan, NEC Corporation India"], "x_mitre_aliases": ["BRATA"], "type": "malware", "id": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "created": "2023-12-18T18:06:22.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1094", "external_id": "S1094"}, {"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}, {"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}, {"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "created": "2025-01-03T20:41:46.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1185", "external_id": "S1185"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-15T18:40:23.781Z", "name": "LightSpy", "description": "First observed in 2018, LightSpy is a modular malware family that initially targeted iOS devices in Southern Asia before expanding to Android and macOS platforms. 
It consists of a downloader, a main executable that manages network communications, and functionality-specific modules, typically implemented as `.dylib` files (iOS, macOS) or `.apk` files (Android). LightSpy can collect VoIP call recordings, SMS messages, and credential stores, which are then exfiltrated to a command and control (C2) server.(Citation: MelikovBlackBerry LightSpy 2024) ", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "Windows", "iOS", "macOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Alden Schmidt", "Dmitry Bestuzhev"], "x_mitre_aliases": ["LightSpy"], "labels": ["malware"]}, {"type": "malware", "id": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "created": "2017-10-25T14:48:40.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0303", "external_id": "S0303"}, {"source_name": "MazarBOT", "description": "(Citation: Tripwire-MazarBOT)"}, {"source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:09.084Z", "name": "MazarBOT", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. 
(Citation: Tripwire-MazarBOT)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "created": "2020-04-08T15:51:24.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0423", "external_id": "S0423"}, {"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:09.244Z", "name": "Ginp", "description": "[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. 
Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Aviran Hazum, Check Point", "Sergey Persikov, Check Point"], "x_mitre_aliases": ["Ginp"]}, {"type": "malware", "id": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "created": "2017-10-25T14:48:40.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0321", "external_id": "S0321"}, {"source_name": "HummingWhale", "description": "(Citation: ArsTechnica-HummingWhale)"}, {"source_name": "ArsTechnica-HummingWhale", "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:09.395Z", "name": "HummingWhale", "description": "[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. 
(Citation: ArsTechnica-HummingWhale)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-03-29T15:07:58.675Z", "name": "eSurv", "description": "[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["eSurv"], "type": "malware", "id": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "created": "2020-09-14T14:13:45.032Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0507", "external_id": "S0507"}, {"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "created": "2023-02-28T21:39:52.744Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1069", "external_id": "S1069"}, {"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). 
TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:09.556Z", "name": "TangleBot", "description": "[TangleBot](https://attack.mitre.org/software/S1069) is SMS malware that was initially observed in September 2021, primarily targeting mobile users in the United States and Canada. [TangleBot](https://attack.mitre.org/software/S1069) has used SMS text message lures about COVID-19 regulations and vaccines to trick mobile users into downloading the malware, similar to [FluBot](https://attack.mitre.org/software/S1067) Android malware campaigns.(Citation: cloudmark_tanglebot_0921)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["TangleBot"]}, {"type": "malware", "id": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "created": "2019-09-04T14:28:14.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0407", "external_id": "S0407"}, {"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:09.753Z", "name": "Monokle", "description": "[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.(Citation: Lookout-Monokle)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["J\u00f6rg Abraham, EclecticIQ"], "x_mitre_aliases": ["Monokle"]}, {"type": "malware", "id": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "created": "2020-12-14T14:52:02.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0539", "external_id": "S0539"}, {"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:09.903Z", "name": "Red Alert 2.0", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Red Alert 2.0"]}, {"type": "malware", "id": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "created": "2019-11-21T16:42:48.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0418", "external_id": "S0418"}, {"source_name": "ViceLeaker", "description": "(Citation: SecureList - ViceLeaker 2019)"}, {"source_name": "Triout", "description": "(Citation: SecureList - ViceLeaker 2019)"}, {"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}, {"source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:10.060Z", "name": "ViceLeaker", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["ViceLeaker", "Triout"]}, {"modified": "2023-10-16T16:57:33.534Z", "name": "FlyTrap", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) is an Android trojan, first detected in March 2021, that uses social engineering tactics to compromise Facebook accounts. 
[FlyTrap](https://attack.mitre.org/software/S1093) was initially detected through infected apps on the Google Play store, and is believed to have impacted over 10,000 victims across at least 140 countries.(Citation: Trend Micro FlyTrap) ", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Pooja Natarajan, NEC Corporation India", "Hiroki Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India"], "x_mitre_aliases": ["FlyTrap"], "type": "malware", "id": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "created": "2023-09-28T17:36:00.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1093", "external_id": "S1093"}, {"source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "created": "2020-09-15T15:18:11.971Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0509", "external_id": "S0509"}, {"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:10.213Z", "name": "FakeSpy", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Ofir Almkias, Cybereason"], "x_mitre_aliases": ["FakeSpy"]}, {"type": "malware", "id": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0324", "external_id": "S0324"}, {"source_name": "SpyDealer", "description": "(Citation: PaloAlto-SpyDealer)"}, {"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:10.366Z", "name": "SpyDealer", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. 
(Citation: PaloAlto-SpyDealer)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["SpyDealer"]}, {"type": "malware", "id": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "created": "2020-04-24T15:12:10.817Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0426", "external_id": "S0426"}, {"source_name": "Corona Updates", "description": "(Citation: TrendMicro Coronavirus Updates)"}, {"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:10.526Z", "name": "Concipit1248", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). 
Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Concipit1248", "Corona Updates"]}, {"type": "malware", "id": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "created": "2017-10-25T14:48:48.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0313", "external_id": "S0313"}, {"source_name": "RuMMS", "description": "(Citation: FireEye-RuMMS)"}, {"source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:10.719Z", "name": "RuMMS", "description": "[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. 
(Citation: FireEye-RuMMS)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "created": "2017-10-25T14:48:41.202Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0316", "external_id": "S0316"}, {"source_name": "Pegasus for Android", "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)"}, {"source_name": "Chrysaor", "description": "(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor)"}, {"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}, {"source_name": "Google-Chrysaor", "description": "Rich Cannings et al.. (2017, April 3). An investigation of Chrysaor Malware on Android. Retrieved April 16, 2017.", "url": "https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:10.874Z", "name": "Pegasus for Android", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. 
(Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Pegasus for Android", "Chrysaor"]}, {"modified": "2025-02-19T17:09:13.063Z", "name": "SpyC23", "description": "[SpyC23](https://attack.mitre.org/software/S1195) is a mobile malware that has been used by [APT-C-23](https://attack.mitre.org/groups/G1028) since at least 2017. [SpyC23](https://attack.mitre.org/software/S1195) has been observed primarily targeting Android devices in the Middle East.(Citation: welivesecurity_apt-c-23) \n\nThere are multiple close variants of [SpyC23](https://attack.mitre.org/software/S1195), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [Desert Scorpion](https://attack.mitre.org/software/S0505) and [FrozenCell](https://attack.mitre.org/software/S0577), which add some additional functionality but are not significantly different from the original malware.", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Sittikorn Sangrattanapitak"], "x_mitre_aliases": ["SpyC23"], "type": "malware", "id": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "created": "2024-03-26T19:12:00.011Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1195", "external_id": "S1195"}, {"source_name": "Unit42 VAMP 2017", "description": "Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. 
Retrieved March 4, 2024.", "url": "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/"}, {"source_name": "Trendmicro GnatSpy 2017", "description": "Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.", "url": "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2025-02-19T17:08:24.276Z", "name": "FrozenCell", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell) \n\nThere are multiple close variants of [FrozenCell](https://attack.mitre.org/software/S0577), such as VAMP(Citation: Unit42 VAMP 2017), GnatSpy(Citation: Trendmicro GnatSpy 2017), [Desert Scorpion](https://attack.mitre.org/software/S0505) and [SpyC23](https://attack.mitre.org/software/S1195), which add some additional functionality but are not significantly different from the original malware.", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["FrozenCell"], "type": "malware", "id": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "created": "2021-02-17T20:43:52.033Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0577", "external_id": "S0577"}, {"source_name": "Unit42 VAMP 2017", "description": "Bar, T., Lancaster, T. (2017, April 5). Targeted Attacks in the Middle East Using KASPERAGENT and MICROPSIA. Retrieved March 4, 2024.", "url": "https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/"}, {"source_name": "Trendmicro GnatSpy 2017", "description": "Guo, G., Xu, E. (2017, December 18). New GnatSpy Mobile Malware Family Discovered. Retrieved March 4, 2024.", "url": "https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html"}, {"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "created": "2020-10-29T18:41:49.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0524", "external_id": "S0524"}, {"source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . 
Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:11.027Z", "name": "AndroidOS/MalLocker.B", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["AndroidOS/MalLocker.B"]}, {"type": "malware", "id": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "created": "2023-01-18T19:44:52.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1055", "external_id": "S1055"}, {"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:11.187Z", "name": "SharkBot", "description": "[SharkBot](https://attack.mitre.org/software/S1055) is a banking malware, first discovered in October 2021, that tries to initiate money transfers directly from compromised devices by abusing Accessibility Services.(Citation: nccgroup_sharkbot_0322)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["SharkBot"]}, {"modified": "2024-11-17T14:24:44.696Z", "name": "RedDrop", "description": "[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_aliases": ["RedDrop"], "type": "malware", "id": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0326", "external_id": "S0326"}, {"source_name": "RedDrop", "description": "(Citation: Wandera-RedDrop)"}, {"source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "created": "2020-12-31T18:25:04.779Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0555", "external_id": "S0555"}, {"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:11.340Z", "name": "CHEMISTGAMES", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["CHEMISTGAMES"]}, {"type": "malware", "id": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "created": "2017-10-25T14:48:48.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0311", "external_id": "S0311"}, {"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). 
YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:11.527Z", "name": "YiSpecter", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is a family of iOS and Android malware, first detected in November 2014, targeting users in mainland China and Taiwan. [YiSpecter](https://attack.mitre.org/software/S0311) abuses private APIs in iOS to infect both jailbroken and non-jailbroken devices.(Citation: paloalto_yispecter_1015)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "2.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["YiSpecter"]}, {"type": "malware", "id": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "created": "2017-10-25T14:48:46.411Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0307", "external_id": "S0307"}, {"source_name": "Trojan-SMS.AndroidOS.Agent.ao", "description": "(Citation: Kaspersky-MobileMalware)"}, {"source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:11.724Z", "name": "Trojan-SMS.AndroidOS.Agent.ao", "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2023-10-20T21:40:21.121Z", "name": "BOULDSPY", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) is an Android malware, detected in early 2023, with surveillance and remote-control capabilities. Analysis of exfiltrated C2 data suggests that [BOULDSPY](https://attack.mitre.org/software/S1079) primarily targeted minority groups in Iran.(Citation: lookout_bouldspy_0423)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Gunji Satoshi, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India", "Phyo Paing Htun (ChiLai), I-Secure Co.,Ltd"], "x_mitre_aliases": ["BOULDSPY"], "type": "malware", "id": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "created": "2023-07-21T19:31:54.632Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1079", "external_id": "S1079"}, {"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-09-25T15:03:05.100Z", "name": "Anubis", "description": "[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.3", "x_mitre_contributors": ["Aviran Hazum, Check Point", "Sergey Persikov, Check Point"], "x_mitre_aliases": ["Anubis"], "type": "malware", "id": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "created": "2020-04-08T15:41:19.114Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0422", "external_id": "S0422"}, {"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-11-17T20:00:53.685Z", "name": "AndroRAT", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) is an open-source remote access tool for Android devices. 
[AndroRAT](https://attack.mitre.org/software/S0292) is capable of collecting data, such as device location, call logs, etc., and is capable of executing actions, such as sending SMS messages and taking pictures.(Citation: Lookout-EnterpriseApps)(Citation: github_androrat)(Citation: Forcepoint BITTER Pakistan Oct 2016) It is originally available through the `The404Hacking` Github repository.(Citation: github_androrat)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["AndroRAT"], "type": "malware", "id": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "created": "2017-10-25T14:48:47.363Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0292", "external_id": "S0292"}, {"source_name": "Forcepoint BITTER Pakistan Oct 2016", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.", "url": "https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}, {"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}, {"source_name": "github_androrat", "description": "The404Hacking. (n.d.). AndroRAT. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221013124327/https:/github.com/The404Hacking/AndroRAT"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-09-12T17:23:46.687Z", "name": "FinFisher", "description": "[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)", "x_mitre_platforms": ["Windows", "Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_version": "1.4", "x_mitre_aliases": ["FinFisher", "FinSpy"], "type": "malware", "id": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0182", "external_id": "S0182"}, {"source_name": "FinFisher", "description": "(Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)"}, {"source_name": "FinSpy", "description": "(Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017)"}, {"source_name": "Microsoft FinFisher March 2018", "description": "Allievi, A.,Flori, E. (2018, March 01). 
FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.", "url": "https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/"}, {"source_name": "Microsoft SIR Vol 21", "description": "Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf"}, {"source_name": "FinFisher Citation", "description": "FinFisher. (n.d.). Retrieved September 12, 2024.", "url": "https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html"}, {"source_name": "FireEye FinSpy Sept 2017", "description": "Jiang, G., et al. (2017, September 12). FireEye Uncovers CVE-2017-8759: Zero-Day Used in the Wild to Distribute FINSPY. Retrieved February 15, 2018.", "url": "https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html"}, {"source_name": "Securelist BlackOasis Oct 2017", "description": "Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. 
Retrieved February 15, 2018.", "url": "https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--a6228601-03f6-4949-ae22-c1087627a637", "created": "2020-05-07T15:18:34.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0440", "external_id": "S0440"}, {"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:11.884Z", "name": "Agent Smith", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. 
As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Aviran Hazum, Check Point", "Sergey Persikov, Check Point"], "x_mitre_aliases": ["Agent Smith"]}, {"type": "malware", "id": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "created": "2020-12-14T15:02:35.007Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0540", "external_id": "S0540"}, {"source_name": "Trojan-SMS.AndroidOS.Smaps", "description": "(Citation: Securelist Asacub)"}, {"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:12.041Z", "name": "Asacub", "description": "[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims\u2019 bank accounts. 
It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Asacub", "Trojan-SMS.AndroidOS.Smaps"]}, {"type": "malware", "id": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "created": "2020-11-24T17:55:12.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0536", "external_id": "S0536"}, {"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:12.191Z", "name": "GPlayed", "description": "[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["GPlayed"]}, {"type": "malware", "id": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "created": "2020-06-26T14:55:12.847Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0478", "external_id": "S0478"}, {"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). 
EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:12.346Z", "name": "EventBot", "description": "[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android\u2019s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["EventBot"]}, {"type": "malware", "id": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "created": "2020-12-17T20:15:22.110Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0544", "external_id": "S0544"}, {"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:12.500Z", "name": "HenBox", "description": "[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. 
[HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["HenBox"]}, {"modified": "2025-04-02T15:36:23.931Z", "name": "Binary Validator", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) is a Mach-O binary file used during [Operation Triangulation](https://attack.mitre.org/campaigns/C0054).(Citation: SecureList OpTriangulation 23Oct2023) [Binary Validator](https://attack.mitre.org/software/S1215) first collects information about the device, such as the device's phone number and a list of installed applications, before the deployment of the [TriangleDB](https://attack.mitre.org/software/S1216) implant. After the actions are completed and the data is collected, [Binary Validator](https://attack.mitre.org/software/S1215) encrypts and sends the data to the C2 server, and in turn, the C2 server sends the [TriangleDB](https://attack.mitre.org/software/S1216) implant.", "x_mitre_platforms": ["iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Binary Validator"], "type": "malware", "id": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "created": "2025-03-27T22:44:51.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1215", "external_id": "S1215"}, {"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "created": "2019-08-07T15:57:12.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0403", "external_id": "S0403"}, {"source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:12.694Z", "name": "Riltok", "description": "[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Riltok"]}, {"type": "malware", "id": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "created": "2020-01-27T17:05:57.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0421", "external_id": "S0421"}, {"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:12.846Z", "name": "GolfSpy", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["GolfSpy"]}, {"type": "malware", "id": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "created": "2019-07-10T15:35:43.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0399", "external_id": "S0399"}, {"source_name": "Pallas", "description": "(Citation: Lookout Dark Caracal Jan 2018)"}, {"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:12.993Z", "name": "Pallas", "description": "[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Pallas"]}, {"type": "malware", "id": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "created": "2021-04-26T15:33:55.798Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0602", "external_id": "S0602"}, {"source_name": "CitizenLab Circles", "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020.", "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:13.137Z", "name": "Circles", "description": "[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company\u2019s infrastructure or purchased as a cloud service. 
Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Circles"]}, {"type": "malware", "id": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "created": "2021-01-05T20:16:19.968Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0558", "external_id": "S0558"}, {"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:13.285Z", "name": "Tiktok Pro", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Tiktok Pro"]}, {"type": "malware", "id": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "created": "2017-10-25T14:48:43.527Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0291", "external_id": "S0291"}, {"source_name": "PJApps", "description": "(Citation: Lookout-EnterpriseApps)"}, {"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:13.454Z", "name": "PJApps", "description": "[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "created": "2017-10-25T14:48:38.690Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0294", "external_id": "S0294"}, {"source_name": "ShiftyBug", "description": "(Citation: Lookout-Adware)"}, {"source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:13.608Z", "name": "ShiftyBug", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. 
(Citation: Lookout-Adware)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "created": "2017-10-25T14:48:42.948Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0322", "external_id": "S0322"}, {"source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:13.785Z", "name": "HummingBad", "description": "[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. 
(Citation: ArsTechnica-HummingBad)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["HummingBad"]}, {"modified": "2024-10-01T15:53:53.833Z", "name": "Exobot", "description": "[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Exobot"], "type": "malware", "id": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "created": "2020-10-29T13:32:20.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0522", "external_id": "S0522"}, {"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "created": "2017-10-25T14:48:44.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0286", "external_id": "S0286"}, {"source_name": "OBAD", "description": "(Citation: TrendMicro-Obad)"}, {"source_name": "TrendMicro-Obad", "description": "Veo Zhang. 
(2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:13.949Z", "name": "OBAD", "description": "OBAD is an Android malware family. (Citation: TrendMicro-Obad)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2025-03-12T22:09:42.623Z", "name": "FjordPhantom", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) is a malicious Android application first discovered in September 2024 with targets in Southeast Asia, specifically Indonesia, Thailand, and Vietnam. [FjordPhantom](https://attack.mitre.org/software/S1208) was distributed through email and messaging applications. Once installed, the application launches a virtualization solution to steal important information, such as bank accounts, and to manipulate the user interface. 
The malicious activity from the virtualization solution runs alongside legitimate banking applications.(Citation: Promon FjordPhantom Oct2024) ", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Liran Ravich, CardinalOps"], "x_mitre_aliases": ["FjordPhantom"], "type": "malware", "id": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "created": "2025-03-12T22:01:15.599Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1208", "external_id": "S1208"}, {"source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "created": "2017-10-25T14:48:45.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0304", "external_id": "S0304"}, {"source_name": "Android/Chuli.A", "description": "(Citation: Kaspersky-WUC)"}, {"source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:14.103Z", "name": "Android/Chuli.A", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Android/Chuli.A"]}, {"type": "malware", "id": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "created": "2017-10-25T14:48:39.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0323", "external_id": "S0323"}, {"source_name": "Charger", "description": "(Citation: CheckPoint-Charger)"}, {"source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:14.258Z", "name": "Charger", "description": "[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals steals contacts and SMS messages from the user's device. It can also lock the device and demand ransom payment if it receives admin permissions. 
(Citation: CheckPoint-Charger)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Charger"]}, {"modified": "2024-11-17T18:11:27.761Z", "name": "Drinik", "description": "[Drinik](https://attack.mitre.org/software/S1054) is an evolving Android banking trojan that was observed targeting customers of around 27 banks in India in August 2021. Initially seen as an SMS stealer in 2016, [Drinik](https://attack.mitre.org/software/S1054) resurfaced as a banking trojan with more advanced capabilities included in subsequent versions between September 2021 and August 2022.(Citation: cyble_drinik_1022)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Drinik"], "type": "malware", "id": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "created": "2023-01-18T19:05:43.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1054", "external_id": "S1054"}, {"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--d89c132d-7752-4c7f-9372-954a71522985", "created": "2017-10-25T14:48:46.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0308", "external_id": "S0308"}, {"source_name": "Trojan-SMS.AndroidOS.OpFake.a", "description": "(Citation: Kaspersky-MobileMalware)"}, {"source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:14.410Z", "name": "Trojan-SMS.AndroidOS.OpFake.a", "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. 
(Citation: Kaspersky-MobileMalware)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "created": "2017-10-25T14:48:42.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0297", "external_id": "S0297"}, {"source_name": "XcodeGhost", "description": "(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)"}, {"source_name": "PaloAlto-XcodeGhost1", "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"}, {"source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:14.566Z", "name": "XcodeGhost", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. 
(Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "created": "2020-12-24T21:41:36.719Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0549", "external_id": "S0549"}, {"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:14.758Z", "name": "SilkBean", "description": "[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["SilkBean"]}, {"type": "malware", "id": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "created": "2020-07-20T13:27:33.113Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0489", "external_id": "S0489"}, {"source_name": 
"Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:14.905Z", "name": "WolfRAT", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["WolfRAT"]}, {"type": "malware", "id": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "created": "2021-10-01T14:42:48.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0655", "external_id": "S0655"}, {"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:15.058Z", "name": "BusyGasper", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. 
There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.(Citation: SecureList BusyGasper)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["BusyGasper"]}, {"type": "malware", "id": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "created": "2017-10-25T14:48:47.674Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0293", "external_id": "S0293"}, {"source_name": "CheckPoint-BrainTest", "description": "Andrey Polkovnichenko and Alon Boxiner. (2015, September 21). BrainTest \u2013 A New Level of Sophistication in Mobile Malware. Retrieved December 21, 2016.", "url": "http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/"}, {"source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:15.215Z", "name": "BrainTest", "description": "[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. 
(Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "created": "2020-12-18T20:14:46.858Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0545", "external_id": "S0545"}, {"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:15.370Z", "name": "TERRACOTTA", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["TERRACOTTA"]}, {"modified": "2023-10-11T14:36:10.445Z", "name": "Escobar", "description": "[Escobar](https://attack.mitre.org/software/S1092) is an Android banking trojan, first detected in March 2021, believed to be a new variant of AbereBot.(Citation: Bleeipng Computer Escobar)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Pooja Natarajan, NEC Corporation India", "Hiroki 
Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India"], "x_mitre_aliases": ["Escobar"], "type": "malware", "id": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "created": "2023-09-28T17:04:46.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1092", "external_id": "S1092"}, {"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2025-03-27T14:28:40.768Z", "name": "Android/SpyAgent", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) is a variant of spyware in the MoqHao phishing campaign primarily targeting Korean and Japanese users.(Citation: McAfee MoqHao 2019) Fake security applications were used to target Japanese users, while fake police applications were used to target Korean users. 
Both fake applications have common C2 commands and share the same crash report key on a cloud service.(Citation: McAfee MoqHao 2019)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Android/SpyAgent"], "type": "malware", "id": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "created": "2025-03-24T14:50:29.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1214", "external_id": "S1214"}, {"source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "created": "2019-07-16T14:33:12.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0424", "external_id": "S0424"}, {"source_name": "Kaspersky Triada March 2016", "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:15.523Z", "name": "Triada", "description": "[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. 
Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Triada"]}, {"type": "malware", "id": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "created": "2020-11-20T15:44:57.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0535", "external_id": "S0535"}, {"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:15.703Z", "name": "Golden Cup", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Golden Cup"]}, {"modified": "2025-03-27T22:35:44.281Z", "name": "FluBot", "description": "[FluBot](https://attack.mitre.org/software/S1067) is a multi-purpose mobile banking malware that was first observed in Spain in late 2020. 
It primarily spread through European countries using a variety of SMS phishing messages in multiple languages.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524) An international law enforcement operation of 11 countries eventually disrupted the spread of [FluBot](https://attack.mitre.org/software/S1067).(Citation: Europol FluBot Jun2022)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.1", "x_mitre_aliases": ["FluBot"], "type": "malware", "id": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "created": "2023-02-28T20:25:59.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1067", "external_id": "S1067"}, {"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}, {"source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones"}, {"source_name": "bitdefender_flubot_0524", "description": "Filip TRU\u021a\u0102, R\u0103zvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "created": "2020-09-11T16:22:02.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0506", "external_id": "S0506"}, {"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:15.850Z", "name": "ViperRAT", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["ViperRAT"]}, {"type": "malware", "id": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "created": "2017-10-25T14:48:47.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0309", "external_id": "S0309"}, {"source_name": "Adups", "description": "(Citation: NYTimes-BackDoor) 
(Citation: BankInfoSecurity-BackDoor)"}, {"source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}, {"source_name": "BankInfoSecurity-BackDoor", "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.", "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:15.993Z", "name": "Adups", "description": "[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "created": "2019-11-21T19:16:34.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0419", "external_id": "S0419"}, {"source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:16.143Z", "name": "SimBad", "description": "[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name \"SimBad\" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["SimBad"]}, {"type": "malware", "id": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "created": "2020-10-29T19:19:08.848Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0525", "external_id": "S0525"}, {"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:16.304Z", "name": "Android/AdDisplay.Ashas", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. 
(Citation: WeLiveSecurity AdDisplayAshas)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Android/AdDisplay.Ashas"]}, {"modified": "2024-11-17T20:01:55.807Z", "name": "Phenakite", "description": "[Phenakite](https://attack.mitre.org/software/S1126) is a mobile malware that is used by [APT-C-23](https://attack.mitre.org/groups/G1028) to target iOS devices. According to several reports, [Phenakite](https://attack.mitre.org/software/S1126) was developed to fill a tooling gap and to target those who owned iPhones instead of Windows desktops or Android phones.(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)", "x_mitre_platforms": ["iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_contributors": ["Sittikorn Sangrattanapitak"], "x_mitre_aliases": ["Phenakite"], "type": "malware", "id": "malware--f97e2718-af50-41df-811f-215ebab45691", "created": "2024-03-26T18:47:29.820Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1126", "external_id": "S1126"}, {"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}, {"source_name": "sentinelone_israel_hamas_war", "description": "Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-09-30T18:57:47.266Z", "name": "Marcher", "description": "[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)", "x_mitre_deprecated": true, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Marcher"], "type": "malware", "id": "malware--f9854ba6-989d-43bf-828b-7240b8a65291", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0317", "external_id": "S0317"}, {"source_name": "Proofpoint-Marcher", "description": "Proofpoint. (2017, November 3). Credential phishing and an Android banking Trojan combine in Austrian mobile attacks. 
Retrieved July 6, 2018.", "url": "https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "created": "2023-01-19T18:05:30.924Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1056", "external_id": "S1056"}, {"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:16.464Z", "name": "TianySpy", "description": "[TianySpy](https://attack.mitre.org/software/S1056) is a mobile malware primarily spread by SMS phishing between September 30 and October 12, 2021. 
[TianySpy](https://attack.mitre.org/software/S1056) is believed to have targeted credentials associated with membership websites of major Japanese telecommunication services.(Citation: trendmicro_tianyspy_0122) ", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["TianySpy"]}, {"modified": "2023-10-07T21:33:03.773Z", "name": "Sunbird", "description": "[Sunbird](https://attack.mitre.org/software/S1082) is one of two mobile malware families known to be used by the APT [Confucius](https://attack.mitre.org/groups/G0142). Analysis suggests that [Sunbird](https://attack.mitre.org/software/S1082) was first active in early 2017. While [Sunbird](https://attack.mitre.org/software/S1082) and [Hornbill](https://attack.mitre.org/software/S1077) overlap in core capabilities, [Sunbird](https://attack.mitre.org/software/S1082) has a more extensive set of malicious features.(Citation: lookout_hornbill_sunbird_0221)", "x_mitre_platforms": ["Android"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_aliases": ["Sunbird"], "type": "malware", "id": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "created": "2023-08-04T18:27:24.614Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S1082", "external_id": "S1082"}, {"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "labels": ["malware"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "malware", "id": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "created": "2017-10-25T14:48:37.856Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0300", "external_id": "S0300"}, {"source_name": "DressCode", "description": "(Citation: TrendMicro-DressCode)"}, {"source_name": "TrendMicro-DressCode", "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:16.646Z", "name": "DressCode", "description": "[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "malware", "id": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "created": "2019-09-03T20:08:00.241Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0406", "external_id": "S0406"}, {"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:16.804Z", "name": "Gustuff", "description": "[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)", "labels": ["malware"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_aliases": ["Gustuff"]}, {"type": "tool", "id": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "created": "2019-09-04T15:38:56.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0408", "external_id": "S0408"}, {"source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}, {"source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}, {"source_name": "FlexiSpy-Website", "description": "FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019.", "url": "https://www.flexispy.com/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:17.243Z", "name": "FlexiSpy", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. 
Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)", "labels": ["tool"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Emily Ratliff, IBM"], "x_mitre_aliases": ["FlexiSpy"]}, {"type": "tool", "id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "created": "2017-10-25T14:48:48.609Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/software/S0298", "external_id": "S0298"}, {"source_name": "Xbot", "description": "(Citation: PaloAlto-Xbot)"}, {"source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:17.393Z", "name": "Xbot", "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. 
(Citation: PaloAlto-Xbot)", "labels": ["tool"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0027", "external_id": "TA0027"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:59.963Z", "name": "Initial Access", "description": "The adversary is trying to get into your device.\n\nThe initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "initial-access"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0036", "external_id": "TA0036"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:00.114Z", "name": "Exfiltration", "description": "The adversary is trying to steal data.\n\nExfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.\n\nIn the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. 
Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "exfiltration"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0028", "external_id": "TA0028"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:00.260Z", "name": "Persistence", "description": " The adversary is trying to maintain their foothold.\n\nPersistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. 
Attackers often will need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "persistence"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0029", "external_id": "TA0029"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:00.414Z", "name": "Privilege Escalation", "description": " The adversary is trying to gain higher-level permissions.\n\nPrivilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. 
Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "privilege-escalation"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0037", "external_id": "TA0037"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:00.567Z", "name": "Command and Control", "description": "The adversary is trying to communicate with compromised devices to control them.\n\nThe command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. \n\nThe resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. 
Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.\n\nAdditionally, in the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "command-and-control"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "created": "2020-01-27T14:00:49.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0041", "external_id": "TA0041"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:00.730Z", "name": "Execution", "description": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a mobile device. 
Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "execution"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0034", "external_id": "TA0034"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:00.876Z", "name": "Impact", "description": "The adversary is trying to manipulate, interrupt, or destroy your devices and data.\n\nThe impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. 
Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "impact"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0031", "external_id": "TA0031"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:01.017Z", "name": "Credential Access", "description": "The adversary is trying to steal account names, passwords, or other secrets that enable access to resources.\n\nCredential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. 
With sufficient access within a network, an adversary can create accounts for later use within the environment.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "credential-access"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0035", "external_id": "TA0035"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:01.179Z", "name": "Collection", "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. 
This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "collection"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0033", "external_id": "TA0033"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:01.345Z", "name": "Lateral Movement", "description": "The adversary is trying to move through your environment.\n\nLateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. 
The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "lateral-movement"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0030", "external_id": "TA0030"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:01.500Z", "name": "Defense Evasion", "description": " The adversary is trying to avoid being detected.\n\nDefense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. 
Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "defense-evasion"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0038", "external_id": "TA0038"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:48.173Z", "name": "Network Effects", "description": "The adversary is trying to intercept or manipulate network traffic to or from a device.\n\nThis category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. 
These include techniques to intercept or manipulate network traffic to and from the mobile device.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "network-effects"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0032", "external_id": "TA0032"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:01.668Z", "name": "Discovery", "description": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. 
The operating system may provide capabilities that aid in this post-compromise information-gathering phase.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "discovery"}, {"type": "x-mitre-tactic", "id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0039", "external_id": "TA0039"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:48.346Z", "name": "Remote Service Effects", "description": "The adversary is trying to control or monitor the device using remote services.\n\nThis category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": true, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "remote-service-effects"}, {"type": "attack-pattern", "id": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "created": "2020-11-04T16:43:31.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1603", "external_id": "T1603"}, {"source_name": "Android WorkManager", "description": "Google. (n.d.). Schedule tasks with WorkManager. 
Retrieved November 4, 2020.", "url": "https://developer.android.com/topic/libraries/architecture/workmanager"}, {"source_name": "Apple NSBackgroundActivityScheduler", "description": "Apple. (n.d.). NSBackgroundActivityScheduler. Retrieved November 4, 2020.", "url": "https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:43.650Z", "name": "Scheduled Task/Job", "description": "Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.\n\nOn Android, the `WorkManager` API allows asynchronous tasks to be scheduled with the system. `WorkManager` was introduced to unify task scheduling on Android, using `JobScheduler`, `GcmNetworkManager`, and `AlarmManager` internally. `WorkManager` offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)\n\nOn iOS, the `NSBackgroundActivityScheduler` API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. 
The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "execution"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Lorin Wu, Trend Micro"], "x_mitre_detection": "Scheduling tasks/jobs can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "created": "2019-10-30T15:37:55.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1540", "external_id": "T1540"}, {"source_name": "Fadeev Code Injection Aug 2018", "description": "Alexandr Fadeev. (2018, August 26). Shared Library Injection on Android 8.0. Retrieved October 30, 2019.", "url": "https://fadeevab.com/shared-library-injection-on-android-8/"}, {"source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"}, {"source_name": "Shunix Code Injection Mar 2016", "description": "Shunix . (2016, March 22). Shared Library Injection in Android. 
Retrieved October 30, 2019.", "url": "https://shunix.com/shared-library-injection-in-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:35.582Z", "name": "Code Injection", "description": "Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.\n\nWith root access, `ptrace` can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application\u2019s process.(Citation: Google Triada June 2019)\n", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Code injection can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-02-07T18:10:46.887Z", "name": "Adversary-in-the-Middle", "description": "Adversaries may 
attempt to position themselves between two or more networked devices to support follow-on behaviors such as [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002) or [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642). \n\n \n\n[Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1638) can be achieved through several mechanisms. For example, a malicious application may register itself as a VPN client, effectively redirecting device traffic to adversary-owned resources. Registering as a VPN client requires user consent on both Android and iOS; additionally, a special entitlement granted by Apple is needed for iOS devices. Alternatively, a malicious application with escalation privileges may utilize those privileges to gain access to network traffic. \n\n\n Specific to Android devices, adversary-in-the-disk is a type of AiTM attack where adversaries monitor and manipulate data that is exchanged between applications and external storage.(Citation: mitd_kaspersky)(Citation: mitd_checkpoint)(Citation: mitd_checkpoint_research) To accomplish this, a malicious application firsts requests for access to multimedia files on the device (`READ_EXTERNAL STORAGE` and `WRITE_EXTERNAL_STORAGE`), then the application reads data on the device and/or writes malware to the device. Though the request for access is common, when used maliciously, adversaries may access files and other sensitive data due to abusing the permission. Multiple applications were shown to be vulnerable against this attack; however, scrutiny of permissions and input validations may mitigate this attack. \n\nOutside of a mobile device, adversaries may be able to capture traffic by employing a rogue base station or Wi-Fi access point. These devices will allow adversaries to capture network traffic after it has left the device, while it is flowing to its destination. 
On a local network, enterprise techniques could be used, such as [ARP Cache Poisoning](https://attack.mitre.org/techniques/T1557/002) or [DHCP Spoofing](https://attack.mitre.org/techniques/T1557/003). \n\n \n\nIf applications properly encrypt their network traffic, sensitive data may not be accessible to adversaries, depending on the point of capture. For example, properly implementing Apple\u2019s Application Transport Security (ATS) and Android\u2019s Network Security Configuration (NSC) may prevent sensitive data leaks.(Citation: NSC_Android)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. \n\n \n\nOn both Android and iOS, users must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. Users can see registered VPN services in the device settings. ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "created": "2022-04-05T20:11:08.894Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1638", "external_id": "T1638"}, {"source_name": "mitd_checkpoint", "description": "Check Point Research Team. (2018, August 12). Man-in-the-Disk: A New Attack Surface for Android Apps. 
Retrieved October 31, 2023.", "url": "https://blog.checkpoint.com/security/man-in-the-disk-a-new-attack-surface-for-android-apps/"}, {"source_name": "mitd_kaspersky", "description": "Drozhzhin, A. (2018, August 27). Man-in-the-Disk: A new and dangerous way to hack Android. Retrieved October 31, 2023.", "url": "https://usa.kaspersky.com/blog/man-in-the-disk/16089/"}, {"source_name": "NSC_Android", "description": "Lee, A., Ramirez, T. (2018, August 15). A Security Analyst\u2019s Guide to Network Security Configuration in Android P . Retrieved February 7, 2024.", "url": "https://www.nowsecure.com/blog/2018/08/15/a-security-analysts-guide-to-network-security-configuration-in-android-p/"}, {"source_name": "mitd_checkpoint_research", "description": "Makkaveev, S. (2018, August 12). Man-in-the-Disk: Android Apps Exposed via External Storage. Retrieved October 31, 2023.", "url": "https://research.checkpoint.com/androids-man-in-the-disk/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", "external_id": "CEL-3"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", "external_id": "APP-0"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "external_id": "APP-1"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-8.html", "external_id": "APP-8"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-12.html", "external_id": "ECO-12"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": 
"attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "created": "2022-04-01T15:54:05.633Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1626", "external_id": "T1626"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:43.814Z", "name": "Abuse Elevation Control Mechanism", "description": "Adversaries may circumvent mechanisms designed to control elevated privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can gain on a machine. Authorization has to be granted to specific users in order to perform tasks that are designated as higher risk. An adversary can use several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "When an application requests administrator permission, users are presented with a popup and the option to grant or deny the request. Application vetting services can detect when an application requests administrator permission. 
Extra scrutiny could be applied to applications that do", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "created": "2023-09-25T19:53:07.406Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1663", "external_id": "T1663"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:44.009Z", "name": "Remote Access Software", "description": "Adversaries may use legitimate remote access software, such as `VNC`, `TeamViewer`, `AirDroid`, `AirMirror`, etc., to establish an interactive command and control channel to target mobile devices. \n\nRemote access applications may be installed and used post-compromise as an alternate communication channel for redundant access or as a way to establish an interactive remote session with the target device. They may also be used as a component of malware to establish a reverse connection to an adversary-controlled system or service. Installation of remote access tools may also include persistence. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--0bcc4ec1-a897-49a9-a9ff-c00df1d1209d", "created": "2017-10-25T14:48:08.155Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1454", "external_id": "T1454"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:35.774Z", "name": "Malicious SMS Message", "description": "Test", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--0c71033e-401e-4b97-9309-7a7c95e43a5d", "created": "2017-10-25T14:48:18.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1470", "external_id": "T1470"}, {"source_name": "Elcomsoft-EPPB", "description": "Elcomsoft. (n.d.). Elcomsoft Phone Breaker. Retrieved December 29, 2016.", "url": "https://www.elcomsoft.com/eppb.html"}, {"source_name": "Elcomsoft-WhatsApp", "description": "Oleg Afonin. (2017, July 20). Extract and Decrypt WhatsApp Backups from iCloud. 
Retrieved July 6, 2018.", "url": "https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html", "external_id": "ECO-0"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html", "external_id": "ECO-1"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:35.994Z", "name": "Obtain Device Cloud Backups", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google's Android backup service or Apple's iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple's iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "Google provides the ability for users to view their account activity. 
Apple iCloud also provides notifications to users of account activity.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "created": "2022-03-30T19:31:31.855Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630/001", "external_id": "T1630.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", "external_id": "APP-43"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:44.210Z", "name": "Uninstall Malicious Application", "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by: \n \n* Abusing device owner permissions to perform silent uninstallation using device owner API calls. \n* Abusing root permissions to delete files from the filesystem. \n* Abusing the accessibility service. This requires sending an intent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Users can see a list of applications that can use accessibility services in the device settings. 
Application vetting services could look for use of the accessibility service or features that typically require root access.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "created": "2022-03-30T19:28:25.541Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630", "external_id": "T1630"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", "external_id": "APP-43"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:44.391Z", "name": "Indicator Removal on Host", "description": "Adversaries may delete, alter, or hide generated artifacts on a device, including files, jailbreak status, or the malicious application itself. These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of mobile security solutions by causing notable events or information to go unreported.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Users can see a list of applications that can use accessibility services in the device settings. 
Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS", "Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-11-17T13:32:52.029Z", "name": "Supply Chain Compromise", "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.\n\nSupply chain compromise can take place at any stage of the supply chain including:\n\n* Manipulation of development tools\n* Manipulation of a development environment\n* Manipulation of source code repositories (public or private)\n* Manipulation of source code in open-source dependencies\n* Manipulation of software update/distribution mechanisms\n* Compromised/infected system images\n* Replacement of legitimate software with modified versions\n* Sales of modified/counterfeit products to legitimate distributors\n* Shipment interdiction\n\nWhile supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. Targeting may be specific to a desired victim set or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. 
Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency, specifically with the widespread usage of third-party advertising libraries.(Citation: Grace-Advertisement)(Citation: NowSecure-RemoteCode)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_deprecated": false, "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474", "external_id": "T1474"}, {"source_name": "Grace-Advertisement", "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved November 17, 2024.", "url": "https://dl.acm.org/doi/10.1145/2185448.2185464"}, {"source_name": "NowSecure-RemoteCode", "description": "Ryan Welton. (2015, June 15). A Pattern for Remote Code Execution using Arbitrary File Writes and MultiDex Applications. 
Retrieved December 22, 2016.", "url": "https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", "external_id": "APP-6"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", "external_id": "SPC-0"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", "external_id": "SPC-1"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", "external_id": "SPC-2"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", "external_id": "SPC-3"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", "external_id": "SPC-4"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", "external_id": "SPC-5"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", "external_id": "SPC-6"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", "external_id": "SPC-7"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", "external_id": "SPC-8"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", "external_id": "SPC-9"}, {"source_name": "NIST Mobile Threat 
Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", "external_id": "SPC-10"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", "external_id": "SPC-11"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", "external_id": "SPC-12"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", "external_id": "SPC-13"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-14.html", "external_id": "SPC-14"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", "external_id": "SPC-15"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", "external_id": "SPC-16"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", "external_id": "SPC-17"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", "external_id": "SPC-18"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-19.html", "external_id": "SPC-19"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", "external_id": "SPC-20"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", "external_id": "SPC-21"}], "object_marking_refs": 
["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2025-01-21T16:22:43.947Z", "name": "Impersonate SS7 Nodes", "description": "Adversaries may exploit the lack of authentication in signaling system network nodes to track the location of mobile devices by impersonating a node.(Citation: Engel-SS7)(Citation: Engel-SS7-2008)(Citation: 3GPP-Security)(Citation: Positive-SS7)(Citation: CSRIC5-WG10-FinalReport) \n\n \n\nBy providing the victim\u2019s MSISDN (phone number) and impersonating network internal nodes to query subscriber information from other nodes, adversaries may use data collected from each hop to eventually determine the device\u2019s geographical cell area or nearest cell tower.(Citation: Engel-SS7)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_deprecated": false, "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "type": "attack-pattern", "id": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "created": "2022-04-05T19:49:58.938Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1430/002", "external_id": "T1430.002"}, {"source_name": "3GPP-Security", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. 
Retrieved December 19, 2016.", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf"}, {"source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"}, {"source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport"}, {"source_name": "Positive-SS7", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf"}, {"source_name": "Engel-SS7-2008", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI"}, {"source_name": "Engel-SS7", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. 
Retrieved December 19, 2016.", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "external_id": "CEL-38"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "created": "2023-07-12T20:45:14.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1655/001", "external_id": "T1655.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", "external_id": "APP-14"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:44.590Z", "name": "Match Legitimate Name or Location", "description": "Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by giving artifacts the name and icon of a legitimate, trusted application (i.e., Settings), or using a package name that matches legitimate, trusted applications (i.e., `com.google.android.gm`). 
\n\nAdversaries may also use the same icon of the file or application they are trying to mimic.\n", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Ford Qin, Trend Micro", "Liran Ravich, CardinalOps"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0"}, {"type": "attack-pattern", "id": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "created": "2017-10-25T14:48:30.462Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1425", "external_id": "T1425"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:36.173Z", "name": "Insecure Third-Party Libraries", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "created": "2022-04-01T12:36:41.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636", "external_id": "T1636"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:44.829Z", "name": "Protected User Data", "description": "Adversaries may utilize standard operating system APIs to 
collect data from permission-backed data stores on a device, such as the calendar or contact list. These permissions need to be declared ahead of time. On Android, they must be included in the application\u2019s manifest. On iOS, they must be included in the application\u2019s `Info.plist` file. \n\n \n\nIn almost all cases, the user is required to grant access to the data store that the application is trying to access. In recent OS versions, vendors have introduced additional privacy controls for users, such as the ability to grant permission to an application only while the application is being actively used by the user. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Protected User Data](https://attack.mitre.org/techniques/T1636) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Users can view permissions granted to an application in device settings. Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. 
Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "created": "2022-04-05T20:15:43.636Z", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1521/002", "external_id": "T1521.002"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:44.987Z", "name": "Asymmetric Cryptography", "description": "Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private that should not be distributed. Due to how asymmetric algorithms work, the sender encrypts data with the receiver\u2019s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA, ElGamal, and ECDSA.\n\nFor efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. 
As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1521/002).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "created": "2017-10-25T14:48:28.067Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1418", "external_id": "T1418"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", "external_id": "APP-12"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:45.152Z", "name": "Software Discovery", "description": "Adversaries may attempt to get a listing of applications that are installed on a device. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1418) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempts specific actions. 
\n\n \n\nAdversaries may attempt to enumerate applications for a variety of reasons, such as figuring out what security measures are present or to identify the presence of target applications. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "created": "2017-10-25T14:48:33.926Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1424", "external_id": "T1424"}, {"source_name": "Android-SELinuxChanges", "description": "Various. (2016, March 31). Overly restrictive SELinux filesystem permissions in Android N. Retrieved December 21, 2016.", "url": "https://code.google.com/p/android/issues/detail?id=205565"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:45.337Z", "name": "Process Discovery", "description": "Adversaries may attempt to get information about running processes on a device. Information obtained could be used to gain an understanding of common software/applications running on devices within a network. 
Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1424) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. \n\n \n\nRecent Android security enhancements have made it more difficult to obtain a list of running processes. On Android 7 and later, there is no way for an application to obtain the process list without abusing elevated privileges. This is due to the Android kernel utilizing the `hidepid` mount feature. Prior to Android 7, applications could utilize the `ps` command or examine the `/proc` directory on the device.(Citation: Android-SELinuxChanges) \n\n \n\nIn iOS, applications have previously been able to use the `sysctl` command to obtain a list of running processes. This functionality has been removed in later iOS versions. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "created": "2022-04-01T13:12:23.522Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/002", "external_id": "T1636.002"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:45.503Z", "name": "Call Log", "description": "Adversaries may utilize standard operating system APIs to gather call log data. On Android, this can be accomplished using the Call Log Content Provider. iOS provides no standard API to access the call log. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Call Log](https://attack.mitre.org/techniques/T1636/002) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary. 
Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "created": "2022-03-31T19:50:45.752Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1418/001", "external_id": "T1418.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", "external_id": "APP-12"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:45.687Z", "name": "Security Software Discovery", "description": "Adversaries may attempt to get a listing of security applications and configurations that are installed on a device. This may include things such as mobile security products. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1418/001) during automated discovery to shape follow-on behaviors, including whether or not to fully infect the target and/or attempt specific actions. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. 
On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "created": "2017-10-25T14:48:10.699Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1434", "external_id": "T1434"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:36.344Z", "name": "App Delivered via Email Attachment", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "created": "2022-03-30T19:05:17.048Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1631/001", "external_id": "T1631.001"}, {"source_name": "BH Linux Inject", "description": "Colgan, T. (2015, August 15). Linux-Inject. Retrieved February 21, 2020.", "url": "https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf"}, {"source_name": "Medium Ptrace JUL 2018", "description": "Jain, S. (2018, July 25). Code injection in running process using ptrace. Retrieved February 21, 2020.", "url": "https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be"}, {"source_name": "PTRACE man", "description": "Kerrisk, M. 
(2020, February 9). PTRACE(2) - Linux Programmer's Manual. Retrieved February 21, 2020.", "url": "http://man7.org/linux/man-pages/man2/ptrace.2.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:45.841Z", "name": "Ptrace System Calls", "description": "Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process. \n\nPtrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (e.g., by using `malloc`) then invoking that memory with `PTRACE_SETREGS` to set the register containing the next instruction to execute. Ptrace system call injection can also be done with `PTRACE_POKETEXT`/`PTRACE_POKEDATA`, which copy data to a specific address in the target process's memory (e.g., the current address of the next instruction).(Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018) \n\nPtrace system call injection may not be possible when targeting processes with high-privileges, and on some systems those that are non-child processes.(Citation: BH Linux Inject) \n\nRunning code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. 
Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "created": "2022-04-01T18:42:22.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629", "external_id": "T1629"}, {"source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:45.996Z", "name": "Impair Defenses", "description": "Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. 
This may span both native defenses as well as supplemental capabilities installed by users or mobile endpoint administrators.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running. Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--2204c371-6100-4ae0-82f3-25c07c29772a", "created": "2017-10-25T14:48:08.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1453", "external_id": "T1453"}, {"source_name": "Skycure-Accessibility", "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", "url": "https://www.skycure.com/blog/accessibility-clickjacking/"}, {"source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"}, {"source_name": "banking-trojans-google-play", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, October 24). 
Banking Trojans continue to surface on Google Play. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:36.575Z", "name": "Abuse Accessibility Features", "description": "**This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.**\n\nA malicious app could abuse Android's accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)\n\nAdversaries may abuse accessibility features on Android to emulate a user's clicks, for example to steal money from a user's bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)\n\nAdversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the \"Back\" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. 
This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Luk\u00e1\u0161 \u0160tefanko, ESET"], "x_mitre_deprecated": true, "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "created": "2017-10-25T14:48:13.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1428", "external_id": "T1428"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html", "external_id": "APP-32"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:46.157Z", "name": "Exploitation of Remote Services", "description": "Adversaries may exploit remote services of enterprise servers, workstations, or other resources to gain unauthorized access to internal systems once inside of a network. Adversaries may exploit remote services by taking advantage of a mobile device\u2019s access to an internal enterprise network through local connectivity or through a Virtual Private Network (VPN). 
Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. \n\nAn adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1423) or other Discovery methods. These look for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.\n\nDepending on the permissions level of the vulnerable remote service, an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1404) as a result of lateral movement exploitation as well. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Detecting software exploitation initiated by a mobile device may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash.\n\nNetwork traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. \n\nApplication vetting may be able to identify applications that perform Discovery or utilize existing connectivity to remotely access hosts within an internal enterprise network. 
", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "created": "2022-04-01T19:06:27.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1437/001", "external_id": "T1437.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "external_id": "APP-29"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:46.363Z", "name": "Web Protocols", "description": "Adversaries may communicate using application layer protocols associated with web protocols traffic to avoid detection/network filtering by blending in with existing traffic. Commands to remote mobile devices, and often the results of those commands, will be embedded within the protocol traffic between the mobile client and server. \n\nWeb protocols such as HTTP and HTTPS are used for web traffic as well as well as notification services native to mobile messaging services such as Google Cloud Messaging (GCM) and newly, Firebase Cloud Messaging (FCM), (GCM/FCM: two-way communication) and Apple Push Notification Service (APNS; one-way server-to-device). Such notification services leverage HTTP/S via the respective API and are commonly abused on Android and iOS respectively in order blend in with routine device traffic making it difficult for enterprises to inspect. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior. ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2023-12-26T19:17:13.294Z", "name": "Steal Application Access Token", "description": "Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering or URI hijacking and typically requires user action to grant access, such as through a system \u201cOpen With\u201d dialogue. \n\nApplication access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework used to issue tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry through OAuth 2.0 using a variety of authorization protocols. 
An example of a commonly-used sequence is Microsoft's Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested without requiring user credentials.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "created": "2022-04-01T15:12:50.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1635", "external_id": "T1635"}, {"source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. 
Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html"}, {"source_name": "Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019", "description": "Auth0. (n.d.). Why You Should Always Use Access Tokens to Secure APIs. Retrieved September 12, 2019.", "url": "https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/"}, {"source_name": "Microsoft - OAuth Code Authorization flow - June 2019", "description": "Microsoft. (n.d.). Microsoft identity platform and OAuth 2.0 authorization code flow. Retrieved September 12, 2019.", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow"}, {"source_name": "Microsoft Identity Platform Protocols May 2019", "description": "Microsoft. (n.d.). Retrieved September 12, 2019.", "url": "https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols"}, {"source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "created": "2022-04-11T20:05:56.069Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628/002", "external_id": "T1628.002"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:46.535Z", "name": "User Evasion", "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. 
By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. 
Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "created": "2022-03-30T17:51:29.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1633", "external_id": "T1633"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:46.725Z", "name": "Virtualization/Sandbox Evasion", "description": "Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors after checking for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the payload. They may also search for VME artifacts before dropping further payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) during automated discovery to shape follow-on behaviors. \n\nAdversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1633) such as checking for system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "created": "2020-06-24T17:33:49.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1579", "external_id": "T1579"}, {"source_name": "Apple Keychain Services", "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020.", "url": "https://developer.apple.com/documentation/security/keychain_services"}, {"source_name": "Elcomsoft Decrypt Keychain", "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. 
Retrieved June 24, 2020.", "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", "external_id": "AUT-11"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:36.750Z", "name": "Keychain", "description": "Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.\n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices and perform further actions as necessary.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2023-09-28T15:36:11.282Z", "name": "Application Versioning", "description": "An adversary may push an update to a previously benign application to add malicious code. 
This can be accomplished by pushing an initially benign, functional application to a trusted application store, such as the Google Play Store or the Apple App Store. This allows the adversary to establish a trusted userbase that may grant permissions to the application prior to the introduction of malicious code. Then, an application update could be pushed to introduce malicious code.(Citation: android_app_breaking_bad)\n\nThis technique could also be accomplished by compromising a developer\u2019s account. This would allow an adversary to take advantage of an existing userbase without having to establish the userbase themselves. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_contributors": ["Edward Stevens, BT Security", "Adam Lichters"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "created": "2023-09-21T22:16:38.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1661", "external_id": "T1661"}, {"source_name": "android_app_breaking_bad", "description": "Stefanko, L. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved August 28, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", "external_id": "SPC-20"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--29e07491-8947-43a3-8d4e-9a787c45f3d3", "created": "2017-10-25T14:48:17.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1413", "external_id": "T1413"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html", "external_id": "APP-3"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:36.939Z", "name": "Access Sensitive Data in Device Logs", "description": "On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device's system log. 
On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "created": "2022-03-30T13:40:37.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1623", "external_id": "T1623"}, {"source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:46.879Z", "name": "Command and Scripting Interpreter", "description": "Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. 
Most systems come with some built-in command-line interface and scripting capabilities, for example, Android is a UNIX-like OS and includes a basic [Unix Shell](https://attack.mitre.org/techniques/T1623/001) that can be accessed via the Android Debug Bridge (ADB) or Java\u2019s `Runtime` package.\n\nAdversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0027) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "created": "2022-04-01T18:51:13.963Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629/003", "external_id": "T1629.003"}], "object_marking_refs": 
["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:47.026Z", "name": "Disable or Modify Tools", "description": "Adversaries may disable security tools to avoid potential detection of their tools and activities. This can take the form of disabling security software, modifying SELinux configuration, or other methods to interfere with security tools scanning or reporting information. This is typically done by abusing device administrator permissions or using system exploits to gain root access to the device to modify protected system files.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Users can view a list of active device administrators in the device settings.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "created": "2020-01-21T15:27:30.182Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1544", "external_id": "T1544"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:47.175Z", "name": "Ingress Tool Transfer", "description": "Adversaries may transfer tools or other files from an external system onto a compromised device to facilitate follow-on actions. 
Files may be copied from an external adversary-controlled system through the command and control channel or through alternate protocols with another tool such as FTP.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for connections to unknown domains or IP addresses. Application vetting services may indicate precisely what content was requested during application execution.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "created": "2022-04-05T19:57:15.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1637", "external_id": "T1637"}, {"source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:47.329Z", "name": "Dynamic Resolution", "description": "Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware's communications. 
This algorithm can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different Domain Generation Algorithms (DGAs), constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names. In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names or rarely visited domains.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1477", "external_id": "T1477"}, {"source_name": "Forbes-iPhoneSMS", "description": "Andy Greenberg. (2009, July 28). How to Hijack 'Every iPhone In The World'. 
Retrieved December 23, 2016.", "url": "http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html"}, {"source_name": "Register-BaseStation", "description": "D. Pauli. (2015, November 12). Samsung S6 calls open to man-in-the-middle base station snooping. Retrieved December 23, 2016.", "url": "http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/"}, {"source_name": "ProjectZero-BroadcomWiFi", "description": "Gal Beniamini. (2017, April 4). Over The Air: Exploiting Broadcom's Wi-Fi Stack. Retrieved November 8, 2018.", "url": "https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html"}, {"source_name": "Weinmann-Baseband", "description": "R. Weinmann. (2012, August 6-7). Baseband Attacks: Remote Exploitation of Memory Corruptions in Cellular Protocol Stacks. Retrieved December 23, 2016.", "url": "https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf"}, {"source_name": "SRLabs-SIMCard", "description": "SRLabs. (n.d.). SIM cards are prone to remote hacking. Retrieved December 23, 2016.", "url": "https://srlabs.de/bites/rooting-sim-cards/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:37.121Z", "name": "Exploit via Radio Interfaces", "description": "The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.\n\n### Baseband Vulnerability Exploitation\n\nA message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).\n\n### Malicious SMS Message\n\nAn SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). 
An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", "created": "2017-10-25T14:48:26.890Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1423", "external_id": "T1423"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:47.481Z", "name": "Network Service Scanning", "description": "Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. 
This technique may take advantage of the mobile device's access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Network service scanning can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", "created": "2021-09-30T18:18:52.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1618", "external_id": "T1618"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:37.306Z", "name": "User Evasion", "description": "Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary\u2019s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device. \n\nWhile there are many ways this can be accomplished, one method is by using the device\u2019s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. 
That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products may be able to detect some forms of user evasion. Otherwise, the act of hiding malicious activity could be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "created": "2022-04-01T15:43:45.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1646", "external_id": "T1646"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "external_id": "APP-29"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:47.650Z", "name": "Exfiltration Over C2 Channel", "description": "Adversaries may steal data by exfiltrating it over an existing command and control channel. 
Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "[Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1646) can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "created": "2017-10-25T14:48:29.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1404", "external_id": "T1404"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", "external_id": "APP-26"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:47.809Z", "name": "Exploitation for Privilege Escalation", "description": "Adversaries may exploit software vulnerabilities in order to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in an application, service, within the operating system software, or kernel itself to execute adversary-controlled code. Security constructions, such as permission levels, will often hinder access to information and use of certain techniques. 
Adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions. \n\nWhen initially gaining access to a device, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and applications running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user- level permission to root permissions depending on the component that is vulnerable. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken. Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "created": "2021-09-20T13:42:20.824Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1616", "external_id": "T1616"}, {"source_name": "Android Permissions", "description": "Google. (2021, August 11). Manifest.permission. 
Retrieved September 22, 2021.", "url": "https://developer.android.com/reference/android/Manifest.permission"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html", "external_id": "APP-41"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html", "external_id": "CEL-42"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html", "external_id": "CEL-36"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html", "external_id": "CEL-18"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:47.962Z", "name": "Call Control", "description": "Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.\n\nSeveral permissions may be used to programmatically control phone calls, including:\n\n* `ANSWER_PHONE_CALLS` - Allows the application to answer incoming phone calls(Citation: Android Permissions)\n* `CALL_PHONE` - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)\n* `PROCESS_OUTGOING_CALLS` - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)\n* `MANAGE_OWN_CALLS` - Allows a calling application which manages its own calls through the self-managed `ConnectionService` APIs(Citation: Android Permissions)\n* `BIND_TELECOM_CONNECTION_SERVICE` - Required permission when using a `ConnectionService`(Citation: Android Permissions)\n* 
`WRITE_CALL_LOG` - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)\n\nWhen granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using `Intent.ACTION_DIAL`, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Gaetan van Diemen, ThreatFabric"], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view their default phone app in device settings. 
Users can review available call logs for irregularities, such as missing or unrecognized calls.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "created": "2022-04-06T13:22:57.683Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1639/001", "external_id": "T1639.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", "external_id": "APP-30"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:48.130Z", "name": "Exfiltration Over Unencrypted Non-C2 Protocol", "description": "Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.\n\nAdversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). 
Adversaries may employ custom or publicly available encoding/compression algorithms (such as base64) or embed data within protocol headers and fields.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "[Exfiltration Over Unencrypted Non-C2 Protocol](https://attack.mitre.org/techniques/T1639/001)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "created": "2022-03-30T14:41:00.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1624/001", "external_id": "T1624.001"}, {"source_name": "Android Changes to System Broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:48.286Z", "name": "Broadcast Receivers", "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAn intent is a message passed between Android applications or system components. 
Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received. \n\nIn addition to Android system intents, malicious applications can register for intents broadcasted by other applications. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications. \n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts) ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Alex Hinchliffe, Palo Alto Networks"], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. 
", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--3911658a-6506-4deb-9ab4-595a51ae71ad", "created": "2017-10-25T14:48:16.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1436", "external_id": "T1436"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:37.510Z", "name": "Commonly Used Port", "description": "Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. \n\nThey may use commonly open ports such as\n\n* TCP:80 (HTTP)\n* TCP:443 (HTTPS)\n* TCP:25 (SMTP)\n* TCP/UDP:53 (DNS)\n\nThey may use the protocol associated with the port or a completely different protocol.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", "created": "2017-10-25T14:48:26.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", 
"url": "https://attack.mitre.org/techniques/T1439", "external_id": "T1439"}, {"source_name": "mHealth", "description": "D. He et al.. (2014). Security Concerns in Android mHealth Apps. Retrieved December 24, 2016.", "url": "https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html", "external_id": "APP-0"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "external_id": "APP-1"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:37.686Z", "name": "Eavesdrop on Insecure Network Communication", "description": "If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "created": "2019-09-15T15:26:08.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1517", "external_id": "T1517"}, {"source_name": "ESET 2FA Bypass", "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, June 17). 
Malware sidesteps Google permissions policy with new 2FA bypass technique. Retrieved September 15, 2019.", "url": "https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:48.448Z", "name": "Access Notifications", "description": "Adversaries may collect data within notifications sent by the operating system or other applications. Notifications may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. In the case of Credential Access, adversaries may attempt to intercept one-time code sent to the device. Adversaries can also dismiss notifications to prevent the user from noticing that the notification has arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass) ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. Users can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). 
", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "created": "2017-10-25T14:48:14.982Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1410", "external_id": "T1410"}, {"source_name": "Skycure-Profiles", "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016.", "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:37.855Z", "name": "Network Traffic Capture or Redirection", "description": "An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.\n\nA malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.\n\nAlternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.\n\nAn adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device's proxy settings. 
For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.\n\nIf applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On both Android and iOS the user must grant consent to an app to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is in place.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "created": "2017-10-25T14:48:34.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1411", "external_id": "T1411"}, {"source_name": "Felt-PhishingOnMobileDevices", "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. Retrieved August 25, 2016.", "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf"}, {"source_name": "Android Background", "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.", "url": "https://developer.android.com/guide/components/activities/background-starts"}, {"source_name": "Android-getRunningTasks", "description": "Android. (n.d.). ActivityManager getRunningTasks documentation. 
Retrieved January 19, 2017.", "url": "https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29"}, {"source_name": "Cloak and Dagger", "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 18, 2019.", "url": "http://cloak-and-dagger.org/"}, {"source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff"}, {"source_name": "eset-finance", "description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.", "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/"}, {"source_name": "Hassell-ExploitingAndroid", "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.", "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf"}, {"source_name": "XDA Bubbles", "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.", "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/"}, {"source_name": "NowSecure Android Overlay", "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. Retrieved September 18, 2019.", "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/"}, {"source_name": "ThreatFabric Cerberus", "description": "ThreatFabric. (2019, August). 
Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}, {"source_name": "StackOverflow-getRunningAppProcesses", "description": "Various. (n.d.). Android 5.1.1 and above - getRunningAppProcesses() returns my application package only. Retrieved January 19, 2017.", "url": "http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag"}, {"source_name": "Skycure-Accessibility", "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved December 21, 2016.", "url": "https://www.skycure.com/blog/accessibility-clickjacking/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:38.043Z", "name": "Input Prompt", "description": "The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.\n\nCompared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nSpecific approaches to this technique include:\n\n### Impersonate the identity of a legitimate application\n\nA malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. 
The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)\n\n### Display a prompt on top of a running legitimate application\n\nA malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the `ActivityManager` API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:\n\n* A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. 
This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)\n\n### Fake device notifications\n\nA malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "The user can view and manage which applications hold the SYSTEM_ALERT_WINDOW permission to create overlay windows on top of other apps through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions).", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "created": "2022-04-06T13:19:33.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1639", "external_id": "T1639"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", 
"external_id": "APP-30"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:48.656Z", "name": "Exfiltration Over Alternative Protocol", "description": "Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server. \n\nAlternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may opt to also encrypt and/or obfuscate these alternate channels. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "exfiltration"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1639)s can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-02-20T23:39:08.047Z", "name": "Internet Connection Discovery", "description": "Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using `adb shell netstat` for Android.(Citation: adb_commands)\n\nAdversaries may use the results and responses from these requests to determine if the mobile devices are capable of communicating with adversary-owned C2 servers before attempting to connect to them. 
The results may also be used to identify routes, redirectors, and proxy servers.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "created": "2024-02-20T23:39:08.047Z", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1422/001", "external_id": "T1422.001"}, {"source_name": "adb_commands", "description": "Pulimet. (2017, September 11). AdbCommands. Retrieved December 14, 2023.", "url": "https://gist.github.com/Pulimet/5013acf2cd5b28e55036c82c91bd56d8"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "created": "2017-10-25T14:48:24.069Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1460", "external_id": "T1460"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:38.220Z", "name": "Biometric Spoofing", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "created": "2017-10-25T14:48:31.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
"external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1398", "external_id": "T1398"}, {"source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html", "external_id": "APP-26"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:48.836Z", "name": "Boot or Logon Initialization Scripts", "description": "Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts are part of the underlying operating system and are not accessible to the user unless the device has been rooted or jailbroken. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. 
", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-11-17T18:31:54.804Z", "name": "Execution Guardrails", "description": "Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary\u2019s campaign. Values an adversary can provide about a target system or environment to use as guardrails may include environment information such as location.(Citation: SWB Exodus March 2019)\n\nGuardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [System Checks](https://attack.mitre.org/techniques/T1633/001). While use of [System Checks](https://attack.mitre.org/techniques/T1633/001) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_deprecated": false, "x_mitre_detection": "Detecting the use of guardrails may be difficult depending on the implementation. Users can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. 
Application vetting services can detect unnecessary and potentially permissions or API calls.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "created": "2022-03-30T20:31:16.624Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1627", "external_id": "T1627"}, {"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-11-17T18:58:58.592Z", "name": "GUI Input Capture", "description": "Adversaries may mimic common operating system GUI components to prompt users for sensitive information with a seemingly legitimate prompt. The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique\u2019s use.(Citation: Felt-PhishingOnMobileDevices)\n\nThere are several approaches adversaries may use to mimic this functionality. Adversaries may impersonate the identity of a legitimate application (e.g. 
use the same application name and/or icon) and, when installed on the device, may prompt the user for sensitive information.(Citation: eset-finance) Adversaries may also send fake device notifications to the user that may trigger the display of an input prompt when clicked.(Citation: Group IB Gustuff Mar 2019) \n\nAdditionally, adversaries may display a prompt on top of a running, legitimate application to trick users into entering sensitive information into a malicious application rather than the legitimate application. Typically, adversaries need to know when the targeted application and the individual activity within the targeted application is running in the foreground to display the prompt at the proper time. Adversaries can abuse Android\u2019s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Two known approaches to displaying a prompt include:\n\n* Adversaries start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)\n* Adversaries create an application overlay window on top of a running legitimate application. Applications must hold the `SYSTEM_ALERT_WINDOW` permission to create overlay windows. 
This permission is handled differently than typical Android permissions and, at least under certain conditions, is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The `SYSTEM_ALERT_WINDOW` permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_deprecated": false, "x_mitre_detection": "Android users can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). \n\nApplication vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "created": "2022-04-05T19:48:31.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1417/002", "external_id": "T1417.002"}, {"source_name": "Felt-PhishingOnMobileDevices", "description": "A.P. Felt and D. Wagner. (2011, May 26). Phishing on Mobile Devices. 
Retrieved August 25, 2016.", "url": "http://w2spconf.com/2011/papers/felt-mobilephishing.pdf"}, {"source_name": "Android Background", "description": "Android Developers. (n.d.). Restrictions on starting activities from the background. Retrieved September 18, 2019.", "url": "https://developer.android.com/guide/components/activities/background-starts"}, {"source_name": "Cloak and Dagger", "description": "Fratantonio, Y., et al.. (2017). Cloak & Dagger. Retrieved September 12, 2024.", "url": "https://cloak-and-dagger.org/"}, {"source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff"}, {"source_name": "eset-finance", "description": "Luk\u00e1\u0161 \u0160tefanko. (2016, July 7). Fake finance apps on Google Play target users from around the world. Retrieved September 24, 2018.", "url": "https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/"}, {"source_name": "Hassell-ExploitingAndroid", "description": "R. Hassell. (2011, October 12-13). Exploiting Androids for Fun and Profit. Retrieved October 10, 2019.", "url": "https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf"}, {"source_name": "XDA Bubbles", "description": "Rahman, M.. (2019, May 8). Bubbles in Android Q will fully replace the overlay API in a future Android version. Retrieved September 18, 2019.", "url": "https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/"}, {"source_name": "NowSecure Android Overlay", "description": "Ramirez, T.. (2017, May 25). \u2018SAW\u2019-ing through the UI: Android overlay malware and the System Alert Window permission explained. 
Retrieved September 18, 2019.", "url": "https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/"}, {"source_name": "ThreatFabric Cerberus", "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}, {"source_name": "Skycure-Accessibility", "description": "Yair Amit. (2016, March 3). \u201cAccessibility Clickjacking\u201d \u2013 The Next Evolution in Android Malware that Impacts More Than 500 Million Devices. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20170211204349/https://www.skycure.com/blog/accessibility-clickjacking/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "created": "2017-10-25T14:48:11.535Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1432", "external_id": "T1432"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:38.397Z", "name": "Access Contact List", "description": "An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly 
access files containing contact list data.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access contact list information through the device settings screen, and the user can choose to revoke the permissions.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "created": "2022-03-30T19:53:27.791Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1645", "external_id": "T1645"}, {"source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:49.029Z", "name": "Compromise Client Software Binary", "description": "Adversaries may modify system software binaries to establish persistent access to devices. System software binaries are used by the underlying operating system and users over adb or terminal emulators. \n\nAdversaries may make modifications to client software binaries to carry out malicious tasks when those binaries are executed. 
For example, malware may come with a pre-compiled malicious binary intended to overwrite the genuine one on the device. Since these binaries may be routinely executed by the system or user, the adversary can leverage this for persistent access to the device. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. Application vetting services could detect applications trying to modify files in protected parts of the operating system.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "created": "2022-03-30T19:20:37.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1406/002", "external_id": "T1406.002"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:49.224Z", "name": "Software Packing", "description": "Adversaries may perform software packing to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. 
Most decompression techniques decompress the executable code in memory. \n\nUtilities used to perform software packing are called packers. An example packer is FTT. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS", "Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "created": "2017-10-25T14:48:16.288Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1445", "external_id": "T1445"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:38.597Z", "name": "Abuse of iOS Enterprise App Signing Key", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", "created": "2017-10-25T14:48:09.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, 
"external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1450", "external_id": "T1450"}, {"source_name": "3GPP-Security", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf"}, {"source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"}, {"source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport"}, {"source_name": "Positive-SS7", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf"}, {"source_name": "Engel-SS7-2008", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI"}, {"source_name": "Engel-SS7", "description": "Tobias Engel. (2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html", "external_id": "CEL-38"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:38.781Z", "name": "Exploit SS7 to Track Device Location", "description": "An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. 
(Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC-WG1-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "created": "2020-04-28T14:35:37.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1575", "external_id": "T1575"}, {"source_name": "Google NDK Getting Started", "description": "Google. (2019, December 27). Getting Started with the NDK. Retrieved April 28, 2020.", "url": "https://developer.android.com/ndk/guides"}, {"source_name": "MITRE App Vetting Effectiveness", "description": "M. Peck, C. Northern. (2016, August 22). Analyzing the Effectiveness of App Vetting Tools in the Enterprise. 
Retrieved April 28, 2020.", "url": "https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:49.389Z", "name": "Native API", "description": "Adversaries may use Android\u2019s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.\n\nThe NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)\n\nAdversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "This is abuse of standard OS-level APIs and are therefore typically undetectable to the end user.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "created": "2018-10-17T00:14:20.652Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1476", "external_id": "T1476"}, {"source_name": "IBTimes-ThirdParty", "description": "A Prasad. (2016, February 19). Danger lurks in third-party Android app stores. Retrieved November 8, 2018.", "url": "https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861"}, {"source_name": "TrendMicro-RootingMalware", "description": "Jordan Pan. (2016, February 10). User Beware: Rooting Malware Found in 3rd Party App Stores. Retrieved November 8, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/"}, {"source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"}, {"source_name": "TrendMicro-FlappyBird", "description": "Veo Zhang. (2014, February 18). Flappy Bird and Third-Party App Stores. 
Retrieved November 8, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", "external_id": "AUT-9"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html", "external_id": "ECO-13"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html", "external_id": "ECO-21"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:39.001Z", "name": "Deliver Malicious App via Other Means", "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.\n\nDelivery methods for the malicious application include:\n\n* [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.\n* [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. 
SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.\n* Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)\n\nSome Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution may be able to identify the presence of apps installed from sources other than an authorized app store. \n* An EMM/MDM or mobile threat defense solution may be able to identify Android devices configured to allow apps to be installed from \"Unknown Sources\".\n* Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--537ea573-8a1c-468c-956b-d16d2ed9d067", "created": "2017-10-25T14:48:07.827Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1469", "external_id": "T1469"}, {"source_name": "Honan-Hacking", "description": "Mat Honan. (2012, August 6). 
How Apple and Amazon Security Flaws Led to My Epic Hacking. Retrieved December 29, 2016.", "url": "https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "external_id": "ECO-5"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "external_id": "EMM-7"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:39.181Z", "name": "Remotely Wipe Data Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "Google provides the ability for users to view their general account activity. Apple iCloud also provides notifications to users of account activity.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, {"modified": "2023-09-28T17:02:58.893Z", "name": "Exploitation for Client Execution", "description": "Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to insecure coding practices that can lead to unanticipated behavior. 
Adversaries may take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility. \n\nAdversaries may use device-based zero-click exploits for code execution. These exploits are powerful because there is no user interaction required for code execution. \n\n### SMS/iMessage Delivery \n\nSMS and iMessage in iOS are common targets through [Drive-By Compromise](https://attack.mitre.org/techniques/T1456), [Phishing](https://attack.mitre.org/techniques/T1660), etc. Adversaries may use embed malicious links, files, etc. in SMS messages or iMessages. Mobile devices may be compromised through one-click exploits, where the victim must interact with a text message, or zero-click exploits, where no user interaction is required. \n\n### AirDrop \n\nUnique to iOS, AirDrop is a network protocol that allows iOS users to transfer files between iOS devices. Before patches from Apple were released, on iOS 13.4 and earlier, adversaries may force the Apple Wireless Direct Link (AWDL) interface to activate, then exploit a buffer overflow to gain access to the device and run as root without interaction from the user. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "execution"}], "x_mitre_contributors": ["Giorgi Gurgenidze, ISAC"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "created": "2023-08-23T22:13:27.313Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1658", "external_id": "T1658"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "created": "2020-11-30T14:26:07.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1604", "external_id": "T1604"}, {"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:49.548Z", "name": "Proxy Through Victim", "description": "Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. 
This masquerades an adversary\u2019s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)\n\nThe most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the `Proxy` API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", "created": "2019-09-23T13:11:43.694Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1520", "external_id": "T1520"}, {"source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"}, {"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:39.358Z", "name": "Domain Generation Algorithms", "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There is a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, another more general approach for detecting a suspicious domain is to check for recently registered names or for rarely visited domains.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "created": "2017-10-25T14:48:20.727Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1435", "external_id": "T1435"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:39.545Z", "name": "Access Calendar Entries", "description": "An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On both Android (6.0 and up) and iOS, the user can view which applications have permission to access calendar information through the device settings screen, and the user can choose to revoke the permissions.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": 
["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", "created": "2017-10-25T14:48:21.354Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1465", "external_id": "T1465"}, {"source_name": "Kaspersky-DarkHotel", "description": "Alex Drozhzhin. (2014, November 10). Darkhotel: a spy campaign in luxury Asian hotels. Retrieved December 24, 2016.", "url": "https://blog.kaspersky.com/darkhotel-apt/6613/"}, {"source_name": "NIST-SP800153", "description": "M. Souppaya and K. Scarfone. (2012, February). NIST SP 800-153 Guidelines for Securing Wireless Local Area Networks (WLANs). Retrieved December 24, 2016.", "url": "http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html", "external_id": "LPN-0"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:39.717Z", "name": "Rogue Wi-Fi Access Points", "description": "An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, 
{"type": "attack-pattern", "id": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "created": "2019-11-19T17:32:20.373Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1541", "external_id": "T1541"}, {"source_name": "Android-SensorsOverview", "description": "Google. (n.d.). Sensors Overview. Retrieved November 19, 2019.", "url": "https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices"}, {"source_name": "Android-ForegroundServices", "description": "Google. (n.d.). Services overview. Retrieved November 19, 2019.", "url": "https://developer.android.com/guide/components/services.html#Foreground"}, {"source_name": "TrendMicro-Yellow Camera", "description": "Song Wang. (2019, October 18). Fake Photo Beautification Apps on Google Play can Read SMS Verification Code to Trigger Wireless Application Protocol (WAP)/Carrier Billing. Retrieved November 19, 2019.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/"}, {"source_name": "BlackHat Sutter Android Foreground 2019", "description": "Thomas Sutter. (2019, December). Simple Spyware Androids Invisible Foreground Services and How to (Ab)use Them. 
Retrieved December 26, 2019.", "url": "https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", "external_id": "APP-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:49.743Z", "name": "Foreground Persistence", "description": "Adversaries may abuse Android's `startForeground()` API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android\u2019s `startForeground()` API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)\n\nMalicious applications may abuse the `startForeground()` API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. 
This would allow unhindered access to the device\u2019s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)\n\nMalicious applications may also abuse the `startForeground()` API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Lorin Wu, Trend Micro"], "x_mitre_deprecated": false, "x_mitre_detection": "Users can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong. Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-11-17T13:26:29.167Z", "name": "Replication Through Removable Media", "description": "Adversaries may move onto devices by exploiting or copying malware to devices connected via USB. 
In the case of Lateral Movement, adversaries may utilize the physical connection of a device to a compromised or malicious charging station or PC to bypass application store requirements and install malicious applications directly.(Citation: Lau-Mactans) In the case of Initial Access, adversaries may attempt to exploit the device via the connection to gain access to data stored on the device.(Citation: Krebs-JuiceJacking) Examples of this include: \n \n* Exploiting insecure bootloaders in a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location.(Citation: IBM-NexusUSB) \n* Exploiting weakly-enforced security boundaries in Android devices such as the Google Pixel 2 over USB.(Citation: GoogleProjectZero-OATmeal) \n* Products from Cellebrite and Grayshift purportedly that can exploit some iOS devices using physical access to the data port to unlock the passcode.(Citation: Computerworld-iPhoneCracking) ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement"}], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "created": "2017-10-25T14:48:23.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1458", "external_id": "T1458"}, {"source_name": "Krebs-JuiceJacking", "description": "Brian Krebs. (2011, August 17). Beware of Juice-Jacking. 
Retrieved December 23, 2016.", "url": "http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/"}, {"source_name": "GoogleProjectZero-OATmeal", "description": "Jann Horn. (2018, September 10). OATmeal on the Universal Cereal Bus: Exploiting Android phones over USB. Retrieved September 18, 2018.", "url": "https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html"}, {"source_name": "Lau-Mactans", "description": "Lau et al.. (2013). Mactans: Injecting Malware Into iOS Devices Via Malicious Chargers. Retrieved December 23, 2016.", "url": "https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf"}, {"source_name": "Computerworld-iPhoneCracking", "description": "Lucas Mearian. (2018, May 9). Two vendors now sell iPhone cracking technology \u2013 and police are buying. Retrieved November 17, 2024.", "url": "https://www.techcentral.ie/two-vendors-now-sell-iphone-cracking-technology-police-buying/"}, {"source_name": "IBM-NexusUSB", "description": "Roee Hay. (2017, January 5). Android Vulnerabilities: Attacking Nexus 6 and 6P Custom Boot Modes. 
Retrieved January 11, 2017.", "url": "https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html", "external_id": "PHY-1"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", "external_id": "PHY-2"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-6.html", "external_id": "STA-6"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "created": "2017-10-25T14:48:12.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1429", "external_id": "T1429"}, {"source_name": "Manifest.permission", "description": "Android Developers. (2022, March 17). Voice Call. Retrieved April 1, 2022.", "url": "https://developer.android.com/reference/android/media/MediaRecorder.AudioSource#VOICE_CALL"}, {"source_name": "Requesting Auth-Media Capture", "description": "Apple Developers. (n.d.). Requesting Authorization for Media Capture on iOS. Retrieved April 1, 2022.", "url": "https://developer.apple.com/documentation/avfoundation/cameras_and_media_capture/requesting_authorization_for_media_capture_on_ios"}, {"source_name": "Android Permissions", "description": "Google. (2021, August 11). Manifest.permission. Retrieved September 22, 2021.", "url": "https://developer.android.com/reference/android/Manifest.permission"}, {"source_name": "Android Privacy Indicators", "description": "Google. 
(n.d.). Privacy Indicators. Retrieved April 20, 2022.", "url": "https://source.android.com/devices/tech/config/privacy-indicators"}, {"source_name": "iOS Mic Spyware", "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", "external_id": "APP-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:49.937Z", "name": "Audio Capture", "description": "Adversaries may capture audio to collect information by leveraging standard operating system APIs of a mobile device. Examples of audio information adversaries may target include user conversations, surroundings, phone calls, or other sensitive information. \n\n \n\nAndroid and iOS, by default, require that applications request device microphone access from the user. \n\n \n\nOn Android devices, applications must hold the `RECORD_AUDIO` permission to access the microphone or the `CAPTURE_AUDIO_OUTPUT` permission to access audio output. Because Android does not allow third-party applications to hold the `CAPTURE_AUDIO_OUTPUT` permission by default, only privileged applications, such as those distributed by Google or the device vendor, can access audio output.(Citation: Android Permissions) However, adversaries may be able to gain this access after successfully elevating their privileges. 
With the `CAPTURE_AUDIO_OUTPUT` permission, adversaries may pass the `MediaRecorder.AudioSource.VOICE_CALL` constant to `MediaRecorder.setAudioOutput`, allowing capture of both voice call uplink and downlink.(Citation: Manifest.permission) \n\n \n\nOn iOS devices, applications must include the `NSMicrophoneUsageDescription` key in their `Info.plist` file to access the microphone.(Citation: Requesting Auth-Media Capture)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)\n \n\nAndroid applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized. \n\n \n\nIn both Android (6.0 and up) and iOS, users can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. 
", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "3.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "created": "2022-03-30T14:49:18.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1625", "external_id": "T1625"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:50.121Z", "name": "Hijack Execution Flow", "description": "Adversaries may execute their own malicious payloads by hijacking the way operating systems run applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur over time. \n\nThere are many ways an adversary may hijack the flow of execution. A primary way is by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. 
Locations where the operating system looks for programs or resources, such as file directories, could also be poisoned to include malicious payloads.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "created": "2022-03-30T13:59:50.479Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1623/001", "external_id": "T1623.001"}, {"source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:50.314Z", "name": "Unix Shell", "description": "Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the underlying command prompts on Android and iOS devices. Unix shells can control every aspect of a system, with certain commands requiring elevated privileges that are only accessible if the device has been rooted or jailbroken. \n\nUnix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. 
Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems. \n\nAdversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with SSH. Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence. \n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Command-line activities can potentially be detected through Mobile Threat Defense integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.\n\nApplication vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "created": "2017-10-25T14:48:33.158Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1437", "external_id": "T1437"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html", "external_id": "APP-29"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:50.479Z", "name": "Application Layer Protocol", "description": "Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the mobile device, and often the results of those commands, will be embedded within the protocol traffic between the mobile device and server. 
\n\nAdversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Abuse of standard application protocols can be difficult to detect as many legitimate mobile applications leverage such protocols for language-specific APIs. Enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "created": "2017-10-25T14:48:11.861Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1431", "external_id": "T1431"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:39.890Z", "name": "App Delivered via Web Download", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "created": "2017-10-25T14:48:14.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1407", "external_id": "T1407"}, {"source_name": "FireEye-JSPatch", "description": "Jing Xie, Zhaofeng Chen, Jimmy Su. (2016, January 27). HOT OR NOT? 
THE BENEFITS AND RISKS OF IOS REMOTE HOT PATCHING. Retrieved December 9, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", "external_id": "APP-20"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:50.660Z", "name": "Download New Code at Runtime", "description": "Adversaries may download and execute dynamic code not included in the original application package after installation. This technique is primarily used to evade static analysis checks and pre-publication scans in official app stores. In some cases, more advanced dynamic or behavioral analysis techniques could detect this behavior. However, in conjunction with [Execution Guardrails](https://attack.mitre.org/techniques/T1627) techniques, detecting malicious code downloaded after installation could be difficult.\n\nOn Android, dynamic code could include native code, Dalvik code, or JavaScript code that utilizes Android WebView\u2019s `JavascriptInterface` capability. \n\nOn iOS, dynamic code could be downloaded and executed through 3rd party libraries such as JSPatch. (Citation: FireEye-JSPatch) ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Existing network infrastructure may detect network calls to known malicious domains or the transfer of malicious payloads over the network. Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious. 
Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities). Unfortunately, this is only a partial mitigation, as additional scrutiny would still need to be applied to applications that use these techniques. These techniques are often used without malicious intent, and applications may employ other techniques to hide their use of these techniques.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.5", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2025-02-27T22:56:19.681Z", "name": "Exploitation for Initial Access", "description": "Adversaries may exploit software vulnerabilities to gain initial access to a mobile device. \n\nThis can be accomplished in a variety of ways. Vulnerabilities may be present in the applications, the services, the underlying operating system, or the kernel itself. Several well-known mobile device exploits exist, including FORCEDENTRY, StageFright, and BlueBorne. Furthermore, some exploits may be possible to exploit without any user interaction (i.e. zero-click exploits, see [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1658)), making them particularly dangerous. Mobile operating system vendors are typically very quick to patch such critical bugs, ensuring only a small window where they can be exploited. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "type": "attack-pattern", "id": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "created": "2023-12-05T22:14:54.813Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1664", "external_id": "T1664"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", "created": "2017-10-25T14:48:21.023Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1468", "external_id": "T1468"}, {"source_name": "Krebs-Location", "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. 
Retrieved November 8, 2018.", "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "external_id": "ECO-5"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "external_id": "EMM-7"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:40.105Z", "name": "Remotely Track Device Without Authorization", "description": "An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "remote-service-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity. 
Apple iCloud also provides notifications to users of account activity.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "created": "2022-03-30T17:53:35.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1633/001", "external_id": "T1633.001"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:50.837Z", "name": "System Checks", "description": "Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behavior after checking for the presence of artifacts indicative of a virtual environment or sandbox. If the adversary detects a virtual environment, they may alter their malware\u2019s behavior to disengage from the victim or conceal the core functions of the implant. They may also search for virtualization artifacts before dropping secondary or additional payloads. \n\nChecks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. \n\nHardware checks, such as the presence of motion sensors, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-11-17T18:31:54.805Z", "name": "Stored Application Data", "description": "Adversaries may try to access and collect application data resident on the device. Adversaries often target popular applications, such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019) \n\n \n\nDue to mobile OS sandboxing, this technique is only possible in three scenarios: \n\n \n\n* An application stores files in unprotected external storage \n* An application stores files in its internal storage directory with insecure permissions (e.g. 
777) \n* The adversary gains root permissions on the device ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "3.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "created": "2017-10-25T14:48:15.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1409", "external_id": "T1409"}, {"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html", "external_id": "AUT-0"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "created": "2019-08-08T18:34:14.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1513", "external_id": "T1513"}, {"source_name": "Android ScreenCap2 2019", "description": "Android Developers. (n.d.). 
Android Debug Bridge (adb). Retrieved August 8, 2019.", "url": "https://developer.android.com/studio/command-line/adb"}, {"source_name": "Android ScreenCap1 2019", "description": "Android Developers. (n.d.). Android MediaProjectionManager. Retrieved August 8, 2019.", "url": "https://developer.android.com/reference/android/media/projection/MediaProjectionManager"}, {"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}, {"source_name": "Fortinet screencap July 2019", "description": "Dario Durando. (2019, July 3). BianLian: A New Wave Emerges. Retrieved September 4, 2019.", "url": "https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html"}, {"source_name": "Trend Micro ScreenCap July 2015", "description": "Zhang, V. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved August 8, 2019.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html", "external_id": "APP-40"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:50.988Z", "name": "Screen Capture", "description": "Adversaries may use screen capture to collect additional information about a target device, such as applications running in the foreground, user data, credentials, or other sensitive information. 
Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android `MediaProjectionManager` (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android `screencap` or `screenrecord` commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015) ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "The user can view a list of apps with accessibility service privileges in the device settings. Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.3", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "created": "2022-04-06T13:39:39.779Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1641/001", "external_id": "T1641.001"}, {"source_name": "ESET Clipboard Modification February 2019", "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. 
Retrieved July 26, 2019.", "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:51.156Z", "name": "Transmitted Data Manipulation", "description": "Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity. By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nManipulation may be possible over a network connection or between system processes where there is an opportunity to deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.\n\nOne method to achieve [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) is by modifying the contents of the device clipboard. Malicious applications may monitor clipboard activity through the `ClipboardManager.OnPrimaryClipChangedListener` interface on Android to determine when clipboard contents have changed. Listening to clipboard activity, reading clipboard contents, and modifying clipboard contents requires no explicit application permissions and can be performed by applications running in the background. However, this behavior has changed with the release of Android 10.\n\nAdversaries may use [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) to replace text prior to being pasted. 
For example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1641/001) was seen within the Android/Clipper.C trojan. This sample was detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "created": "2017-10-25T14:48:07.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1452", "external_id": "T1452"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:40.278Z", "name": "Manipulate App Store Rankings or Ratings", "description": "An adversary could use access to a compromised device's credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. 
This technique likely requires privileged access (a rooted or jailbroken device).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "created": "2017-10-25T14:48:32.008Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1416", "external_id": "T1416"}, {"source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"}, {"source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:40.453Z", "name": "URI Hijacking", "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.\n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. 
If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-11-17T13:32:52.030Z", "name": "Compromise Software Dependencies and Development Tools", "description": "Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency.(Citation: Grace-Advertisement)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_deprecated": false, "x_mitre_detection": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. 
Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "created": "2022-03-28T19:31:51.978Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474/001", "external_id": "T1474.001"}, {"source_name": "Grace-Advertisement", "description": "M. Grace et al. (2012, April 16-18). Unsafe exposure analysis of mobile in-app advertisements. Retrieved November 17, 2024.", "url": "https://dl.acm.org/doi/10.1145/2185448.2185464"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html", "external_id": "APP-6"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-0.html", "external_id": "SPC-0"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-3.html", "external_id": "SPC-3"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-9.html", "external_id": "SPC-9"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-10.html", "external_id": "SPC-10"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-15.html", 
"external_id": "SPC-15"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "created": "2019-10-02T14:46:43.632Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1523", "external_id": "T1523"}, {"source_name": "Sophos Anti-emulation", "description": "Chen Yu et al. . (2017, April 13). Android malware anti-emulation techniques. Retrieved October 2, 2019.", "url": "https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/"}, {"source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"}, {"source_name": "Cyberscoop Evade Analysis January 2019", "description": "Jeff Stone. (2019, January 18). Sneaky motion-detection feature found on Android malware. Retrieved October 2, 2019.", "url": "https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/"}, {"source_name": "ThreatFabric Cerberus", "description": "ThreatFabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved September 18, 2019.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}, {"source_name": "Github Anti-emulator", "description": "Tim Strazzere. (n.d.). Android Anti-Emulator. Retrieved October 2, 2019.", "url": "https://github.com/strazzere/anti-emulator"}, {"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). 
Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:40.634Z", "name": "Evade Analysis Environment", "description": "Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. \nAdversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access `android.os.SystemProperties` via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)\n", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Analysis Environment avoidance capabilities can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": 
"attack-pattern", "id": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "created": "2022-04-01T15:15:35.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1635/001", "external_id": "T1635.001"}, {"source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html"}, {"source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"}, {"source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636"}, {"source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:51.304Z", "name": "URI Hijacking", "description": "Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data. \n\nApplications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. 
If an adversary were to register for a URI that was already in use by a genuine application, the adversary may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the adversary to gain access to protected resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE) ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Leo Zhang, Trend Micro", "Steven Du, Trend Micro"], "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it. When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. 
(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "created": "2022-03-30T18:05:46.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1632", "external_id": "T1632"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "external_id": "STA-7"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:51.458Z", "name": "Subvert Trust Controls", "description": "Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted applications. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features include: an app being allowed to run because it is signed by a valid code signing certificate; an OS prompt alerting the user that an app came from an untrusted source; or getting an indication that you are about to connect to an untrusted site. The method adversaries use will depend on the specific mechanism they seek to subvert. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. 
A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "created": "2017-10-25T14:48:11.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1433", "external_id": "T1433"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:40.824Z", "name": "Access Call Log", "description": "On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.\n\nOn iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android 6.0 and 
up, the user can view which applications have permission to access call log information through the device settings screen, and the user can choose to revoke the permissions.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "created": "2020-09-11T15:04:14.532Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1581", "external_id": "T1581"}, {"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}, {"source_name": "Apple Location Services", "description": "Apple. (n.d.). Requesting Authorization for Location Services. Retrieved September 11, 2020.", "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services"}, {"source_name": "Android Geofencing API", "description": "Google. (n.d.). Create and monitor geofences. Retrieved September 11, 2020.", "url": "https://developer.android.com/training/location/geofencing"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:41.041Z", "name": "Geofencing", "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. 
For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.\n\nOne method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \u201cAllow only while using the app\u201d, which will effectively prohibit background location collection.(Citation: Android Geofencing API)\n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call `requestWhenInUseAuthorization()` or `requestAlwaysAuthorization()`, depending on when access to the location services is required. 
Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)\n\n[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "created": "2017-10-25T14:48:29.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1401", "external_id": "T1401"}, {"source_name": "Android DeviceAdminInfo", "description": "Google. (n.d.). DeviceAdminInfo. 
Retrieved November 20, 2020.", "url": "https://developer.android.com/reference/android/app/admin/DeviceAdminInfo"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:41.218Z", "name": "Device Administrator Permissions", "description": "Adversaries may request device administrator permissions to perform malicious actions.\n\nBy abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device\u2019s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Users can see when an app requests device administrator permissions. 
Users can also view which apps have device administrator permissions in the settings menu.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "created": "2017-10-25T14:48:34.830Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1443", "external_id": "T1443"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:41.398Z", "name": "Remotely Install Application", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "created": "2022-04-01T15:01:32.169Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1634/001", "external_id": "T1634.001"}, {"source_name": "Apple Keychain Services", "description": "Apple, Inc.. (n.d.). Keychain Services. Retrieved June 24, 2020.", "url": "https://developer.apple.com/documentation/security/keychain_services"}, {"source_name": "Elcomsoft Decrypt Keychain", "description": "V. Katalov. (2018, December 18). Six Ways to Decrypt iPhone Passwords from the Keychain. 
Retrieved June 24, 2020.", "url": "https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", "external_id": "AUT-11"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:51.670Z", "name": "Keychain", "description": "Adversaries may collect keychain data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials. \n\nOn the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, adversaries can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain) ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. 
Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--88932a8c-3a17-406f-9431-1da3ff19f6d6", "created": "2017-10-25T14:48:29.092Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1403", "external_id": "T1403"}, {"source_name": "Sabanal-ART", "description": "Paul Sabanal. (2015). Hiding Behind ART. Retrieved December 21, 2016.", "url": "https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:41.585Z", "name": "Modify Cached Executable Code", "description": "ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. 
Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "Modifications to cached executable code can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversary behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--89fcd02f-62dc-40b9-a54b-9ac4b1baef05", "created": "2017-10-25T14:48:28.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1419", "external_id": "T1419"}, {"source_name": "Android-Build", "description": "Android. (n.d.). Build. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/os/Build"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:41.755Z", "name": "Device Type Discovery", "description": "On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). 
Device information could be used to target privilege escalation exploits.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "created": "2020-05-04T13:49:34.706Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1576", "external_id": "T1576"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html", "external_id": "APP-43"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:41.929Z", "name": "Uninstall Malicious Application", "description": "Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:\n\n* Abusing device owner permissions to perform silent uninstallation using device owner API calls.\n* Abusing root permissions to delete files from the filesystem.\n* Abusing the accessibility service. 
This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2025-03-14T17:56:26.095Z", "name": "Virtualization Solution", "description": "Adversaries may carry out malicious operations using virtualization solutions to escape from Android sandboxes and to avoid detection. Android uses sandboxes to separate resources and code execution between applications and the operating system.(Citation: Android Application Sandbox) There are a few virtualization solutions available on Android, such as the Android Virtualization Framework (AVF).(Citation: Android AVF Overview) \n\n \n\nThrough virtualization solutions, adversaries may execute malicious operations without user knowledge. For example, adversaries may mimic a legitimate banking application\u2019s functionalities in a virtual environment, thanks to the virtualization solution, while malicious code captures credentials. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_contributors": ["Liran Ravich, CardinalOps"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "created": "2025-03-14T17:56:26.095Z", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1670", "external_id": "T1670"}, {"source_name": "Android AVF Overview", "description": "Android Open Source Project. (n.d.). Android Virtualization Framework (AVF) overview. Retrieved February 26, 2025.", "url": "https://source.android.com/docs/core/virtualization"}, {"source_name": "Android Application Sandbox", "description": "Android Open Source Project. (n.d.). Application Sandbox. Retrieved February 26, 2025.", "url": "https://source.android.com/docs/security/app-sandbox"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "created": "2017-10-25T14:48:31.694Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1447", "external_id": "T1447"}, {"source_name": "Android DevicePolicyManager 2019", "description": "Android Developers. (n.d.). DevicePolicyManager. 
Retrieved September 22, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:42.129Z", "name": "Delete Device Data", "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)\n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. 
Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "created": "2017-10-25T14:48:09.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1448", "external_id": "T1448"}, {"source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}, {"source_name": "AndroidSecurity2014", "description": "Google. (2014). Android Security 2014 Year in Review. Retrieved December 12, 2016.", "url": "https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:42.305Z", "name": "Carrier Billing Fraud", "description": "A malicious app may trigger fraudulent charges on a victim\u2019s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.\n\nPerforming SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. 
This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)\n\nMalicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)\n\nOn iOS, apps cannot send SMS messages.\n\nOn Android, apps must hold the `SEND_SMS` permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Starting with Android 4.2 the user is prompted and must provide consent before applications can send SMS messages to premium numbers.(Citation: AndroidSecurity2014)\n\nOn Android 6.0 and up, the user can view which applications have permission to send SMS messages through the device settings screen, and the user can choose to revoke the permissions.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--8f142a25-f6c3-4520-bd50-2ae3ab50ed3e", "created": "2017-10-25T14:48:17.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1415", "external_id": "T1415"}, {"source_name": "NIST Mobile Threat Catalogue", "url": 
"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html", "external_id": "AUT-10"}, {"source_name": "FireEye-Masque2", "description": "Hui Xue, Tao Wei, Yulong Zhang, Song Jin, Zhaofeng Chen. (2015, February 19). IOS MASQUE ATTACK REVIVED: BYPASSING PROMPT FOR TRUST AND APP URL SCHEME HIJACKING. Retrieved December 21, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html"}, {"source_name": "Dhanjani-URLScheme", "description": "Nitesh Dhanjani. (2010, November 8). Insecure Handling of URL Schemes in Apple\u2019s iOS. Retrieved December 21, 2016.", "url": "http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html"}, {"source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636"}, {"source_name": "MobileIron-XARA", "description": "Michael T. Raggo. (2015, October 1). iOS URL Scheme Hijacking (XARA) Attack Analysis and Countermeasures. Retrieved December 21, 2016.", "url": "https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:42.505Z", "name": "URL Scheme Hijacking", "description": "An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). 
This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "created": "2022-04-06T15:47:06.071Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481/002", "external_id": "T1481.002"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:51.825Z", "name": "Bidirectional Communication", "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to and receiving output from a compromised system. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. 
This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "created": "2019-08-01T13:44:09.368Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1509", "external_id": "T1509"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:51.980Z", "name": "Non-Standard Port", "description": "Adversaries may generate network traffic using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088 or port 587 as opposed to the traditional port 443. 
Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "created": "2022-03-28T19:25:17.596Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474/003", "external_id": "T1474.003"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", "external_id": "SPC-4"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-11.html", "external_id": "SPC-11"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-12.html", "external_id": "SPC-12"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-18.html", "external_id": "SPC-18"}, {"source_name": "NIST Mobile 
Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-20.html", "external_id": "SPC-20"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:52.139Z", "name": "Compromise Software Supply Chain", "description": "Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can detect malicious code in applications. System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "created": "2022-04-06T15:41:03.914Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481/001", "external_id": "T1481.001"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:52.296Z", "name": "Dead Drop Resolver", "description": "Adversaries may use an existing, legitimate external Web service to host information that points to 
additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "created": "2017-10-25T14:48:12.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1430", "external_id": "T1430"}, {"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. 
Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}, {"source_name": "Android Request Location Permissions", "description": "Android Developers. (2022, March 24). Request Location Permissions. Retrieved April 1, 2022.", "url": "https://developer.android.com/training/location/permissions"}, {"source_name": "Apple Requesting Authorization for Location Services", "description": "Apple Developers. (n.d.). Requesting Authorization for Location Services. Retrieved April 1, 2022.", "url": "https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services"}, {"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}, {"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html", "external_id": "APP-24"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:52.460Z", "name": "Location Tracking", "description": "Adversaries may track a device\u2019s physical location through use of standard operating system APIs via malicious or exploited applications on the compromised device. \n\n \n\nOn Android, applications holding the `ACCESS_COAURSE_LOCATION` or `ACCESS_FINE_LOCATION` permissions provide access to the device\u2019s physical location. 
On Android 10 and up, declaration of the `ACCESS_BACKGROUND_LOCATION` permission in an application\u2019s manifest will allow applications to request location access even when the application is running in the background.(Citation: Android Request Location Permissions) Some adversaries have utilized integration of Baidu map services to retrieve geographical location once the location access permissions had been obtained.(Citation: PaloAlto-SpyDealer)(Citation: Palo Alto HenBox) \n\n \n\nOn iOS, applications must include the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file depending on the extent of requested access to location information.(Citation: Apple Requesting Authorization for Location Services) On iOS 8.0 and up, applications call `requestWhenInUseAuthorization()` to request access to location information when the application is in use or `requestAlwaysAuthorization()` to request access to location information regardless of whether the application is in use. With elevated privileges, an adversary may be able to access location data without explicit user consent with the `com.apple.locationd.preauthorized` entitlement key.(Citation: Google Project Zero Insomnia)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. 
\n\n \n\nIn both Android (6.0 and up) and iOS, users can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "created": "2022-04-01T15:59:05.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1626/001", "external_id": "T1626.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:52.648Z", "name": "Device Administrator Permissions", "description": "Adversaries may abuse Android\u2019s device administration API to obtain a higher degree of control over the device. By abusing the API, adversaries can perform several nefarious actions, such as resetting the device\u2019s password for [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1642), factory resetting the device for [File Deletion](https://attack.mitre.org/techniques/T1630/002) and to delete any traces of the malware, disabling all the device\u2019s cameras, or to make it more difficult to uninstall the app.\n\nDevice administrators must be approved by the user at runtime, with a system popup showing which actions have been requested by the app. 
In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Users are prompted for approval when an application requests device administrator permissions. Users can see which applications are registered as device administrators in the device settings. Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. This indicates it can prompt the user for device administrator permissions.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "created": "2017-10-25T14:48:17.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1446", "external_id": "T1446"}, {"source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"}, {"source_name": "Android resetPassword", "description": "Google. (n.d.). DevicePolicyManager. 
Retrieved October 1, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", "external_id": "APP-28"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:42.681Z", "name": "Device Lockout", "description": "An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. 
However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users can review which applications have device administrator access in the device settings, and revoke permission where appropriate.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "created": "2022-04-05T19:37:15.984Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1430/001", "external_id": "T1430.001"}, {"source_name": "Krebs-Location", "description": "Brian Krebs. (2018, May 17). Tracking Firm LocationSmart Leaked Location Data for Customers of All Major U.S. Mobile Carriers Without Consent in Real Time Via Its Web Site. 
Retrieved November 8, 2018.", "url": "https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html", "external_id": "ECO-5"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html", "external_id": "EMM-7"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:52.807Z", "name": "Remote Device Management Services", "description": "An adversary may use access to cloud services (e.g. Google's Android Device Manager or Apple iCloud's Find my iPhone) or to an enterprise mobility management (EMM)/mobile device management (MDM) server console to track the location of mobile devices managed by the service.(Citation: Krebs-Location) ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. 
", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2023-09-27T21:09:27.288Z", "name": "Data Destruction", "description": "Adversaries may destroy data and files on specific devices or in large numbers to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives. \n\nTo achieve data destruction, adversaries may use the `pm uninstall` command to uninstall packages or the `rm` command to remove specific files. For example, adversaries may first use `pm uninstall` to uninstall non-system apps, and then use `rm (-f) ` to delete specific files, further hiding malicious activity.(Citation: rootnik_rooting_tool)(Citation: abuse_native_linux_tools)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_contributors": ["Liran Ravich, CardinalOps"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "created": "2023-09-22T19:09:15.698Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1662", "external_id": "T1662"}, {"source_name": "rootnik_rooting_tool", "description": "Hu, W., et al. (2015, December 4). Rootnik Android Trojan Abuses Commercial Rooting Tool and Steals Private Information. 
Retrieved September 26, 2023.", "url": "https://unit42.paloaltonetworks.com/rootnik-android-trojan-abuses-commercial-rooting-tool-and-steals-private-information/"}, {"source_name": "abuse_native_linux_tools", "description": "Surana, N., et al. (2022, September 8). How Malicious Actors Abuse Native Linux Tools in Attacks. Retrieved September 26, 2023.", "url": "https://www.trendmicro.com/en_za/research/22/i/how-malicious-actors-abuse-native-linux-tools-in-their-attacks.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--a0464539-e1b7-4455-a355-12495987c300", "created": "2017-10-25T14:48:13.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1427", "external_id": "T1427"}, {"source_name": "ArsTechnica-PoisonTap", "description": "Dan Goodin. (2016, November 16). Meet PoisonTap, the $5 tool that ransacks password-protected computers. Retrieved December 22, 2016.", "url": "http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/"}, {"source_name": "Wang-ExploitingUSB", "description": "Z. Wang and A. Stavrou. (2010, December 6-10). Exploiting smart-phone USB connectivity for fun and profit. 
Retrieved December 22, 2016.", "url": "http://dl.acm.org/citation.cfm?id=1920314"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html", "external_id": "PHY-2"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:42.856Z", "name": "Attack PC via USB Connection", "description": "With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "lateral-movement"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "created": "2017-10-25T14:48:05.928Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1441", "external_id": "T1441"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:43.039Z", "name": "Stolen Developer Credentials or Signing Keys", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": 
"attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", "created": "2017-10-25T14:48:22.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1467", "external_id": "T1467"}, {"source_name": "Computerworld-Femtocell", "description": "Jaikumar Vijayan. (2013, August 1). Researchers exploit cellular tech flaws to intercept phone calls. Retrieved December 24, 2016.", "url": "http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", "external_id": "CEL-7"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:43.216Z", "name": "Rogue Cellular Base Station", "description": "An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. 
A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, {"modified": "2025-02-12T16:26:38.632Z", "name": "SIM Card Swap", "description": "Adversaries may gain access to mobile devices through transfers or swaps from victims\u2019 phone numbers to adversary-controlled SIM cards and mobile devices.(Citation: ATT SIM Swap Scams)(Citation: Verizon SIM Swapping) \n\nThe typical process is as follows: \n\n1. Adversaries will first gather information about victims through [Phishing](https://attack.mitre.org/techniques/T1660), social engineering, data breaches, or other avenues. \n2. Adversaries will then impersonate victims as they contact mobile carriers to request for the SIM swaps. For example, adversaries would provide victims\u2019 name and address to mobile carriers; once authenticated, adversaries would request for victims\u2019 phone numbers to be transferred to adversary-controlled SIM cards. \n3. Once completed, victims will lose mobile data, such as text messages and phone calls, on their mobile devices. In turn, adversaries will receive mobile data that was intended for the victims. \n\nAdversaries may use the intercepted SMS messages to log into online accounts that use SMS-based authentication. Specifically, adversaries may use SMS-based authentication to log into banking and/or cryptocurrency accounts, then transfer funds to adversary-controlled wallets. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_contributors": ["Karim Hasanen, @_karimhasanen", "Jennifer Kim Roman"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Without Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "created": "2017-10-25T14:48:20.329Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1451", "external_id": "T1451"}, {"source_name": "ATT SIM Swap Scams", "description": "AT&T. (n.d.). UPDATE: Secure Your Number to Reduce SIM Swap Scams. Retrieved January 27, 2025.", "url": "https://www.research.att.com/sites/cyberaware/ni/blog/sim_swap.html"}, {"source_name": "Verizon SIM Swapping", "description": "Verizon. (n.d.). SIM Swapping. 
Retrieved January 27, 2025.", "url": "https://www.verizon.com/about/account-security/sim-swapping"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html", "external_id": "STA-22"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "created": "2017-10-25T14:48:27.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1417", "external_id": "T1417"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html", "external_id": "AUT-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:52.964Z", "name": "Input Capture", "description": "Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal device usage, users often provide credentials to various locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Keylogging](https://attack.mitre.org/techniques/T1417/001)) or rely on deceiving the user into providing input into what they believe to be a genuine application prompt (e.g. 
[GUI Input Capture](https://attack.mitre.org/techniques/T1417/002)).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. Users can view and manage installed third-party keyboards.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.3", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "created": "2022-04-06T13:55:14.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1643", "external_id": "T1643"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html", "external_id": "APP-16"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:53.113Z", "name": "Generate Traffic from Victim", "description": "Adversaries may generate outbound traffic from devices. This is typically performed to manipulate external outcomes, such as to achieve carrier billing fraud or to manipulate app store rankings or ratings. Outbound traffic is typically generated as SMS messages or general web traffic, but may take other forms as well.\n\nIf done via SMS messages, Android apps must hold the `SEND_SMS` permission. 
Additionally, sending an SMS message requires user consent if the recipient is a premium number. Applications cannot send SMS messages on iOS", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users can review which applications can use premium SMS features in the \u201cSpecial access\u201d page within application settings. Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "created": "2022-04-08T16:29:30.087Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630/003", "external_id": "T1630.003"}, {"source_name": "Brodie", "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.", "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf"}, {"source_name": "Rastogi", "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. Retrieved December 9, 2016.", "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"}, {"source_name": "Tan", "description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. 
Retrieved February 4, 2017.", "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", "external_id": "EMM-5"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:53.262Z", "name": "Disguise Root/Jailbreak Indicators", "description": "An adversary could use knowledge of the techniques used by security software to evade detection.(Citation: Brodie)(Citation: Tan) For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection.(Citation: Rastogi)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can use attestation to detect compromised devices.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--a93ccb8f-3996-42e2-b7c7-bb599d4e205f", "created": "2017-10-25T14:48:35.247Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1444", "external_id": "T1444"}, {"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). 
HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}, {"source_name": "Zhou", "description": "Yajin Zhou and Xuxian Jiang. (2012, May). Dissecting Android Malware: Characterization and Evolution. Retrieved December 9, 2016.", "url": "http://ieeexplore.ieee.org/document/6234407"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", "external_id": "APP-14"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:43.392Z", "name": "Masquerade as Legitimate Application", "description": "An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.\n\nEmbedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.\n\nPretending to be a legitimate application relies heavily on lack of scrutinization by the user. 
Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)\n\nMalicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Alex Hinchliffe, Palo Alto Networks"], "x_mitre_deprecated": true, "x_mitre_detection": "Users can detect malicious applications by watching for nuances that could indicate the application is not the intended one when it is being installed.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "created": "2017-10-25T14:48:19.682Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1457", "external_id": "T1457"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:43.584Z", "name": "Malicious Media Content", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "created": "2022-04-01T12:48:27.021Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/001", "external_id": "T1636.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:53.420Z", "name": "Calendar Entries", "description": "Adversaries may utilize standard operating system APIs to gather calendar entry data. On Android, this can be accomplished using the Calendar Content Provider. On iOS, this can be accomplished using the `EventKit` framework. \n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access [Calendar Entries](https://attack.mitre.org/techniques/T1636/001) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. 
", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1"}, {"type": "attack-pattern", "id": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "created": "2022-03-30T19:36:09.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1630/002", "external_id": "T1630.002"}, {"source_name": "Android DevicePolicyManager 2019", "description": "Android Developers. (n.d.). DevicePolicyManager. Retrieved September 22, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:53.593Z", "name": "File Deletion", "description": "Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location.(Citation: Android DevicePolicyManager 2019) \n\nStored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can detect which applications can request device administrator permissions. 
Users can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "created": "2022-04-01T18:49:03.892Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629/002", "external_id": "T1629.002"}, {"source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}, {"source_name": "Android resetPassword", "description": "Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)"}, {"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}, {"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:53.782Z", "name": "Device Lockout", "description": "An adversary may seek to inhibit user interaction by locking the legitimate user out of the device. This is typically accomplished by requesting device administrator permissions and then locking the screen using `DevicePolicyManager.lockNow()`. Other novel techniques for locking the user out of the device have been observed, such as showing a persistent overlay, using carefully crafted \u201ccall\u201d notification screens, and locking HTML pages in the foreground. These techniques can be very difficult to get around, and typically require booting the device into safe mode to uninstall the malware.(Citation: Microsoft MalLockerB)(Citation: Talos GPlayed)(Citation: securelist rotexy 2018)\n\nPrior to Android 7, device administrators were able to reset the device lock passcode to prevent the user from unlocking the device. The release of Android 7 introduced updates that only allow device or profile owners (e.g. MDMs) to reset the device\u2019s passcode.(Citation: Android resetPassword)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Users can view a list of device administrators in device settings and revoke permission where appropriate. 
Applications that request device administrator permissions should be scrutinized further for malicious behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "created": "2022-04-05T19:45:03.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1417/001", "external_id": "T1417.001"}, {"source_name": "Zeltser-Keyboard", "description": "Lenny Zeltser. (2016, July 30). Security of Third-Party Keyboard Apps on Mobile Devices. Retrieved December 21, 2016.", "url": "https://zeltser.com/third-party-keyboards-security/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-13.html", "external_id": "AUT-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:53.936Z", "name": "Keylogging", "description": "Adversaries may log user keystrokes to intercept credentials or other information from the user as the user types them.\n\nSome methods of keylogging include:\n\n* Masquerading as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.\n* Abusing accessibility features. 
On Android, adversaries may abuse accessibility features to record keystrokes by registering an `AccessibilityService` class, overriding the `onAccessibilityEvent` method, and listening for the `AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED` event type. The event object passed into the function will contain the data that the user typed. \n*Additional methods of keylogging may be possible if root access is available. \n", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, users can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. \n\nApplication vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, users can view and manage which applications can use accessibility services through the device settings in Accessibility. 
The exact device settings menu locations may vary between operating system versions.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "created": "2020-09-11T15:14:33.730Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1582", "external_id": "T1582"}, {"source_name": "Android SmsProvider", "description": "Google. (n.d.). SmsProvider.java. Retrieved September 11, 2020.", "url": "https://android.googlesource.com/platform/packages/providers/TelephonyProvider/+/7e7c274/src/com/android/providers/telephony/SmsProvider.java"}, {"source_name": "SMS KitKat", "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.", "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html", "external_id": "APP-16"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html", "external_id": "CEL-41"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:54.090Z", "name": "SMS Control", "description": "Adversaries may delete, alter, or send SMS messages without user authorization. 
This could be used to hide C2 SMS messages, spread malware, or various external effects.\n\nThis can be accomplished by requesting the `RECEIVE_SMS` or `SEND_SMS` permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the `SMS_DELIVER` broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Users can view the default SMS handler in system settings.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", "created": "2017-10-25T14:48:14.003Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1408", "external_id": "T1408"}, {"source_name": "Brodie", "description": "Daniel Brodie. (2016). Practical Attacks against Mobile Device Management (MDM). Retrieved December 21, 2016.", "url": "https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf"}, {"source_name": "Rastogi", "description": "Vaibhav Rastogi, Yan Chen, and Xuxian Jiang. (2013, May). DroidChameleon: Evaluating Android Anti-malware against Transformation Attacks. 
Retrieved December 9, 2016.", "url": "http://pages.cs.wisc.edu/~vrastogi/static/papers/rcj13b.pdf"}, {"source_name": "Tan", "description": "Vincent Tan. (2016, August). BAD FOR ENTERPRISE: ATTACKING BYOD ENTERPRISE MOBILE SECURITY SOLUTIONS. Retrieved February 4, 2017.", "url": "http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html", "external_id": "EMM-5"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:43.756Z", "name": "Disguise Root/Jailbreak Indicators", "description": "An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed \"su\" binary, but that check could be evaded by naming the binary something else. 
Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "created": "2017-10-25T14:48:27.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1438", "external_id": "T1438"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html", "external_id": "APP-30"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:43.920Z", "name": "Exfiltration Over Other Network Medium", "description": "Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a standard Internet connection, the exfiltration may occur, for example, via Bluetooth, or another radio frequency (RF) channel. \n\nAdversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Exfiltration over other network mediums can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b", "created": "2017-10-25T14:48:26.473Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1440", "external_id": "T1440"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:44.130Z", "name": "Detect App Analysis Environment", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "created": "2022-03-30T18:50:43.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1631", "external_id": "T1631"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:54.246Z", "name": "Process Injection", "description": "Adversaries may inject code into processes in order to evade process-based defenses or even elevate privileges. 
Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. \n\nBoth Android and iOS have no legitimate way to achieve process injection. The only way this is possible is by abusing existing root access or exploiting a vulnerability.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for misuse of dynamic libraries.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "created": "2017-10-25T14:48:24.905Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1462", "external_id": "T1462"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:44.301Z", "name": "Malicious Software Development Tools", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "created": "2022-04-05T20:14:17.310Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1521/001", "external_id": "T1521.001"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:54.401Z", "name": "Symmetric Cryptography", "description": "Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic, rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, Blowfish, and RC4.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "created": "2017-10-25T14:48:30.127Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1402", "external_id": "T1402"}, {"source_name": "Android Changes to System Broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. 
Retrieved January 27, 2020.", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:44.489Z", "name": "Broadcast Receivers", "description": "An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.\n\nFurther, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.\n\nIn Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. 
Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Broadcast intent receivers are part of standard OS-level APIs and are therefore typically undetectable to the end user.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-02-21T20:44:44.404Z", "name": "Wi-Fi Discovery", "description": "Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Adversaries may use Wi-Fi information as part of [Discovery](https://attack.mitre.org/tactics/TA0032) or [Credential Access](https://attack.mitre.org/tactics/TA0031) activity to support both ongoing and future campaigns. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "created": "2024-02-21T20:44:44.404Z", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1422/002", "external_id": "T1422.002"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "created": "2022-03-28T19:30:15.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1474/002", "external_id": "T1474.002"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-1.html", "external_id": "SPC-1"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-2.html", "external_id": "SPC-2"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-4.html", "external_id": "SPC-4"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-5.html", "external_id": "SPC-5"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-6.html", 
"external_id": "SPC-6"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-7.html", "external_id": "SPC-7"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-8.html", "external_id": "SPC-8"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-13.html", "external_id": "SPC-13"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-16.html", "external_id": "SPC-16"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-17.html", "external_id": "SPC-17"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/supply-chain-threats/SPC-21.html", "external_id": "SPC-21"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:54.553Z", "name": "Compromise Hardware Supply Chain", "description": "Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-09-12T15:17:00.569Z", "name": "Clipboard Data", "description": "Adversaries may abuse clipboard manager APIs to obtain sensitive information copied to the device clipboard. For example, passwords being copied and pasted from a password manager application could be captured by a malicious application installed on the device.(Citation: Fahl-Clipboard) \n\n \n\nOn Android, applications can use the `ClipboardManager.OnPrimaryClipChangedListener()` API to register as a listener and monitor the clipboard for changes. However, starting in Android 10, this can only be used if the application is in the foreground, or is set as the device\u2019s default input method editor (IME).(Citation: Github Capture Clipboard 2019)(Citation: Android 10 Privacy Changes) \n\n \n\nOn iOS, this can be accomplished by accessing the `UIPasteboard.general.string` field. However, starting in iOS 14, upon accessing the clipboard, the user will be shown a system notification if the accessed text originated in a different application. 
For example, if the user copies the text of an iMessage from the Messages application, the notification will read \u201capplication_name has pasted from Messages\u201d when the text was pasted in a different application.(Citation: UIPPasteboard)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could detect usage of standard clipboard APIs.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "3.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "created": "2017-10-25T14:48:19.996Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1414", "external_id": "T1414"}, {"source_name": "Android 10 Privacy Changes", "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data"}, {"source_name": "UIPPasteboard", "description": "Apple Developer. (n.d.). UIPasteboard. Retrieved April 1, 2022.", "url": "https://developer.apple.com/documentation/uikit/uipasteboard"}, {"source_name": "Fahl-Clipboard", "description": "Fahl, S, et al.. (2013). Hey, You, Get Off of My Clipboard. Retrieved September 12, 2024.", "url": "https://saschafahl.de/static/paper/pwmanagers2013.pdf"}, {"source_name": "Github Capture Clipboard 2019", "description": "Pearce, G. (, January). 
Retrieved August 8, 2019.", "url": "https://github.com/grepx/android-clipboard-security"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html", "external_id": "APP-35"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "created": "2017-10-25T14:48:30.890Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1400", "external_id": "T1400"}, {"source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/"}, {"source_name": "Apple-iOSSecurityGuide", "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.", "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:44.671Z", "name": "Modify System Partition", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.\n\nMany Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. 
Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Android devices with the Verified Boot capability (Citation: Android-VerifiedBoot) perform cryptographic checks of the integrity of the system partition.\n\nThe Android SafetyNet API's remote attestation capability could potentially be used to identify and respond to compromised devices.\n\nSamsung KNOX also provides a remote attestation capability on supported Samsung Android devices.\n\niOS devices will fail to boot or fail to allow device activation if unauthorized modifications are detected.(Citation: Apple-iOSSecurityGuide)", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "created": "2022-04-06T13:34:46.021Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1641", "external_id": "T1641"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:54.742Z", "name": "Data Manipulation", "description": "Adversaries may insert, delete, or alter data in order to manipulate external outcomes or hide activity. 
By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.\n\nThe type of modification and the impact it will have depends on the target application, process, and the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system, typically gained through a prolonged information gathering campaign, in order to have the desired impact.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "created": "2022-04-01T13:25:30.923Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/004", "external_id": "T1636.004"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:54.890Z", "name": "SMS Messages", "description": "Adversaries may utilize standard operating system APIs to gather SMS messages. On Android, this can be accomplished using the SMS Content Provider. iOS provides no standard API to access SMS messages. 
\n\nIf the device has been jailbroken or rooted, an adversary may be able to access [SMS Messages](https://attack.mitre.org/techniques/T1636/004) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1"}, {"type": "attack-pattern", "id": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "created": "2019-02-01T17:29:43.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481", "external_id": "T1481"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:55.035Z", "name": "Web Service", "description": "Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. 
Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. \n\n \n\nUse of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis, or enable operational resiliency (since this infrastructure may be dynamically changed). \n\n ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.3", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "created": "2022-03-30T15:07:51.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1625/001", "external_id": "T1625.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:55.191Z", "name": "System Runtime API Hijacking", "description": "Adversaries may execute their own malicious payloads by hijacking the way an operating system runs applications. Hijacking execution flow can be for the purposes of persistence since this hijacked execution may reoccur at later points in time. 
\n\n\nOn Android, adversaries may overwrite the standard OS API library with a malicious alternative to hook into core functions to achieve persistence. By doing this, the adversary\u2019s code will be executed every time the overwritten API function is called by an app on the infected device.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "created": "2017-10-25T14:48:07.149Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1455", "external_id": "T1455"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:44.847Z", "name": "Exploit Baseband Vulnerability", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "created": "2022-04-01T14:55:10.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1634", "external_id": "T1634"}, {"source_name": "NIST Mobile Threat Catalogue", "url": 
"https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html", "external_id": "AUT-11"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:55.358Z", "name": "Credentials from Password Store", "description": "Adversaries may search common password storage locations to obtain user credentials. Passwords can be stored in several places on a device, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users to manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can potentially detect jailbroken devices. Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "created": "2021-09-24T14:47:34.182Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1617", "external_id": "T1617"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:55.543Z", "name": "Hooking", "description": "Adversaries may utilize 
hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["J\u00f6rg Abraham, EclecticIQ"], "x_mitre_detection": "Hooking can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1478", "external_id": "T1478"}, {"source_name": "Talos-MDM", "description": "Warren Mercer, Paul Rascagneres, Andrew Williams. (2018, July 12). Advanced Mobile Malware Campaign in India uses Malicious MDM. Retrieved September 24, 2018.", "url": "https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html"}, {"source_name": "Symantec-iOSProfile", "description": "Yair Amit. (2013, March 12). Malicious Profiles \u2013 The Sleeping Giant of iOS Security. 
Retrieved September 24, 2018.", "url": "https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "external_id": "STA-7"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:45.045Z", "name": "Install Insecure or Malicious Configuration", "description": "An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).\n\nFor example, an unwanted Certification Authority (CA) certificate could be placed in the device's trusted certificate store, increasing the device's susceptibility to adversary-in-the-middle network attacks seeking to eavesdrop on or manipulate the device's network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).\n\nOn iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device's network traffic through an adversary's system. 
The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can view trusted CA certificates through the device settings and look for unexpected certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies.\n\nOn iOS, the user can view installed Configuration Profiles through the device settings and look for unexpected profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "created": "2017-10-25T14:48:21.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1420", "external_id": "T1420"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", "external_id": "STA-41"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:55.729Z", "name": "File and Directory Discovery", "description": "Adversaries may enumerate files and directories or search in specific device locations for desired information within a filesystem. 
Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) during automated discovery to shape follow-on behaviors, including deciding if the adversary should fully infect the target and/or attempt specific actions. \n\nOn Android, Linux file permissions and SELinux policies typically stringently restrict what can be accessed by apps without taking advantage of a privilege escalation exploit. The contents of the external storage directory are generally visible, which could present concerns if sensitive data is inappropriately stored there. iOS's security architecture generally restricts the ability to perform any type of [File and Directory Discovery](https://attack.mitre.org/techniques/T1420) without use of escalated privileges. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users are presented with a permissions popup when an application requests access to external device storage.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "created": "2017-10-25T14:48:32.328Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1406", "external_id": "T1406"}, {"source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . 
Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", "external_id": "APP-21"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:55.894Z", "name": "Obfuscated Files or Information", "description": "Adversaries may attempt to make a payload or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the device or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. \n \nPayloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Portions of files can also be encoded to hide the plaintext strings that would otherwise help defenders with discovery. Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled.(Citation: Microsoft MalLockerB) ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). 
Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "3.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "created": "2019-09-15T15:26:22.356Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1516", "external_id": "T1516"}, {"source_name": "bitwarden autofill logins", "description": "Bitwarden. (n.d.). Auto-fill logins on Android . Retrieved September 15, 2019.", "url": "https://help.bitwarden.com/article/auto-fill-android/"}, {"source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"}, {"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:56.042Z", "name": "Input Injection", "description": "A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android's accessibility APIs.\n\n[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:\n\n* Mimicking user clicks on the screen, for example to steal money from a user's PayPal account.(Citation: android-trojan-steals-paypal-2fa)\n* Injecting global actions, such as `GLOBAL_ACTION_BACK` (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)\n* Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Luk\u00e1\u0161 \u0160tefanko, ESET"], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view applications that have registered accessibility services in the accessibility menu within the device settings.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "created": "2017-10-25T14:48:25.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1464", "external_id": "T1464"}, {"source_name": "CNET-Celljammer", "description": "Chris Matyszczyk. (2014, May 1). FCC: Man used device to jam drivers' cell phone calls. Retrieved November 8, 2018.", "url": "https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/"}, {"source_name": "Arstechnica-Celljam", "description": "David Kravets. (2016, March 10). Man accused of jamming passengers\u2019 cell phones on Chicago subway. Retrieved November 8, 2018.", "url": "https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/"}, {"source_name": "NIST-SP800187", "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.", "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf"}, {"source_name": "NYTimes-Celljam", "description": "Matt Richtel. (2007, November 4). Devices Enforce Silence of Cellphones, Illegally. Retrieved November 8, 2018.", "url": "https://www.nytimes.com/2007/11/04/technology/04jammer.html"}, {"source_name": "Digitaltrends-Celljam", "description": "Trevor Mogg. (2015, June 5). Florida teacher punished after signal-jamming his students\u2019 cell phones. 
Retrieved November 8, 2018.", "url": "https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html", "external_id": "CEL-7"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html", "external_id": "CEL-8"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html", "external_id": "LPN-5"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html", "external_id": "GPS-0"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:56.195Z", "name": "Network Denial of Service", "description": "Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth that services rely on, or by jamming the signal going to or coming from devices. \n\nA Network DoS will occur when an adversary is able to jam radio signals (e.g. Wi-Fi, cellular, GPS) around a device to prevent it from communicating. 
For example, to jam cellular signal, an adversary may use a handheld signal jammer, which jam devices within the jammer\u2019s operational range.(Citation: NIST-SP800187) \n\nUsage of cellular jamming has been documented in several arrests reported in the news.(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Unexpected loss of radio signal could indicate that a device is being actively jammed.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.3", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "created": "2020-05-07T15:24:49.068Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1577", "external_id": "T1577"}, {"source_name": "Guardsquare Janus", "description": "Guarsquare. (2017, November 13). New Android vulnerability allows attackers to modify apps without affecting their signatures. Retrieved May 7, 2020.", "url": "https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures"}, {"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:56.351Z", "name": "Compromise Application Executable", "description": "Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.\n\nThere are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file's signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user's knowledge.(Citation: Guardsquare Janus)\n\nAdversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)\n\nAdversaries may also take action to conceal modifications to application executables and bypass user consent. 
These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_detection": "This behavior is seamless to the user and is typically undetectable.", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "created": "2022-03-30T14:25:41.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1624", "external_id": "T1624"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:56.521Z", "name": "Event Triggered Execution", "description": "Adversaries may establish persistence using system mechanisms that trigger execution based on specific events. Mobile operating systems have means to subscribe to events such as receiving an SMS message, device boot completion, or other device activities. \n\nAdversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via automatically and repeatedly executing malicious code. After gaining access to a victim\u2019s system, adversaries may create or modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-02-20T23:35:22.949Z", "name": "System Network Configuration Discovery", "description": "Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of devices they access or through information discovery of remote systems. \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. \n\nOn Android, details of onboard network interfaces are accessible to apps through the `java.net.NetworkInterface` class.(Citation: NetworkInterface) Previously, the Android `TelephonyManager` class could be used to gather telephony-related device identifiers, information such as the IMSI, IMEI, and phone number. However, starting with Android 10, only preloaded, carrier, the default SMS, or device and profile owner applications can access the telephony-related device identifiers.(Citation: TelephonyManager) \n\n \n\nOn iOS, gathering network configuration information is not possible without root access. 
\n\n \n\nAdversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1422) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.4", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "created": "2017-10-25T14:48:32.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1422", "external_id": "T1422"}, {"source_name": "NetworkInterface", "description": "Android. (n.d.). NetworkInterface. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/java/net/NetworkInterface.html"}, {"source_name": "TelephonyManager", "description": "Android. (n.d.). TelephonyManager. 
Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", "created": "2017-10-25T14:48:25.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1463", "external_id": "T1463"}, {"source_name": "FireEye-SSL", "description": "Adrian Mettler, Yulong Zhang, Vishwanath Raman. (2014, August 20). SSL VULNERABILITIES: WHO LISTENS WHEN ANDROID APPLICATIONS TALK?. Retrieved December 24, 2016.", "url": "https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html", "external_id": "APP-1"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:45.230Z", "name": "Manipulate Device Communication", "description": "If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. 
For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "created": "2019-08-09T16:14:58.254Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1512", "external_id": "T1512"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html", "external_id": "APP-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:56.716Z", "name": "Video Capture", "description": "An adversary can leverage a device\u2019s cameras to gather information by capturing video recordings. Images may also be captured, potentially in specified intervals, in lieu of video files. \n\n \n\nMalware or scripts may interact with the device cameras through an available API provided by the operating system. Video or image files may be written to disk and exfiltrated later. 
This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1513) due to use of the device\u2019s cameras for video recording rather than capturing the victim\u2019s screen. \n\n \n\nIn Android, an application must hold the `android.permission.CAMERA` permission to access the cameras. In iOS, applications must include the `NSCameraUsageDescription` key in the `Info.plist` file. In both cases, the user must grant permission to the requesting application to use the camera. If the device has been rooted or jailbroken, an adversary may be able to access the camera without knowledge of the user. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions. During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. 
", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "created": "2022-04-06T15:52:07.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1481/003", "external_id": "T1481.003"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:56.869Z", "name": "One-Way Communication", "description": "Adversaries may use an existing, legitimate external Web service channel as a means for sending commands to a compromised system without receiving return output. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response. \n\n \n\nPopular websites and social media, acting as a mechanism for C2, may give a significant amount of cover. This is due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1475", "external_id": "T1475"}, {"source_name": "Oberheide-Bouncer", "description": "Jon Oberheide and Charlie Miller. (2012). Dissecting the Android Bouncer. Retrieved December 12, 2016.", "url": "https://jon.oberheide.org/files/summercon12-bouncer.pdf"}, {"source_name": "Oberheide-RemoteInstall", "description": "Jon Oberheide. (2010, June 25). Remote Kill and Install on Google Android. Retrieved December 12, 2016.", "url": "https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/"}, {"source_name": "Percoco-Bouncer", "description": "Nicholas J. Percoco and Sean Schulte. (2012). Adventures in BouncerLand. Retrieved December 12, 2016.", "url": "https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf"}, {"source_name": "Konoth", "description": "Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos. (n.d.). How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication. 
Retrieved December 12, 2016.", "url": "http://www.vvdveen.com/publications/BAndroid.pdf"}, {"source_name": "Petsas", "description": "Thanasis Petsas, Giannis Voyatzis, Elias Athanasopoulos, Michalis Polychronakis, Sotiris Ioannidis. (2014, April). Rage Against the Virtual Machine: Hindering Dynamic Analysis of Android Malware. Retrieved December 12, 2016.", "url": "http://dl.acm.org/citation.cfm?id=2592796"}, {"source_name": "Wang", "description": "Tielei Wang, Kangjie Lu, Long Lu, Simon Chung, and Wenke Lee. (2013, August). Jekyll on iOS: When Benign Apps Become Evil. Retrieved December 9, 2016.", "url": "https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html", "external_id": "ECO-4"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html", "external_id": "ECO-16"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html", "external_id": "ECO-17"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html", "external_id": "APP-20"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html", "external_id": "APP-21"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html", "external_id": "ECO-22"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:45.413Z", "name": "Deliver Malicious App via Authorized App Store", "description": "Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. 
Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.\n\nApp stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:\n\n* [Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)\n* [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)\n\nAdversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)\n\nAdversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)\n\nAdversaries may also use control of a target's Google account to use the Google Play Store's remote installation capability to install apps onto the Android devices associated with the Google account. 
(Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "* An EMM/MDM or mobile threat defense solution can identify the presence of unwanted or known insecure or malicious apps on devices.\n* Developers can scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer's identity.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "created": "2017-10-25T14:48:10.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1471", "external_id": "T1471"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html", "external_id": "APP-28"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:57.034Z", "name": "Data Encrypted for Impact", "description": "An adversary may encrypt files stored on a mobile device to prevent the user from accessing them. 
This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "3.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2023-09-28T15:38:41.106Z", "name": "Prevent Application Removal", "description": "Adversaries may abuse the Android device administration API to prevent the user from uninstalling a target application. In earlier versions of Android, device administrator applications needed their administration capabilities explicitly deactivated by the user before the application could be uninstalled. This was later updated so the user could deactivate and uninstall the administrator application in one step.\n\nAdversaries may also abuse the device accessibility APIs to prevent removal. This set of APIs allows the application to perform certain actions on behalf of the user and programmatically determine what is being shown on the screen. The malicious application could monitor the device screen for certain modals (e.g., the confirmation modal to uninstall an application) and inject screen input or a back button tap to close the modal. For example, Android's `performGlobalAction(int)` API could be utilized to prevent the user from removing the malicious application from the device after installation. 
If the user wants to uninstall the malicious application, two cases may occur, both preventing the user from removing the application.\n\n* Case 1: If the integer argument passed to the API call is `2` or `GLOBAL_ACTION_HOME`, the malicious application may direct the user to the home screen from settings screen \n\n* Case 2: If the integer argument passed to the API call is `1` or `GLOBAL_ACTION_BACK`, the malicious application may emulate the back press event ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_contributors": ["Shankar Raman, Gen Digital and Abhinand, Amrita University"], "x_mitre_deprecated": false, "x_mitre_detection": "Users can view a list of device administrators and applications that have registered accessibility services in device settings. Users can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. 
Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Android"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "created": "2022-04-01T18:44:32.808Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1629/001", "external_id": "T1629.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html", "external_id": "APP-22"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "created": "2017-10-25T14:48:33.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1421", "external_id": "T1421"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:57.189Z", "name": "System Network Connections Discovery", "description": "Adversaries may attempt to get a listing of network connections to or from the compromised device they are currently accessing or from remote systems by querying for information over the network. \n\n \n\nThis is typically accomplished by utilizing device APIs to collect information about nearby networks, such as Wi-Fi, Bluetooth, and cellular tower connections. 
On Android, this can be done by querying the respective APIs: \n\n \n\n* `WifiInfo` for information about the current Wi-Fi connection, as well as nearby Wi-Fi networks. Querying the `WiFiInfo` API requires the application to hold the `ACCESS_FINE_LOCATION` permission. \n\n* `BluetoothAdapter` for information about Bluetooth devices, which also requires the application to hold several permissions granted by the user at runtime. \n\n* For Android versions prior to Q, applications can use the `TelephonyManager.getNeighboringCellInfo()` method. For Q and later, applications can use the `TelephonyManager.getAllCellInfo()` method. Both methods require the application hold the `ACCESS_FINE_LOCATION` permission.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "System Network Connections Discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2023-09-29T19:45:39.608Z", "name": "Phishing", "description": "Adversaries may send malicious content to users in order to gain access to their mobile devices. All forms of phishing are electronically delivered social engineering. Adversaries can conduct both non-targeted phishing, such as in mass malware spam campaigns, as well as more targeted phishing tailored for a specific individual, company, or industry, known as \u201cspearphishing\u201d. 
Phishing often involves social engineering techniques, such as posing as a trusted source, as well as evasion techniques, such as removing or manipulating emails or metadata/headers from compromised accounts being abused to send messages.\n\nMobile phishing may take various forms. For example, adversaries may send emails containing malicious attachments or links, typically to deliver and then execute malicious code on victim devices. Phishing may also be conducted via third-party services, like social media platforms. \n\nMobile devices are a particularly attractive target for adversaries executing phishing campaigns. Due to their smaller form factor than traditional desktop endpoints, users may not be able to notice minor differences between genuine and phishing websites. Further, mobile devices have additional sensors and radios that allow adversaries to execute phishing attempts over several different vectors, such as: \n\n- SMS messages: Adversaries may send SMS messages (known as \u201csmishing\u201d) from compromised devices to potential targets to convince the target to, for example, install malware, navigate to a specific website, or enable certain insecure configurations on their device.\n- Quick Response (QR) Codes: Adversaries may use QR codes (known as \u201cquishing\u201d) to redirect users to a phishing website. For example, an adversary could replace a legitimate public QR Code with one that leads to a different destination, such as a phishing website. A malicious QR code could also be delivered via other means, such as SMS or email. In the latter case, an adversary could utilize a malicious QR code in an email to pivot from the user\u2019s desktop computer to their mobile device.\n- Phone Calls: Adversaries may call victims (known as \u201cvishing\u201d) to persuade them to perform an action, such as providing login credentials or navigating to a malicious website. 
This could also be used as a technique to perform the initial access on a mobile device, but then pivot to a computer/other network by having the victim perform an action on a desktop computer.\n", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_contributors": ["Vijay Lalwani", "Will Thomas, Equinix", "Adam Mashinchi", "Sam Seabrook, Duke Energy", "Naveen Devaraja, bolttech", "Brian Donohue"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "created": "2023-09-21T19:35:15.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1660", "external_id": "T1660"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html", "external_id": "AUT-9"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-16T20:24:13.854Z", "name": "SSL Pinning", "description": "Adversaries may use [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) to protect the C2 traffic from being intercepted and analyzed.\n\n[SSL Pinning](https://attack.mitre.org/techniques/T1521/003) is a technique commonly utilized by legitimate websites to ensure that encrypted communications are only allowed with a pre-defined certificate. If another certificate is presented, it could indicate device compromise, traffic interception, or another upstream issue. 
While benign usages are common, it is also possible for adversaries to abuse this technology to protect malicious C2 traffic.\n\nIn normal, not pinned SSL validation, when a client connects to a server using HTTPS, it typically checks whether the server\u2019s SSL/TLS certificate is signed by a trusted Certificate Authority (CA) in the device\u2019s trust store. If the certificate is valid and signed by a trusted CA, the connection is established. However, with [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) , the client is configured to trust a specific SSL/TLS certificate or public key, rather than relying on the device\u2019s trust store. This means that even if the server\u2019s certificate is signed by a trusted CA, the client will only establish the connection of the certificate or key is pinned.\n\nThere are two types of [SSL Pinning](https://attack.mitre.org/techniques/T1521/003) :\n\n1.\tCertificate Pinning: The client stores a copy of the server\u2019s certificate and compares it with the certificate received during the SSL handshake. If the certificates match, then the client proceeds with the connection. This approach also works with self-signed certificates.\n\n2.\tPublic Key Pinning: Instead of pinning the entire certificate, the client pins just the public key extracted from the certificate. 
This is often more flexible, as it allows the server to renew its certificate without having to update the pinned certificate or breaking the SSL connection.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_contributors": ["Takahashi Wataru, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "created": "2024-03-29T15:04:38.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1521/003", "external_id": "T1521.003"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2023-10-16T16:23:05.146Z", "name": "Lockscreen Bypass", "description": "An adversary with physical access to a mobile device may seek to bypass the device\u2019s lockscreen. Several methods exist to accomplish this, including:\n\n* Biometric spoofing: If biometric authentication is used, an adversary could attempt to spoof a mobile device\u2019s biometric authentication mechanism. 
Both iOS and Android partly mitigate this attack by requiring the device\u2019s passcode rather than biometrics to unlock the device after every device restart, and after a set or random amount of time.(Citation: SRLabs-Fingerprint)(Citation: TheSun-FaceID)\n* Unlock code bypass: An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing (\u201cshoulder surfing\u201d) the device owner\u2019s use of the lockscreen passcode. Mobile OS vendors partly mitigate this by implementing incremental backoff timers after a set number of failed unlock attempts, as well as a configurable full device wipe after several failed unlock attempts.\n* Vulnerability exploit: Techniques have been periodically demonstrated that exploit mobile devices to bypass the lockscreen. The vulnerabilities are generally patched by the device or OS vendor once disclosed.(Citation: Wired-AndroidBypass)(Citation: Kaspersky-iOSBypass)\n", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_deprecated": false, "x_mitre_detection": "Users can see if someone is watching them type in their device passcode.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.3", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "created": "2017-10-25T14:48:24.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1461", "external_id": "T1461"}, {"source_name": "Wired-AndroidBypass", "description": "Andy Greenberg. (2015, September 15). Hack Brief: Emergency Number Hack Bypasses Android Lock Screens. 
Retrieved December 23, 2016.", "url": "https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/"}, {"source_name": "Kaspersky-iOSBypass", "description": "Chris Brook. (2016, November 17). iOS 10 Passcode Bypass Can Access Photos, Contacts. Retrieved December 23, 2016.", "url": "https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/"}, {"source_name": "TheSun-FaceID", "description": "Sean Keach. (2018, February 15). Brit mates BREAK Apple\u2019s face unlock and vow to never buy iPhone again. Retrieved September 18, 2018.", "url": "https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/"}, {"source_name": "SRLabs-Fingerprint", "description": "SRLabs. (n.d.). Fingerprints are not fit for secure device unlocking. Retrieved December 23, 2016.", "url": "https://srlabs.de/bites/spoofing-fingerprints/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", "created": "2020-12-16T20:16:07.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1605", "external_id": "T1605"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:45.593Z", "name": "Command-Line Interface", "description": "Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java\u2019s `Runtime` package. 
On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.\n\nIf the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "execution"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Command-Line Interface execution can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "created": "2022-04-01T13:17:52.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1636/003", "external_id": "T1636.003"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html", "external_id": "APP-13"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:57.342Z", "name": "Contact List", "description": "Adversaries may utilize standard operating system APIs to gather contact list data. On Android, this can be accomplished using the Contacts Content Provider. On iOS, this can be accomplished using the `Contacts` framework. 
\n\n \n\nIf the device has been jailbroken or rooted, an adversary may be able to access the [Contact List](https://attack.mitre.org/techniques/T1636/003) without the user\u2019s knowledge or approval. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["iOS", "Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "created": "2019-10-10T15:12:42.790Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1533", "external_id": "T1533"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-41.html", "external_id": "STA-41"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:57.505Z", "name": "Data from Local System", "description": "Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to exfiltration. 
\n\n \n\nAccess to local system data, which includes information stored by the operating system, often requires escalated privileges. Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos. On Android, adversaries may also attempt to access files from external storage which may require additional storage-related permissions. \n\n ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Accessing data from the local system can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "created": "2022-04-06T13:29:47.590Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1640", "external_id": "T1640"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:57.695Z", "name": "Account Access Removal", "description": "Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: credentials changed) to remove access to accounts. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "created": "2017-10-25T14:48:19.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1426", "external_id": "T1426"}, {"source_name": "Android-Build", "description": "Android. (n.d.). Build. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/os/Build"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-12.html", "external_id": "APP-12"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:57.841Z", "name": "System Information Discovery", "description": "Adversaries may attempt to get detailed information about a device\u2019s operating system and hardware, including versions, patches, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1426) during automated discovery to shape follow-on behaviors, including whether or not to fully infects the target and/or attempts specific actions. \n\n \n\nOn Android, much of this information is programmatically accessible to applications through the `android.os.Build` class. 
(Citation: Android-Build) iOS is much more restrictive with what information is visible to applications. Typically, applications will only be able to query the device model and which version of iOS it is running. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "discovery"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "System information discovery can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "created": "2017-10-25T14:48:28.786Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1442", "external_id": "T1442"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:45.764Z", "name": "Fake Developer Accounts", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "created": "2019-07-26T14:15:31.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1510", "external_id": "T1510"}, {"source_name": "Android 10 Privacy Changes", "description": "Android Developers. (n.d.). Privacy changes in Android 10. 
Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data"}, {"source_name": "Dr.Webb Clipboard Modification origin August 2018", "description": "Dr.Webb. (2018, August 8). Android.Clipper.1.origin. Retrieved July 26, 2019.", "url": "https://vms.drweb.com/virus/?i=17517750"}, {"source_name": "Dr.Webb Clipboard Modification origin2 August 2018", "description": "Dr.Webb. (2018, August 8). Android.Clipper.2.origin. Retrieved July 26, 2019.", "url": "https://vms.drweb.com/virus/?i=17517761"}, {"source_name": "ESET Clipboard Modification February 2019", "description": "ESET. (2019, February 11). First clipper malware discovered on Google Play.. Retrieved July 26, 2019.", "url": "https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/"}, {"source_name": "Welivesecurity Clipboard Modification February 2019", "description": "Luk\u00e1\u0161 \u0160tefanko. (2019, February 8). First clipper malware discovered on Google Play. Retrieved July 26, 2019.", "url": "https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/"}, {"source_name": "Syracuse Clipboard Modification 2014", "description": "Zhang, X; Du, W. (2014, January). Attacks on Android Clipboard. 
Retrieved July 26, 2019.", "url": "http://www.cis.syr.edu/~wedu/Research/paper/clipboard_attack_dimva2014.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:45.935Z", "name": "Clipboard Modification", "description": "Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the ClipboardManager.OnPrimaryClipChangedListener interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)\n\nAdversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.\n\n[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. 
This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Modifying clipboard content can be difficult to detect, and therefore enterprises may be better served focusing on detection at other stages of adversarial behavior.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "created": "2019-10-10T15:00:44.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1532", "external_id": "T1532"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:57.990Z", "name": "Archive Collected Data", "description": "Adversaries may compress and/or encrypt data that is collected prior to exfiltration. Compressing data can help to obfuscate its contents and minimize use of network resources. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender. \n\n \n\nBoth compression and encryption are done prior to exfiltration, and can be performed using a utility, programming library, or custom algorithm. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Many encryption mechanisms are built into standard application-accessible APIs and are therefore undetectable to the end user.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "created": "2022-03-30T20:36:03.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1627/001", "external_id": "T1627.001"}, {"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:58.143Z", "name": "Geofencing", "description": "Adversaries may use a device\u2019s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)\n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fis accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device\u2019s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements. 
\n\nOne method to accomplish\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fon Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other\u202f[Geofencing](https://attack.mitre.org/techniques/T1627/001) methods, this requires that the user has granted the `ACCESS_FINE_LOCATION` and `ACCESS_BACKGROUND_LOCATION` permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include \"Allow only while using the app\", which will effectively prohibit background location collection. \n\nSimilarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call\u202f`requestWhenInUseAuthorization()`\u202for\u202f`requestAlwaysAuthorization()`, depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device\u2019s location, including one-time use and only when the application is running in the foreground. \n\n[Geofencing](https://attack.mitre.org/techniques/T1627/001)\u202fcan be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). 
Other malicious usages could include showing language-specific input prompts and/or advertisements.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Users can review which applications have location permissions in the operating system\u2019s settings menu. On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background. Application vetting services can detect unnecessary and potentially abused location permissions or API calls.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "created": "2019-07-10T15:18:16.753Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1507", "external_id": "T1507"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:46.125Z", "name": "Network Information Discovery", "description": "Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary 
Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "created": "2017-10-25T14:48:15.920Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1412", "external_id": "T1412"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:46.301Z", "name": "Capture SMS Messages", "description": "A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.\n\nOn Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.\n\nOn iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "collection"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can view which applications have permission to access SMS messages through the device settings, and the user can choose to revoke the permission.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-04-17T16:50:41.414Z", "name": 
"Conceal Multimedia Files", "description": "Adversaries may attempt to hide multimedia files from the user. By doing so, adversaries may conceal captured files, such as pictures, videos and/or screenshots, then later exfiltrate those files. \n\nSpecific to Android devices, if the `.nomedia` file is present in a folder, multimedia files in that folder will not be visible to the user in the Gallery application. Additionally, other applications are asked not to scan the folder with the `.nomedia` file, effectively making the folder appear invisible to the user. \n\nThis technique is often used by stalkerware and spyware applications. ", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_contributors": ["Shankar Raman, Amrita University, Gen Digital, Traboda"], "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "type": "attack-pattern", "id": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "created": "2024-02-20T21:44:32.669Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628/003", "external_id": "T1628.003"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "created": "2022-04-06T13:52:05.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1642", "external_id": "T1642"}, {"source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). 
KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"}, {"source_name": "Android resetPassword", "description": "Google. (n.d.). DevicePolicyManager. Retrieved October 1, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:58.297Z", "name": "Endpoint Denial of Service", "description": "Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users.\n\nOn Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode, preventing the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device\u2019s passcode.(Citation: Android resetPassword)\n\nOn iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode; they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, users can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. 
Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "created": "2022-04-06T15:27:34.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1644", "external_id": "T1644"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:58.451Z", "name": "Out of Band Data", "description": "Adversaries may communicate with compromised devices using out of band data streams. This could be done for a variety of reasons, including evading network traffic monitoring, as a backup method of command and control, or for data exfiltration if the device is not connected to any Internet-providing networks (i.e. cellular or Wi-Fi). Several out of band data streams exist, such as SMS messages, NFC, and Bluetooth. \n\n \n\nOn Android, applications can read push notifications to capture content from SMS messages, or other out of band data streams. This requires that the user manually grant notification access to the application via the settings menu. However, the application could launch an Intent to take the user directly there. \n\n \n\nOn iOS, there is no way to programmatically read push notifications. 
", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "If a user sees a notification with text they do not recognize, they should review their list of installed applications.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "created": "2019-10-01T14:18:47.762Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1521", "external_id": "T1521"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:58.602Z", "name": "Encrypted Channel", "description": "Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. 
Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Since data encryption is a common practice in many legitimate applications and uses standard programming language-specific APIs, encrypting data for command and control communication is regarded as undetectable to the user.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--ef771e03-e080-43b4-a619-ac6f84899884", "created": "2017-10-25T14:48:22.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1405", "external_id": "T1405"}, {"source_name": "EkbergTEE", "description": "Jan-Erik Ekberg. (2015, September 10). Android and trusted execution environments. Retrieved December 9, 2016.", "url": "https://usmile.at/symposium/program/2015/ekberg"}, {"source_name": "Thomas-TrustZone", "description": "Josh Thomas and Charles Holmes. (2015, September). An infestation of dragons: Exploring vulnerabilities in the ARM TrustZone architecture. Retrieved December 9, 2016.", "url": "https://usmile.at/symposium/program/2015/thomas-holmes"}, {"source_name": "QualcommKeyMaster", "description": "laginimaineb. (2016, June). Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption. 
Retrieved December 9, 2016.", "url": "https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html"}, {"source_name": "laginimaineb-TEE", "description": "laginimaineb. (2016, May). War of the Worlds - Hijacking the Linux Kernel from QSEE. Retrieved December 21, 2016.", "url": "http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:46.487Z", "name": "Exploit TEE Vulnerability", "description": "A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). 
If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "credential-access"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "privilege-escalation"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2024-09-12T19:47:06.884Z", "name": "Suppress Application Icon", "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher. This hides the fact that it is installed, and can make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions. \n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker) \n\nBeginning in Android 10, changes were introduced to inhibit malicious applications\u2019 ability to hide their icon. If an app is a system app, requests no permissions, or does not have a launcher activity, the application\u2019s icon will be fully hidden. Further, if the device is fully managed or the application is in a work profile, the icon will be fully hidden. Otherwise, a synthesized activity is shown, which is a launcher icon that represents the app\u2019s details page in the system settings. 
If the user clicks the synthesized activity in the launcher, they are taken to the application\u2019s details page in the system settings.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_contributors": ["Emily Ratliff, IBM"], "x_mitre_deprecated": false, "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine. Application vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"], "type": "attack-pattern", "id": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "created": "2022-03-30T20:06:22.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628/001", "external_id": "T1628.001"}, {"source_name": "Android 10 Limitations to Hiding App Icons", "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.", "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons"}, {"source_name": "LauncherApps getActivityList", "description": "Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022.", "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist"}, {"source_name": "sunny-stolen-credentials", "description": "Luk\u00e1\u0161 \u0160tefanko. 
(2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/"}, {"source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"}, {"source_name": "bankbot-spybanker", "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. Retrieved September 12, 2024.", "url": "https://www.cyber.nj.gov/threat-landscape/malware/trojans/bankbot-spy-banker"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "attack-pattern", "id": "attack-pattern--f1c3d071-0c24-483d-aca0-e8b8496ce468", "created": "2017-10-25T14:48:18.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1399", "external_id": "T1399"}, {"source_name": "Apple-iOSSecurityGuide", "description": "Apple. (2016, May). iOS Security. Retrieved December 21, 2016.", "url": "https://www.apple.com/business/docs/iOS_Security_Guide.pdf"}, {"source_name": "Roth-Rootkits", "description": "Thomas Roth. (2013). Next generation mobile rootkits. 
Retrieved December 21, 2016.", "url": "https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html", "external_id": "APP-27"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:46.662Z", "name": "Modify Trusted Execution Environment", "description": "If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device's Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}, {"kill_chain_name": "mitre-mobile-attack", "phase_name": "persistence"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "Devices may perform cryptographic integrity checks of code running within the TEE at boot time.\n\niOS devices will fail to boot if the software running within the Secure Enclave does not pass signature verification.(Citation: Apple-iOSSecurityGuide)", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "created": "2017-10-25T14:48:23.652Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1459", "external_id": "T1459"}], 
"object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:46.836Z", "name": "Device Unlock Code Guessing or Brute Force", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", "created": "2017-10-25T14:48:21.667Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1466", "external_id": "T1466"}, {"source_name": "NIST-SP800187", "description": "Jeffrey Cichonski, Joshua M Franklin, Michael Bartock. (2017, December). Guide to LTE Security. Retrieved January 20, 2017.", "url": "http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html", "external_id": "CEL-3"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:47.035Z", "name": "Downgrade to Insecure Protocols", "description": "An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). 
Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "created": "2023-07-12T20:29:48.758Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1655", "external_id": "T1655"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html", "external_id": "APP-14"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html", "external_id": "APP-31"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:58.771Z", "name": "Masquerading", "description": "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name, location, or appearance of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. 
This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.\n\nRenaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1655)\n", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "\n", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "created": "2017-10-25T14:48:18.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1472", "external_id": "T1472"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:47.215Z", "name": "Generate Fraudulent Advertising Revenue", "description": "An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "impact"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": 
"attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "created": "2017-10-25T14:48:09.446Z", "revoked": true, "external_references": [{"source_name": "mitre-mobile-attack", "url": "https://attack.mitre.org/techniques/T1473", "external_id": "T1473"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:47.386Z", "name": "Malicious or Vulnerable Built-in Device Functionality", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_domains": ["mobile-attack"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_version": "1.0", "x_mitre_is_subtechnique": false}, {"type": "attack-pattern", "id": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "created": "2022-03-30T19:19:23.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1406/001", "external_id": "T1406.001"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:58.917Z", "name": "Steganography", "description": "Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Detection of steganography is difficult unless detectable artifacts with a known signature are left behind by the obfuscation process. 
Look for strings are other signatures left in system artifacts related to decoding steganography.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.0", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--fb3fa94a-3aee-4ab0-b7e7-abdf0a51286d", "created": "2017-10-25T14:48:06.524Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1449", "external_id": "T1449"}, {"source_name": "3GPP-Security", "description": "3GPP. (2000, January). A Guide to 3rd Generation Security. Retrieved December 19, 2016.", "url": "http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf"}, {"source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. Retrieved May 24, 2017.", "url": "https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"}, {"source_name": "TheRegister-SS7", "description": "Iain Thomson. (2017, May 3). After years of warnings, mobile network hackers exploit SS7 flaws to drain bank accounts. Retrieved November 8, 2018.", "url": "https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/"}, {"source_name": "Positive-SS7", "description": "Positive Technologies. (n.d.). SS7 Attack Discovery. Retrieved December 19, 2016.", "url": "https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf"}, {"source_name": "Engel-SS7-2008", "description": "Tobias Engel. (2008, December). Locating Mobile Phones using SS7. Retrieved December 19, 2016.", "url": "https://www.youtube.com/watch?v=q0n5ySqbfdI"}, {"source_name": "Engel-SS7", "description": "Tobias Engel. 
(2014, December). SS7: Locate. Track. Manipulate.. Retrieved December 19, 2016.", "url": "https://berlin.ccc.de/~tobias/31c3-ss7-locate-track-manipulate.pdf"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html", "external_id": "CEL-37"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:47.575Z", "name": "Exploit SS7 to Redirect Phone Calls/SMS", "description": "An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker's control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "network-effects"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": true, "x_mitre_detection": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation as described by the Communications, Security, Reliability, and Interoperability Council (CSRIC). 
(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.2", "x_mitre_tactic_type": ["Without Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "created": "2022-03-30T20:00:12.654Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1628", "external_id": "T1628"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:59.084Z", "name": "Hide Artifacts", "description": "Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Mobile operating systems have features and developer APIs to hide various artifacts, such as an application\u2019s launcher icon. These APIs have legitimate usages, such as hiding an icon to avoid application drawer clutter when an application does not have a usable interface. Adversaries may abuse these features and APIs to hide artifacts from the user to evade detection.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "The user can examine the list of all installed applications in the device settings. 
Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "created": "2022-03-30T18:13:26.003Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1632/001", "external_id": "T1632.001"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html", "external_id": "STA-7"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:59.231Z", "name": "Code Signing Policy Modification", "description": "Adversaries may modify code signing policies to enable execution of applications signed with unofficial or unknown keys. Code signing provides a level of authenticity on an app from a developer, guaranteeing that the program has not been tampered with and comes from an official source. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on a device. \n\nMobile devices generally enable these security controls by default, such as preventing the installation of unknown applications on Android. 
Adversaries may modify these policies in a number of ways, including [Input Injection](https://attack.mitre.org/techniques/T1516) or malicious configuration profiles.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "created": "2022-04-05T19:59:03.161Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1637/001", "external_id": "T1637.001"}, {"source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"}, {"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). 
The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:59.384Z", "name": "Domain Generation Algorithms", "description": "Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1637/001) (DGAs) to procedurally generate domain names for uses such as command and control communication or malicious application distribution.(Citation: securelist rotexy 2018)\n\nDGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there could potentially be thousands of domains that malware can check for instructions.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "command-and-control"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Detecting dynamically generated domains can be challenging due to the number of different DGA algorithms, constantly evolving malware families, and the increasing complexity of the algorithms. There are a myriad of approaches for detecting a pseudo-randomly generated domain name, including using frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) CDN domains may trigger these detections due to the format of their domain names. 
In addition to detecting a DGA domain based on the name, a more general approach for detecting a suspicious domain is to check for recently registered names ", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": true, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "created": "2017-10-25T14:48:06.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1456", "external_id": "T1456"}, {"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}, {"source_name": "NIST Mobile Threat Catalogue", "url": "https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html", "external_id": "CEL-22"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:21:59.531Z", "name": "Drive-By Compromise", "description": "Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. 
With this technique, the user's web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring an [Application Access Token](https://attack.mitre.org/techniques/T1550/001).\n\nMultiple ways of delivering exploit code to a browser exist, including:\n\n* A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.\n* Malicious ads are paid for and served through legitimate ad providers.\n* Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).\n\nOften the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Lookout-StealthMango)\n\nTypical drive-by compromise process:\n\n1. A user visits a website that is used to host the adversary controlled content.\n2. Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version. \n * The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.\n3. Upon finding a vulnerable version, exploit code is delivered to the browser.\n4. 
If exploitation is successful, then it will give the adversary code execution on the user's system unless other protections are in place.\n * In some cases a second visit to the website after the initial scan is required before exploit code is delivered.", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "initial-access"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_version": "2.2", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"type": "attack-pattern", "id": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "created": "2019-07-11T18:09:42.039Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": true, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/techniques/T1508", "external_id": "T1508"}, {"source_name": "sunny-stolen-credentials", "description": "Luk\u00e1\u0161 \u0160tefanko. (2017, February 22). Sunny with a chance of stolen credentials: Malicious weather app found on Google Play. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/"}, {"source_name": "android-trojan-steals-paypal-2fa", "description": "Luk\u00e1\u0161 \u0160tefanko. (2018, December 11). Android Trojan steals money from PayPal accounts even with 2FA on. Retrieved July 11, 2019.", "url": "https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/"}, {"source_name": "bankbot-spybanker", "description": "NJCCIC. (2017, March 2). BankBot/Spy Banker. 
Retrieved July 11, 2019.", "url": "https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T18:00:47.756Z", "name": "Suppress Application Icon", "description": "A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application's icon programmatically does not require any special permissions.\n\nThis behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)", "kill_chain_phases": [{"kill_chain_name": "mitre-mobile-attack", "phase_name": "defense-evasion"}], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_deprecated": false, "x_mitre_detection": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings.", "x_mitre_domains": ["mobile-attack"], "x_mitre_is_subtechnique": false, "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android"], "x_mitre_version": "1.1", "x_mitre_tactic_type": ["Post-Adversary Device Access"]}, {"modified": "2025-03-28T15:23:16.915Z", "name": "Operation Triangulation", "description": "[Operation Triangulation](https://attack.mitre.org/campaigns/C0054) is a mobile campaign targeting iOS devices.(Citation: SecureList OpTriangulation 01Jun2023) The unidentified actors used zero-click exploits in iMessage attachments to gain [Initial Access](https://attack.mitre.org/tactics/TA0027), then executed exploits and validators, such as [Binary Validator](https://attack.mitre.org/software/S1215) before finally executing the [TriangleDB](https://attack.mitre.org/software/S1216) implant. 
", "aliases": ["Operation Triangulation"], "first_seen": "2019-01-01T08:00:00.000Z", "last_seen": "2023-06-01T07:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", "x_mitre_last_seen_citation": "(Citation: SecureList OpTriangulation 01Jun2023)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "type": "campaign", "id": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "created": "2025-03-28T14:45:30.132Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0054", "external_id": "C0054"}, {"source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"]}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:16:18.582Z", "name": "Host Status", "description": "Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. 
Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.\n - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.\n - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.\n - Event ID 12 (Windows Defender Status Change) \u2013 Detects changes in Windows Defender state.\n- Linux/macOS Monitoring:\n - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`\n - Journald (journalctl) for kernel and system alerts.\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.\n- Mobile Threat Intelligence Logs:\n - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.", "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "created": "2023-03-13T19:59:14.491Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:21.246Z", "name": "API Calls", "description": "API calls utilized by an application that could indicate malicious activity", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": 
["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:16.672Z", "name": "Network Traffic Content", "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. `suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. 
`auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-04-11T15:10:14.209Z", "name": "C0033", "description": "[C0033](https://attack.mitre.org/campaigns/C0033) was a [PROMETHIUM](https://attack.mitre.org/groups/G0056) campaign during which they used [StrongPity](https://attack.mitre.org/software/S0491) to target Android users. 
[C0033](https://attack.mitre.org/campaigns/C0033) was the first publicly documented mobile campaign for [PROMETHIUM](https://attack.mitre.org/groups/G0056), who previously used Windows-based techniques.(Citation: welivesec_strongpity)", "aliases": ["C0033"], "first_seen": "2016-05-01T07:00:00.000Z", "last_seen": "2023-01-01T08:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: securelist_strongpity)", "x_mitre_last_seen_citation": "(Citation: welivesec_strongpity)", "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_contributors": ["Hiroki Nagahama, NEC Corporation", "Manikantan Srinivasan, NEC Corporation India", "Pooja Natarajan, NEC Corporation India"], "type": "campaign", "id": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "created": "2024-03-28T18:00:04.123Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0033", "external_id": "C0033"}, {"source_name": "securelist_strongpity", "description": "Baumgartner, K. (2016, October 3). On the StrongPity Waterhole Attacks Targeting Italian and Belgian Encryption Users. Retrieved March 28, 2024.", "url": "https://securelist.com/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/76147/"}, {"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack", "enterprise-attack"]}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "created": "2023-03-13T20:00:08.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:21.394Z", "name": "Permissions Requests", "description": "Permissions declared in an application's manifest or property list file", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "created": "2023-03-13T20:48:14.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:21.541Z", "name": "System Settings", "description": "Settings visible to the user on the device", "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "intrusion-set", "id": 
"intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "created": "2020-01-27T16:55:39.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0097", "external_id": "G0097"}, {"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:02.103Z", "name": "Bouncing Golf", "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)", "aliases": ["Bouncing Golf"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "created": "2023-03-13T19:59:42.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:21.724Z", "name": "Network Communication", "description": "Network requests made by an application or domains contacted", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": 
"x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:20.168Z", "name": "Network Traffic Flow", "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.\n\n*Data Collection Measures:*\n\n- Network Flow Logs (Metadata Collection)\n - NetFlow \n - Summarized metadata for network conversations (no packet payloads).\n - sFlow (Sampled Flow Logging)\n - Captures sampled packets from switches and routers.\n - Used for real-time traffic monitoring and anomaly detection.\n - Zeek (Bro) Flow Logs\n - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.\n- Host-Based Collection\n - Sysmon Event ID 3 \u2013 Network Connection Initiated\n - Logs process-level network activity, useful for detecting malicious outbound connections.\n - AuditD (Linux) \u2013 syscall=connect\n - Monitors system calls for network connections. 
`auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Flow Monitoring\n - AWS VPC Flow Logs\n - Captures metadata for traffic between EC2 instances, security groups, and internet gateways.\n - Azure NSG Flow Logs / Google VPC Flow Logs\n - Logs ingress/egress traffic for cloud-based resources.", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-11-17T14:15:51.850Z", "name": "Windshift", "description": "[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)", "aliases": ["Windshift", "Bahamut"], "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "intrusion-set", "id": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "created": "2020-06-25T17:16:39.168Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0112", "external_id": "G0112"}, {"source_name": "Bahamut", "description": "(Citation: SANS Windshift August 2018)"}, {"source_name": "SANS Windshift August 2018", "description": "Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved November 17, 2024.", "url": "https://www.scribd.com/document/661837258/WINDSHIFT-summit-archive-1554718868"}, {"source_name": "objective-see windtail1 dec 2018", "description": "Wardle, Patrick. (2018, December 20). 
Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.", "url": "https://objective-see.com/blog/blog_0x3B.html"}, {"source_name": "objective-see windtail2 jan 2019", "description": "Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.", "url": "https://objective-see.com/blog/blog_0x3D.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "created": "2023-03-13T20:47:24.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:21.873Z", "name": "Permissions Request", "description": "System prompts triggered when an application requests new or additional permissions", "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:30.145Z", "name": "Command Execution", "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell 
commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . -list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.\n\nThis data component can be collected through the following measures:\n\nEnable Command Logging\n\n- Windows:\n - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name EnableScriptBlockLogging -Value 1`\n - Enable Windows Event Logging:\n - Event ID 4688: Tracks process creation, including command-line arguments.\n - Event ID 4104: Logs PowerShell script block execution.\n- Linux/macOS:\n - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='history -a; history -w'`\n - Use audit frameworks (e.g., `auditd`) to log command executions. 
Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`\n- Containers:\n - Use runtime-specific tools like Docker\u2019s --log-driver or Kubernetes Audit Logs to capture exec commands.\n\nIntegrate with Centralized Logging\n\n- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:\n`index=windows EventID=4688 CommandLine=*`\n\nUse Endpoint Detection and Response (EDR) Tools\n\n- Monitor command executions via EDR solutions \n\nDeploy Sysmon for Advanced Logging (Windows)\n\n- Use Sysmon's Event ID 1 to log process creation with command-line arguments", "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-04-04T21:24:48.602Z", "name": "Scattered Spider", "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. 
Beginning in 2023, [Scattered Spider](https://attack.mitre.org/groups/G1015) expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, [Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "aliases": ["Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875"], "x_mitre_deprecated": false, "x_mitre_version": "2.0", "type": "intrusion-set", "id": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "created": "2023-07-05T17:54:54.789Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1015", "external_id": "G1015"}, {"source_name": "Roasted 0ktapus", "description": "(Citation: CrowdStrike Scattered Spider BYOVD January 2023)"}, {"source_name": "Octo Tempest", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "Storm-0875", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "CISA Scattered Spider Advisory November 2023", "description": "CISA. (2023, November 16). Cybersecurity Advisory: Scattered Spider (AA23-320A). Retrieved March 18, 2024.", "url": "https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a"}, {"source_name": "CrowdStrike Scattered Spider BYOVD January 2023", "description": "CrowdStrike. (2023, January 10). 
SCATTERED SPIDER Exploits Windows Security Deficiencies with Bring-Your-Own-Vulnerable-Driver Tactic in Attempt to Bypass Endpoint Security. Retrieved July 5, 2023.", "url": "https://www.crowdstrike.com/blog/scattered-spider-attempts-to-avoid-detection-with-bring-your-own-vulnerable-driver-tactic/"}, {"source_name": "CrowdStrike Scattered Spider Profile", "description": "CrowdStrike. (n.d.). Scattered Spider. Retrieved July 5, 2023.", "url": "https://www.crowdstrike.com/adversaries/scattered-spider/"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "MSTIC Octo Tempest Operations October 2023", "description": "Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. Retrieved March 18, 2024.", "url": "https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/"}, {"source_name": "Crowdstrike TELCO BPO Campaign December 2022", "description": "Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. 
Retrieved June 30, 2023.", "url": "https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:37.873Z", "name": "Process Metadata", "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-11-17T20:01:55.806Z", "name": "APT-C-23", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) is a threat group that has been active since at least 2014.(Citation: symantec_mantis) [APT-C-23](https://attack.mitre.org/groups/G1028) has primarily focused its operations on the Middle East, including Israeli military assets. 
[APT-C-23](https://attack.mitre.org/groups/G1028) has developed mobile spyware targeting Android and iOS devices since 2017.(Citation: welivesecurity_apt-c-23)", "aliases": ["APT-C-23", "Mantis", "Arid Viper", "Desert Falcon", "TAG-63", "Grey Karkadann", "Big Bang APT", "Two-tailed Scorpion"], "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_contributors": ["Sittikorn Sangrattanapitak"], "type": "intrusion-set", "id": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "created": "2024-03-26T18:38:00.759Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1028", "external_id": "G1028"}, {"source_name": "Big Bang APT", "description": "(Citation: checkpoint_interactive_map_apt-c-23) "}, {"source_name": "Grey Karkadann", "description": "(Citation: sentinelone_israel_hamas_war)"}, {"source_name": "Mantis", "description": "(Citation: symantec_mantis)(Citation: sentinelone_israel_hamas_war)"}, {"source_name": "Two-tailed Scorpion", "description": "(Citation: welivesecurity_apt-c-23)"}, {"source_name": "Arid Viper", "description": "(Citation: welivesecurity_apt-c-23)(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)"}, {"source_name": "Desert Falcon", "description": "(Citation: welivesecurity_apt-c-23)(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)"}, {"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}, {"source_name": "sentinelone_israel_hamas_war", "description": "Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"}, {"source_name": "checkpoint_interactive_map_apt-c-23", "description": "Kayal, A. (2018, August 26). Interactive Mapping of APT-C-23. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20230604112435/https://research.checkpoint.com/2018/interactive-mapping-of-apt-c-23/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}, {"source_name": "symantec_mantis", "description": "Symantec Threat Hunter Team. (2023, April 4). Mantis: New Tooling Used in Attacks Against Palestinian Targets. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20231227054130/https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/mantis-palestinian-attacks"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["mobile-attack", "enterprise-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "created": "2023-03-13T20:47:52.557Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:22.106Z", "name": "System Notifications", "description": "Notifications generated by the OS", "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": 
false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-04-11T02:42:07.325Z", "name": "Dark Caracal", "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)", "aliases": ["Dark Caracal"], "x_mitre_deprecated": false, "x_mitre_version": "1.4", "type": "intrusion-set", "id": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0070", "external_id": "G0070"}, {"source_name": "Dark Caracal", "description": "(Citation: Lookout Dark Caracal Jan 2018)"}, {"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2025-03-10T20:15:06.958Z", "name": "APT28", "description": "[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Crowdstrike DNC June 2016)(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: FireEye APT28 January 2017)(Citation: GRIZZLY STEPPE JAR)(Citation: Sofacy DealersChoice)(Citation: Palo Alto Sofacy 06-2018)(Citation: Symantec APT28 Oct 2018)(Citation: ESET Zebrocy May 2019)\n\n[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. 
presidential election.(Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034). ", "aliases": ["APT28", "IRON TWILIGHT", "SNAKEMACKEREL", "Swallowtail", "Group 74", "Sednit", "Sofacy", "Pawn Storm", "Fancy Bear", "STRONTIUM", "Tsar Team", "Threat Group-4127", "TG-4127", "Forest Blizzard", "FROZENLAKE", "GruesomeLarch"], "x_mitre_deprecated": false, "x_mitre_version": "5.2", "x_mitre_contributors": ["S\u00e9bastien Ruel, CGI", "Drew Church, Splunk", "Emily Ratliff, IBM", "Richard Gold, Digital Shadows"], "type": "intrusion-set", "id": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "created": "2017-05-31T21:31:48.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0007", "external_id": "G0007"}, {"source_name": "SNAKEMACKEREL", "description": "(Citation: Accenture SNAKEMACKEREL Nov 2018)"}, {"source_name": "Fancy Bear", "description": "(Citation: Crowdstrike DNC June 2016)(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"}, {"source_name": "Tsar Team", "description": "(Citation: ESET 
Sednit Part 3)(Citation: Talos Seduploader Oct 2017)(Citation: Talos Seduploader Oct 2017)"}, {"source_name": "APT28", "description": "(Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: Crowdstrike DNC June 2016) (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 3) (Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)(Citation: Symantec APT28 Oct 2018)(Citation: Securelist Sofacy Feb 2018)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"}, {"source_name": "STRONTIUM", "description": "(Citation: Kaspersky Sofacy)(Citation: ESET Sednit Part 3)(Citation: Microsoft STRONTIUM Aug 2019)(Citation: Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)"}, {"source_name": "FROZENLAKE", "description": "(Citation: Leonard TAG 2023)"}, {"source_name": "Forest Blizzard", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "GruesomeLarch", "description": "(Citation: Nearest Neighbor Volexity)"}, {"source_name": "IRON TWILIGHT", "description": "(Citation: Secureworks IRON TWILIGHT Profile)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)"}, {"source_name": "Threat Group-4127", "description": "(Citation: SecureWorks TG-4127)"}, {"source_name": "TG-4127", "description": "(Citation: SecureWorks TG-4127)"}, {"source_name": "Pawn Storm", "description": "(Citation: SecureWorks TG-4127)(Citation: ESET Sednit Part 3)(Citation: TrendMicro Pawn Storm Dec 2020) "}, {"source_name": "Swallowtail", "description": "(Citation: Symantec APT28 Oct 2018)"}, {"source_name": "Group 74", "description": "(Citation: Talos Seduploader Oct 2017)"}, {"source_name": "Accenture SNAKEMACKEREL Nov 2018", "description": "Accenture Security. (2018, November 29). SNAKEMACKEREL. 
Retrieved April 15, 2019.", "url": "https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50"}, {"source_name": "Crowdstrike DNC June 2016", "description": "Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.", "url": "https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/"}, {"source_name": "Leonard TAG 2023", "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.", "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"}, {"source_name": "US District Court Indictment GRU Oct 2018", "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", "url": "https://www.justice.gov/opa/page/file/1098481/download"}, {"source_name": "GRIZZLY STEPPE JAR", "description": "Department of Homeland Security and Federal Bureau of Investigation. (2016, December 29). GRIZZLY STEPPE \u2013 Russian Malicious Cyber Activity. Retrieved January 11, 2017.", "url": "https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf"}, {"source_name": "ESET Zebrocy May 2019", "description": "ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.", "url": "https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/"}, {"source_name": "ESET Sednit Part 3", "description": "ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.", "url": "http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf"}, {"source_name": "Sofacy DealersChoice", "description": "Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. 
Retrieved June 4, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/"}, {"source_name": "FireEye APT28 January 2017", "description": "FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.", "url": "https://www.mandiant.com/sites/default/files/2021-09/APT28-Center-of-Storm-2017.pdf"}, {"source_name": "FireEye APT28", "description": "FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.", "url": "https://web.archive.org/web/20151022204649/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf"}, {"source_name": "Ars Technica GRU indictment Jul 2018", "description": "Gallagher, S. (2018, July 27). How they did it (and will likely try again): GRU hackers vs. US elections. Retrieved September 13, 2018.", "url": "https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/"}, {"source_name": "TrendMicro Pawn Storm Dec 2020", "description": "Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.", "url": "https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html"}, {"source_name": "Securelist Sofacy Feb 2018", "description": "Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.", "url": "https://securelist.com/a-slice-of-2017-sofacy-activity/83930/"}, {"source_name": "Kaspersky Sofacy", "description": "Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. 
Retrieved December 10, 2015.", "url": "https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/"}, {"source_name": "Nearest Neighbor Volexity", "description": "Koessel, Sean. Adair, Steven. Lancaster, Tom. (2024, November 22). The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access. Retrieved February 25, 2025.", "url": "https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/"}, {"source_name": "Palo Alto Sofacy 06-2018", "description": "Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/"}, {"source_name": "Talos Seduploader Oct 2017", "description": "Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.", "url": "https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Microsoft STRONTIUM New Patterns Cred Harvesting Sept 2020", "description": "Microsoft Threat Intelligence Center (MSTIC). (2020, September 10). STRONTIUM: Detecting new patterns in credential harvesting. Retrieved September 11, 2020.", "url": "https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/"}, {"source_name": "Microsoft STRONTIUM Aug 2019", "description": "MSRC Team. (2019, August 5). Corporate IoT \u2013 a path to intrusion. 
Retrieved August 16, 2019.", "url": "https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/"}, {"source_name": "DOJ GRU Indictment Jul 2018", "description": "Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved November 17, 2024.", "url": "https://cdn.cnn.com/cnn/2018/images/07/13/gru.indictment.pdf"}, {"source_name": "Cybersecurity Advisory GRU Brute Force Campaign July 2021", "description": "NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.", "url": "https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF"}, {"source_name": "NSA/FBI Drovorub August 2020", "description": "NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.", "url": "https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF"}, {"source_name": "SecureWorks TG-4127", "description": "SecureWorks Counter Threat Unit Threat Intelligence. (2016, June 16). Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Retrieved August 3, 2016.", "url": "https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign"}, {"source_name": "Secureworks IRON TWILIGHT Active Measures March 2017", "description": "Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.", "url": "https://www.secureworks.com/research/iron-twilight-supports-active-measures"}, {"source_name": "Secureworks IRON TWILIGHT Profile", "description": "Secureworks CTU. (n.d.). IRON TWILIGHT. Retrieved February 28, 2022.", "url": "https://www.secureworks.com/research/threat-profiles/iron-twilight"}, {"source_name": "Symantec APT28 Oct 2018", "description": "Symantec Security Response. 
(2018, October 04). APT28: New Espionage Operations Target Military and Government Organizations. Retrieved November 14, 2018.", "url": "https://www.symantec.com/blogs/election-security/apt28-espionage-military-government"}, {"source_name": "Sednit", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware [JHUHUGIT](https://attack.mitre.org/software/S0044).(Citation: FireEye APT28 January 2017)(Citation: SecureWorks TG-4127)(Citation: Kaspersky Sofacy)(Citation: Ars Technica GRU indictment Jul 2018)"}, {"source_name": "Sofacy", "description": "This designation has been used in reporting both to refer to the threat group and its associated malware.(Citation: FireEye APT28)(Citation: SecureWorks TG-4127)(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 3)(Citation: Ars Technica GRU indictment Jul 2018)(Citation: Talos Seduploader Oct 2017)"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T02:52:27.131Z", "name": "BITTER", "description": "[BITTER](https://attack.mitre.org/groups/G1002) is a suspected South Asian cyber espionage threat group that has been active since at least 2013. 
[BITTER](https://attack.mitre.org/groups/G1002) has targeted government, energy, and engineering organizations in Pakistan, China, Bangladesh, and Saudi Arabia.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016)", "aliases": ["BITTER", "T-APT-17"], "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "intrusion-set", "id": "intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9", "created": "2022-06-01T20:26:53.880Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1002", "external_id": "G1002"}, {"source_name": "T-APT-17", "description": "(Citation: Cisco Talos Bitter Bangladesh May 2022)"}, {"source_name": "Forcepoint BITTER Pakistan Oct 2016", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.", "url": "https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}, {"source_name": "Cisco Talos Bitter Bangladesh May 2022", "description": "Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.", "url": "https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-04-11T00:30:42.003Z", "name": "Operation Dust Storm", "description": "[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. 
By 2015, the [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.(Citation: Cylance Dust Storm)\n\n[Operation Dust Storm](https://attack.mitre.org/campaigns/C0016) threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.(Citation: Cylance Dust Storm)", "aliases": ["Operation Dust Storm"], "first_seen": "2010-01-01T07:00:00.000Z", "last_seen": "2016-02-01T06:00:00.000Z", "x_mitre_first_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_last_seen_citation": "(Citation: Cylance Dust Storm)", "x_mitre_deprecated": false, "x_mitre_version": "1.1", "type": "campaign", "id": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "created": "2022-09-29T20:00:38.136Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/campaigns/C0016", "external_id": "C0016"}, {"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_domains": ["enterprise-attack", "mobile-attack"]}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:27.797Z", "name": "Process Creation", "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. 
Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - EDRs provide process telemetry, tracking execution flows and arguments.\n- Windows Event Logs:\n - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation): Provides detailed logging\n- Linux/macOS Monitoring:\n - AuditD (execve syscall): Logs process creation.\n - eBPF/XDP: Used for low-level monitoring of system calls related to process execution.\n - OSQuery: Allows SQL-like queries to track process events (process_events table).\n - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.\n- Network-Based Monitoring:\n - Zeek (Bro) Logs: Captures network-based process execution related to remote shells.\n - Syslog/OSSEC: Tracks execution of processes on distributed systems.\n- Behavioral SIEM Rules:\n - Monitor process creation for uncommon binaries in user directories.\n - Detect processes with suspicious command-line arguments. ", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-09-16T16:18:00.876Z", "name": "Earth Lusca", "description": "[Earth Lusca](https://attack.mitre.org/groups/G1006) is a suspected China-based cyber espionage group that has been active since at least April 2019. 
[Earth Lusca](https://attack.mitre.org/groups/G1006) has targeted organizations in Australia, China, Hong Kong, Mongolia, Nepal, the Philippines, Taiwan, Thailand, Vietnam, the United Arab Emirates, Nigeria, Germany, France, and the United States. Targets included government institutions, news media outlets, gambling companies, educational institutions, COVID-19 research organizations, telecommunications companies, religious movements banned in China, and cryptocurrency trading platforms; security researchers assess some [Earth Lusca](https://attack.mitre.org/groups/G1006) operations may be financially motivated.(Citation: TrendMicro EarthLusca 2022)\n\n[Earth Lusca](https://attack.mitre.org/groups/G1006) has used malware commonly used by other Chinese threat groups, including [APT41](https://attack.mitre.org/groups/G0096) and the [Winnti Group](https://attack.mitre.org/groups/G0044) cluster, however security researchers assess [Earth Lusca](https://attack.mitre.org/groups/G1006)'s techniques and infrastructure are separate.(Citation: TrendMicro EarthLusca 2022)", "aliases": ["Earth Lusca", "TAG-22", "Charcoal Typhoon", "CHROMIUM", "ControlX"], "x_mitre_deprecated": false, "x_mitre_version": "2.0", "type": "intrusion-set", "id": "intrusion-set--cc613a49-9bfa-4e22-98d1-15ffbb03f034", "created": "2022-07-01T20:12:30.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1006", "external_id": "G1006"}, {"source_name": "Charcoal Typhoon", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "ControlX", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "CHROMIUM", "description": "(Citation: Microsoft Threat Actor Naming July 2023) (Citation: Recorded Future RedHotel August 2023)"}, {"source_name": "TAG-22", "description": "(Citation: Recorded Future TAG-22 July 
2021)"}, {"source_name": "TrendMicro EarthLusca 2022", "description": "Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca\u2019s Operations. Retrieved July 1, 2022.", "url": "https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf"}, {"source_name": "Recorded Future TAG-22 July 2021", "description": "INSIKT GROUP. (2021, July 8). Chinese State-Sponsored Activity Group TAG-22 Targets Nepal, the Philippines, and Taiwan Using Winnti and Other Tooling. Retrieved September 16, 2024.", "url": "https://www.recordedfuture.com/research/chinese-group-tag-22-targets-nepal-philippines-taiwan"}, {"source_name": "Recorded Future RedHotel August 2023", "description": "Insikt Group. (2023, August 8). RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale. Retrieved March 11, 2024.", "url": "https://go.recordedfuture.com/hubfs/reports/cta-2023-0808.pdf"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"modified": "2024-10-10T14:31:35.326Z", "name": "APT41", "description": "[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. 
Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.(Citation: apt41_mandiant) Notable behaviors include using a wide range of malware and tools to complete mission objectives. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)\n", "aliases": ["APT41", "Wicked Panda", "Brass Typhoon", "BARIUM"], "x_mitre_deprecated": false, "x_mitre_version": "4.1", "x_mitre_contributors": ["Kyaw Pyiyt Htet, @KyawPyiytHtet", "Nikita Rostovcev, Group-IB"], "type": "intrusion-set", "id": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "created": "2019-09-23T13:43:36.945Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0096", "external_id": "G0096"}, {"source_name": "Wicked Panda", "description": "(Citation: Crowdstrike GTR2020 Mar 2020)"}, {"source_name": "APT41", "description": "(Citation: FireEye APT41 2019)"}, {"source_name": "Brass Typhoon", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "BARIUM", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "Crowdstrike GTR2020 Mar 2020", "description": "Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.", "url": "https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf"}, {"source_name": "FireEye APT41 2019", "description": "FireEye. (2019). Double DragonAPT41, a dual espionage andcyber crime operationAPT41. 
Retrieved September 23, 2019.", "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"}, {"source_name": "FireEye APT41 Aug 2019", "description": "Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.", "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"}, {"source_name": "apt41_mandiant", "description": "Mandiant. (n.d.). APT41, A DUAL ESPIONAGE AND CYBER CRIME OPERATION. Retrieved June 11, 2024.", "url": "https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Group IB APT 41 June 2021", "description": "Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. 
Retrieved August 26, 2021.", "url": "https://www.group-ib.com/blog/colunmtk-apt41/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:23.639Z", "name": "Network Connection Creation", "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. 
Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "intrusion-set", "id": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", "created": "2021-12-26T23:11:39.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0142", "external_id": "G0142"}, {"source_name": "TrendMicro Confucius APT Feb 2018", "description": "Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. 
Retrieved December 26, 2021.", "url": "https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html"}, {"source_name": "TrendMicro Confucius APT Aug 2021", "description": "Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.", "url": "https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html"}, {"source_name": "Uptycs Confucius APT Jan 2021", "description": "Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.", "url": "https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:37:36.476Z", "name": "Confucius", "description": "[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. 
Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)", "aliases": ["Confucius", "Confucius APT"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-04-02T18:58:54.885Z", "name": "UNC788", "description": "[UNC788](https://attack.mitre.org/groups/G1029) is a group of hackers from Iran that has targeted people in the Middle East.(Citation: Meta Adversarial Threat Report 2022)", "aliases": ["UNC788"], "x_mitre_deprecated": false, "x_mitre_version": "1.0", "x_mitre_contributors": ["Denise Tan"], "type": "intrusion-set", "id": "intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258", "created": "2024-04-02T18:58:36.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1029", "external_id": "G1029"}, {"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "intrusion-set", "id": "intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28", "created": "2023-09-25T18:11:05.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1019", "external_id": "G1019"}, {"source_name": "MoustachedBouncer ESET August 2023", "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.", "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:37:40.255Z", "name": "MoustachedBouncer", "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) is a cyberespionage group that has been active since at least 2014 targeting foreign embassies in Belarus.(Citation: MoustachedBouncer ESET August 2023)", "aliases": ["MoustachedBouncer"], "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-03-29T14:59:30.164Z", "name": "Application Assets", "description": "Additional assets included with an application", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], 
"x_mitre_version": "1.0", "type": "x-mitre-data-component", "id": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", "created": "2024-03-29T14:59:30.164Z", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "created": "2023-03-13T20:00:38.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:22.260Z", "name": "Protected Configuration", "description": "Device configuration options that are not typically utilized by benign applications", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2024-12-04T21:17:08.593Z", "name": "Sandworm Team", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)\n\nIn October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm 
Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)", "aliases": ["Sandworm Team", "ELECTRUM", "Telebots", "IRON VIKING", "BlackEnergy (Group)", "Quedagh", "Voodoo Bear", "IRIDIUM", "Seashell Blizzard", "FROZENBARENTS", "APT44"], "x_mitre_deprecated": false, "x_mitre_version": "4.2", "x_mitre_contributors": ["Dragos Threat Intelligence", "Hakan KARABACAK"], "type": "intrusion-set", "id": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "created": "2017-05-31T21:32:04.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0034", "external_id": "G0034"}, {"source_name": "Voodoo Bear", "description": "(Citation: CrowdStrike VOODOO BEAR)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "ELECTRUM", "description": "(Citation: Dragos ELECTRUM)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "Sandworm Team", "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014) (Citation: InfoSecurity 
Sandworm Oct 2014)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "Quedagh", "description": "(Citation: iSIGHT Sandworm 2014) (Citation: F-Secure BlackEnergy 2014)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "FROZENBARENTS", "description": "(Citation: Leonard TAG 2023)"}, {"source_name": "APT44", "description": "(Citation: mandiant_apt44_unearthing_sandworm)"}, {"source_name": "IRIDIUM", "description": "(Citation: Microsoft Prestige ransomware October 2022)"}, {"source_name": "Seashell Blizzard", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "BlackEnergy (Group)", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "Telebots", "description": "(Citation: NCSC Sandworm Feb 2020)(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "IRON VIKING", "description": "(Citation: Secureworks IRON VIKING )(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020)"}, {"source_name": "Leonard TAG 2023", "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. Retrieved March 1, 2024.", "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"}, {"source_name": "US District Court Indictment GRU Oct 2018", "description": "Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.", "url": "https://www.justice.gov/opa/page/file/1098481/download"}, {"source_name": "Dragos ELECTRUM", "description": "Dragos. (2017, January 1). ELECTRUM Threat Profile. 
Retrieved June 10, 2020.", "url": "https://www.dragos.com/resource/electrum/"}, {"source_name": "F-Secure BlackEnergy 2014", "description": "F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.", "url": "https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf"}, {"source_name": "iSIGHT Sandworm 2014", "description": "Hultquist, J.. (2016, January 7). Sandworm Team and the Ukrainian Power Authority Attacks. Retrieved October 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html"}, {"source_name": "CrowdStrike VOODOO BEAR", "description": "Meyers, A. (2018, January 19). Meet CrowdStrike\u2019s Adversary of the Month for January: VOODOO BEAR. Retrieved May 22, 2018.", "url": "https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "Microsoft Prestige ransomware October 2022", "description": "MSTIC. (2022, October 14). New \u201cPrestige\u201d ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.", "url": "https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/"}, {"source_name": "InfoSecurity Sandworm Oct 2014", "description": "Muncaster, P.. (2014, October 14). Microsoft Zero Day Traced to Russian \u2018Sandworm\u2019 Hackers. Retrieved October 6, 2017.", "url": "https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/"}, {"source_name": "NCSC Sandworm Feb 2020", "description": "NCSC. (2020, February 20). 
NCSC supports US advisory regarding GRU intrusion set Sandworm. Retrieved June 10, 2020.", "url": "https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory"}, {"source_name": "USDOJ Sandworm Feb 2020", "description": "Pompeo, M. (2020, February 20). The United States Condemns Russian Cyber Attack Against the Country of Georgia. Retrieved September 12, 2024.", "url": "https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia/index.html"}, {"source_name": "mandiant_apt44_unearthing_sandworm", "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. Retrieved July 11, 2024.", "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"}, {"source_name": "US District Court Indictment GRU Unit 74455 October 2020", "description": "Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.", "url": "https://www.justice.gov/opa/press-release/file/1328521/download"}, {"source_name": "Secureworks IRON VIKING ", "description": "Secureworks. (2020, May 1). IRON VIKING Threat Profile. Retrieved June 10, 2020.", "url": "https://www.secureworks.com/research/threat-profiles/iron-viking"}, {"source_name": "UK NCSC Olympic Attacks October 2020", "description": "UK NCSC. (2020, October 19). UK exposes series of Russian cyber attacks against Olympic and Paralympic Games . 
Retrieved November 30, 2020.", "url": "https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "ics-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:34.519Z", "name": "Process Termination", "description": "The exit or termination of a running process on a system. This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor process termination events.\n- Windows Event Logs:\n - Event ID 4689 (Process Termination) \u2013 Captures when a process exits, including process ID and parent process.\n - Event ID 7036 (Service Control Manager) \u2013 Monitors system service stops.\n- Sysmon (Windows):\n - Event ID 5 (Process Termination) \u2013 Detects when a process exits, including parent-child relationships.\n- Linux/macOS Monitoring:\n - AuditD (`execve`, `exit_group`, `kill` syscalls) \u2013 Captures process termination via command-line interactions.\n - eBPF/XDP: Monitors low-level system calls related to process termination.\n - OSQuery: The processes table can be queried for abnormal exits.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "x-mitre-data-component", "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:31.145Z", "name": "OS API Execution", "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Leverage tools to monitor API execution behaviors at the process level.\n - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.\n- Process Monitor (ProcMon):\n - Use ProcMon to collect detailed logs of process and API activity. 
ProcMon can provide granular details on API usage and identify malicious behavior during analysis.\n- Windows Event Logs:\n - Use Event IDs from Windows logs for specific API-related activities:\n - Event ID 4688: A new process has been created (can indirectly infer API use).\n - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).\n- Dynamic Analysis Tools:\n - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.\n- Host-Based Logs:\n - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.\n- Runtime Monitors:\n - Runtime security tools like Falco can monitor system-level calls for API execution.\n- Debugging and Tracing:\n - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2025-04-07T14:44:59.715Z", "name": "LAPSUS$", "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) is cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. 
The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)", "aliases": ["LAPSUS$", "DEV-0537", "Strawberry Tempest"], "x_mitre_deprecated": false, "x_mitre_version": "2.1", "x_mitre_contributors": ["David Hughes, BT Security", "Matt Brenton, Zurich Insurance Group", "Flavio Costa, Cisco", "Caio Silva"], "type": "intrusion-set", "id": "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", "created": "2022-06-09T19:14:31.327Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G1004", "external_id": "G1004"}, {"source_name": "Strawberry Tempest", "description": "(Citation: Microsoft Threat Actor Naming July 2023)"}, {"source_name": "DEV-0537", "description": "(Citation: MSTIC DEV-0537 Mar 2022)"}, {"source_name": "BBC LAPSUS Apr 2022", "description": "BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.", "url": "https://www.bbc.com/news/technology-60953527"}, {"source_name": "Microsoft Threat Actor Naming July 2023", "description": "Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.", "url": "https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide"}, {"source_name": "MSTIC DEV-0537 Mar 2022", "description": "MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. 
Retrieved May 17, 2022.", "url": "https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"}, {"source_name": "UNIT 42 LAPSUS Mar 2022", "description": "UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.", "url": "https://unit42.paloaltonetworks.com/lapsus-group/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0013", "external_id": "DS0013"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T20:39:11.418Z", "name": "Sensor Health", "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Linux", "Windows", "macOS", "Android", "iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["enterprise-attack", "mobile-attack"], "x_mitre_version": "1.1", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "created": "2023-03-13T19:30:41.131Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": 
"https://attack.mitre.org/datasources/DS0041", "external_id": "DS0041"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:20.420Z", "name": "Application Vetting", "description": "Application vetting report generated by an external cloud service.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_collection_layers": ["Report"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "created": "2021-10-20T15:05:19.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0029", "external_id": "DS0029"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:13.424Z", "name": "Network Traffic", "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["IaaS", "Linux", "Windows", "macOS", "Android", "iOS", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)", "ExtraHop"], "x_mitre_collection_layers": ["Cloud Control Plane", "Host", "Network"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "created": "2023-03-13T19:36:25.108Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0042", "external_id": "DS0042"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:22:20.681Z", "name": "User Interface", "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Android", "iOS"], "x_mitre_deprecated": false, "x_mitre_domains": ["mobile-attack"], "x_mitre_version": "1.0", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_collection_layers": ["Device"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "created": "2021-10-20T15:05:19.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0017", "external_id": "DS0017"}, {"source_name": "Confluence Linux Command Line", "description": "Confluence Support. (2021, September 8). How to enable command line audit logging in linux. Retrieved September 23, 2021.", "url": "https://confluence.atlassian.com/confkb/how-to-enable-command-line-audit-logging-in-linux-956166545.html"}, {"source_name": "Audit OSX", "description": "Gagliardi, R. (n.d.). Audit in a OS X System. 
Retrieved September 23, 2021.", "url": "https://www.scip.ch/en/?labs.20150108"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:11:26.880Z", "name": "Command", "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Containers", "Linux", "Network Devices", "Windows", "macOS", "Android", "iOS", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)", "Austin Clark, @c2defense"], "x_mitre_collection_layers": ["Container", "Host"]}, {"type": "x-mitre-data-source", "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "created": "2021-10-20T15:05:19.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/datasources/DS0009", "external_id": "DS0009"}, {"source_name": "Microsoft Processes and Threads", "description": "Microsoft. (2018, May 31). Processes and Threads. Retrieved September 28, 2021.", "url": "https://docs.microsoft.com/en-us/windows/win32/procthread/processes-and-threads"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-18T15:10:24.655Z", "name": "Process", "description": "Instances of computer programs that are being executed by at least one thread. 
Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": ["Linux", "Windows", "macOS", "Android", "iOS", "ESXi"], "x_mitre_deprecated": false, "x_mitre_domains": ["ics-attack", "mobile-attack", "enterprise-attack"], "x_mitre_version": "1.2", "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": ["Center for Threat-Informed Defense (CTID)"], "x_mitre_collection_layers": ["Host"]}, {"modified": "2024-04-19T19:35:15.637Z", "name": "PROMETHIUM", "description": "[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)", "aliases": ["PROMETHIUM", "StrongPity"], "x_mitre_deprecated": false, "x_mitre_version": "2.1", "type": "intrusion-set", "id": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", "created": "2018-01-16T16:13:52.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mitre-attack", "url": "https://attack.mitre.org/groups/G0056", "external_id": "G0056"}, {"source_name": "PROMETHIUM", "description": "(Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)"}, {"source_name": "Microsoft SIR Vol 21", "description": "Anthe, C. et al. (2016, December 14). 
Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.", "url": "http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf"}, {"source_name": "Talos Promethium June 2020", "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html"}, {"source_name": "Microsoft NEODYMIUM Dec 2016", "description": "Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.", "url": "https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/"}, {"source_name": "StrongPity", "description": "The name StrongPity has also been used to describe the group and the malware used by the group.(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)"}, {"source_name": "Bitdefender StrongPity June 2020", "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_domains": ["mobile-attack"], "x_mitre_attack_spec_version": "3.2.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"}, {"type": "relationship", "id": "relationship--0008005f-ca51-47c3-8369-55ee5de1c65a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). 
SpyNote RAT posing as Netflix app. Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:36.787Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) uses an Android broadcast receiver to automatically start when the device boots.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308", "created": "2023-02-06T19:04:33.224Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:37.022Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can monitor notifications.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341", "created": "2019-07-16T14:33:12.085Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:37.265Z", "description": "[Triada](https://attack.mitre.org/software/S0424) utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.(Citation: Google Triada June 2019)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0100020b-97d4-4657-bc71-c6a1774055a6", "created": "2022-04-20T17:36:25.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:37.487Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has exfiltrated data via both SMTP and HTTP.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c", "created": "2025-03-28T15:09:39.238Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:37.713Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of installed applications.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--01965668-d033-4aca-a8e5-71a07070e266", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:37.912Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--01fd0686-d67f-4396-8812-3533063dd6b4", "created": "2023-08-16T16:38:47.766Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:38.112Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can remove artifacts of its presence and uninstall itself.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2", "created": "2020-09-15T15:18:12.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:38.324Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80", "created": "2020-07-20T13:49:03.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:38.545Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device\u2019s Android ID and serial number.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3", "created": "2023-02-06T18:50:12.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:38.768Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can check device system properties to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--022e941f-30c3-45a9-9f6f-36e704b80060", "created": "2020-04-24T17:46:31.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:38.980Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c", "created": "2017-10-25T14:48:53.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:39.209Z", "description": "Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges. ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f", "created": "2020-09-11T14:54:16.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). 
Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:39.418Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can encrypt exfiltrated data.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0291c9d5-8977-420d-8374-b786e3095a73", "created": "2023-03-20T18:49:53.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:39.649Z", "description": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:39.860Z", "description": "Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc", "created": "2021-10-01T14:42:49.174Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:40.056Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can abuse existing root access to copy components into the system partition.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--02e4aedc-0674-4598-948b-0a32758af9ca", "created": "2022-04-01T13:14:43.195Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:40.269Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b", "created": "2020-12-24T22:04:27.914Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:40.482Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03172b09-4f97-4fb8-95f0-92b2d8957408", "created": "2020-06-26T14:55:13.349Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:40.752Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) has encrypted base64-encoded payload data using RC4 and Curve25519.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0330db55-06e0-45a2-85a6-17617a37fdaf", "created": "2022-04-06T13:57:49.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:40.949Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8", "created": "2019-11-21T16:42:48.437Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:41.155Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect SMS messages.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122", "created": "2025-03-28T14:40:32.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:41.387Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has loaded additional modules stored in memory.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--03ff6271-d7bc-40f3-b83d-25c541333694", "created": "2019-11-19T17:32:20.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:41.595Z", "description": "If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71", "created": "2022-04-18T15:49:00.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:41.838Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download text files with commands from an FTP server and exfiltrate data via email.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--04530307-22d8-4a06-9056-55eea225fabb", "created": "2019-07-10T15:35:43.710Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:42.051Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--046acda0-91de-4385-bcfb-157570d8e51d", "created": "2023-03-30T15:25:00.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:42.263Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can search for installed applications that match a list of targets.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--049a5149-00c9-492a-8ffb-463f3d0cd910", "created": "2022-03-30T20:13:28.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android 10 Limitations to Hiding App Icons", "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.", "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons"}, {"source_name": "LauncherApps getActivityList", "description": "Android. (n.d.). LauncherApps: getActivityList. 
Retrieved March 30, 2022.", "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:42.468Z", "description": "Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--049b0c71-63e3-47ce-bb0b-149df0344b15", "created": "2020-12-24T21:45:56.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:42.695Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access device contacts.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--049c39ab-c036-457a-9b8f-4318416658b8", "created": "2022-03-30T19:54:24.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:42.902Z", "description": "A locked bootloader could prevent unauthorized modifications of protected operating system files. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112", "created": "2022-04-05T19:59:03.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:43.107Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc", "created": "2023-03-20T18:37:57.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:43.318Z", "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe", "created": "2019-12-10T16:07:41.093Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:43.535Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can download code and binaries from the C2 server to execute on the device as root.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab", "created": "2020-09-11T14:54:16.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:43.752Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can be controlled using SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:43.954Z", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples search to find the Apple account's username, password and device's GUID in data being transferred.(Citation: Xiao-KeyRaider)", "relationship_type": "uses", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:44.154Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather SMS messages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b", "created": "2023-09-21T19:38:21.735Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:44.375Z", "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76", "created": "2020-12-17T20:15:22.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:44.598Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has collected all outgoing phone numbers that start with \u201c86\u201d.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:44.818Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record audio via the microphone when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--06869cb8-7384-4d85-aa0a-78256133c88d", "created": "2024-04-02T19:46:53.072Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:45.031Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can make phone calls.(Citation: welivesecurity_apt-c-23)(Citation: SentinelLabs AridViper 2023)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b", "created": "2024-03-28T18:03:23.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_strongpity", "description": "Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. 
Retrieved March 19, 2023.", "url": "https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:45.260Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) on a compromised website to distribute a malicious version of a legitimate application.(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--069b2328-442b-491e-962d-d3fe01f0549e", "created": "2019-09-04T14:28:15.479Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:45.481Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via email and SMS from a set of \"control phones.\"(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d", "created": "2023-08-16T16:40:14.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:45.721Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather basic device information such as version, model, root status, and country.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85", "created": "2020-11-20T16:37:28.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:45.933Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect various pieces of device information, such as serial number and product information.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0727ac06-5b46-4f79-abe9-63c1b923d383", "created": "2023-02-06T19:05:56.974Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:46.140Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has included encoded shell scripts to potentially aid in the rooting process.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35", "created": "2024-03-28T18:32:59.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:46.369Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to encrypt C2 communication using AES.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--078653a6-3613-4923-ae5a-1bccb8552e67", "created": "2020-09-11T16:22:03.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:46.582Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) has been installed in two stages and can secretly install new applications.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:46.817Z", "description": "[WireLurker](https://attack.mitre.org/software/S0312) monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.(Citation: PaloAlto-WireLurker)", "relationship_type": "uses", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc", "created": "2022-03-30T19:36:20.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:47.021Z", "description": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--07c727a6-6323-477a-bb55-34e130959b4e", "created": "2023-10-10T15:33:57.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. 
(2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:47.257Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can mimic an app called \u201cStorage Settings\u201d if it cannot hide its icon.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--07dd3318-2965-4085-be64-a8e956c7b8da", "created": "2020-12-18T20:14:47.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:47.478Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has stored encoded strings.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e", "created": "2022-03-30T18:15:03.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:47.696Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f", "created": "2023-03-20T15:55:32.395Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:47.897Z", "description": "Application vetting services could look for use of standard APIs (e.g. 
the clipboard API) that could indicate data manipulation is occurring.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--082c3bd7-6088-4364-ae75-0eb45a635583", "created": "2025-03-27T22:48:11.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:48.109Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has checked if the device is jailbroken.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--084786ee-9384-4a00-9e1b-48f94ea70126", "created": "2019-09-03T19:45:48.517Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:48.317Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate calendar events.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--085f8397-0233-42d7-855e-3dbd709f2eca", "created": "2023-01-18T21:39:27.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:48.527Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the Android \u201cDirect Reply\u201d feature to spread the malware to other devices. 
It can also download the full version of the malware after initial device compromise.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f", "created": "2023-03-20T18:58:33.787Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:48.746Z", "description": "Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8", "created": "2022-04-01T15:16:02.324Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "iOS Universal Links", "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.", "url": "https://developer.apple.com/ios/universal-links/"}, {"source_name": "Android App Links", "description": "Google. (n.d.). Verify Android App Links. 
Retrieved September 11, 2020.", "url": "https://developer.android.com/training/app-links/verify-site-associations"}, {"source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:48.952Z", "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. ", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8", "created": "2023-07-21T19:38:06.254Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:49.166Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can retrieve account information for third party services, such as Google, Telegram, WeChat, or WhatsApp.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0891421a-8476-4d37-b274-645b90f139c7", "created": "2024-03-28T18:31:38.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_strongpity", "description": "Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. 
Retrieved March 19, 2023.", "url": "https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:49.383Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect information regarding available Wi-Fi networks.(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--08a43019-d393-451f-a23c-2dfa17ec40b2", "created": "2023-01-18T19:15:24.775Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:49.584Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can steal incoming SMS messages and send SMS messages from compromised devices. 
(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--08c81253-975c-4780-8e85-c72bc6a90c88", "created": "2020-10-29T19:21:23.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:49.813Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can generate revenue by automatically displaying ads.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b", "created": "2019-12-10T16:07:41.081Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:50.033Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) replaces `/system/bin/ip` with a malicious version. [Dvmap](https://attack.mitre.org/software/S0420) can inject code by patching `libdmv.so` or `libandroid_runtime.so`, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call `/system/bin/ip`, which was replaced with the malicious version.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--09059576-658b-4944-9f7b-df003319fdaa", "created": "2024-02-21T00:00:40.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:50.261Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa", "created": "2025-03-27T23:00:01.923Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:50.460Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has encrypted data using 3DES.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956", "created": "2020-11-24T17:55:12.873Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:50.672Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has communicated with the C2 using HTTP requests or WebSockets as a backup.(Citation: Talos GPlayed) ", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0993769f-63fb-4720-bbcf-e6f37f71515e", "created": "2020-06-02T14:32:31.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:50.893Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s name, serial number, iOS version, total disk space, and free disk space.(Citation: Google Project Zero Insomnia) ", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72", "created": "2023-09-21T19:37:48.020Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:51.093Z", "description": "Users can be trained to identify social engineering techniques and phishing emails.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca", "created": "2022-04-06T13:22:57.754Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:51.323Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "target_ref": 
"attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--09c6bbd4-9058-4657-9d8e-656439637ac6", "created": "2023-03-16T18:32:47.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:51.523Z", "description": "Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d", "created": "2023-02-06T19:01:08.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:51.755Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has encoded files, such as exploit binaries, to potentially use during and after the rooting process.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:51.960Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb", "created": "2020-12-18T20:14:47.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:52.164Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has included native modules.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0a610208-06af-425f-a9af-cd0899261e33", "created": "2020-09-11T15:45:38.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:52.372Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can send SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0a737289-c62d-4c0a-a857-6d116f774864", "created": "2020-06-26T15:12:40.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:52.578Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to read any text displayed on the screen.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0ae94053-1963-45ba-a3a9-62e508281c8e", "created": "2023-01-19T18:06:36.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:52.797Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can install malicious configurations on iPhones to allow malware to be installed via Ad Hoc distribution.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070", "created": "2022-04-15T17:18:44.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:52.998Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) obfuscated command information using a custom base85-based encoding.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d", "created": "2020-05-04T14:04:56.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:53.266Z", "description": "[Bread](https://attack.mitre.org/software/S0432) payloads have used several commercially available packers.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651", "created": "2023-04-11T19:54:52.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:53.464Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can programmatically tap the screen or swipe.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2", "created": "2023-03-20T15:28:54.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:53.668Z", "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. 
Application vetting could detect the usage of insecure or malicious third-party libraries.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1", "created": "2020-09-11T14:54:16.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:53.875Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) has been distributed in multiple stages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253", "created": "2020-12-31T18:25:05.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:54.086Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has fingerprinted devices to uniquely identify them.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0bb6f851-4302-4936-a98e-d23feecb234d", "created": "2020-06-02T14:32:31.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:54.320Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) exploits a WebKit vulnerability to achieve root access on the device.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349", "created": "2020-10-29T19:01:13.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:54.522Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has registered to receive 14 different broadcast intents for automatically triggering malware payloads. 
(Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e", "created": "2020-07-15T20:20:59.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:54.749Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access the device\u2019s contact list.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad", "created": "2023-03-20T18:55:03.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:54.960Z", "description": "Application vetting services could look for the Android permission 
`android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db", "created": "2019-08-09T17:59:48.988Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:55.163Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record and take pictures using the front and back cameras.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0c077d44-1c79-473c-8623-d6267ab47f34", "created": "2025-03-28T14:58:52.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:55.387Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors exploited a kernel vulnerability to obtain root privileges.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0c417238-738d-4bda-8359-d37d39414ebe", "created": "2023-08-04T18:30:41.599Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:55.603Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate phone number and IMEI.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0c49a6e0-9837-424d-877b-4e232f5fe250", "created": "2024-03-28T18:33:46.367Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:55.810Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to communicate with the C2 server using HTTPS.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0c558826-5cea-422e-8e67-83e53c04d409", "created": "2020-06-26T15:32:25.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint Cerberus", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:56.020Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 using HTTP requests over port 8888.(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0cabc5f9-045e-490c-a97f-efe00dbade86", "created": "2020-01-27T17:05:58.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:56.275Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record video.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:56.483Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to record device audio.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a", "created": "2025-03-27T22:53:40.058Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:56.713Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has used the Protobuf library for command and control communication.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c", "created": "2022-04-01T18:51:44.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:56.918Z", "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0cf39d51-2d80-4576-b088-e787b113513e", "created": "2023-09-28T17:39:48.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zimperium FlyTrap", "description": "A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. 
Retrieved September 28, 2023.", "url": "https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:57.132Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can use HTTP to communicate with the C2 server.(Citation: Zimperium FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f", "created": "2020-12-24T21:55:56.749Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:57.380Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has hidden its app icon.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b", "created": "2023-03-20T18:41:56.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:57.583Z", "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a", "created": "2021-02-17T20:43:52.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:57.814Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has used an online cell tower geolocation service to track targets.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184", "created": "2022-03-30T17:53:56.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:58.016Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43", "created": "2024-04-02T19:46:33.757Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:58.222Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has used blank screen overlays to hide malicious activity from the user.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594", "created": "2022-04-05T17:14:08.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:58.426Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50", "created": "2025-03-24T20:14:19.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:58.645Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has used both HTTPS and Websockets to communicate with the C2.(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0e8607f6-daab-44df-b167-105403a4ef41", "created": "2023-01-18T19:57:33.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:58.873Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the \u201cDirect Reply\u201d feature of Android to automatically reply to notifications with a message provided by C2.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39", "created": "2020-06-26T14:55:13.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:59.077Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) communicates with the C2 using HTTP requests.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:59.320Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4", "created": "2020-06-02T14:32:31.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:59.528Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can track the device\u2019s location.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd", "created": "2021-01-05T20:16:20.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:59.760Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can launch a fake Facebook login page.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b", "created": "2023-02-28T20:31:03.379Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. 
Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}, {"source_name": "bitdefender_flubot_0524", "description": "Filip TRU\u021a\u0102, R\u0103zvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. Retrieved February 28, 2023.", "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:46:59.983Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can send SMS phishing messages to other contacts on an infected device.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369", "created": "2023-02-02T17:46:27.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:00.216Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can exfiltrate captured user credentials and event logs back to the C2 server. (Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:00.436Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) collects the device's location.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2", "created": "2020-12-24T22:04:28.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:00.657Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has modified or configured proxy information.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936", "created": "2019-08-29T18:57:55.926Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Samsung Keyboards", "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20201112021547/https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:00.868Z", "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards) An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--10560632-6449-4579-90eb-20fc46dcca08", "created": "2020-10-29T19:21:23.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:01.070Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--10c07066-df05-4dff-bb95-c76be02ea4ef", "created": "2020-09-14T14:13:45.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). 
Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:01.280Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) imposes geo-restrictions when delivering the second stage.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451", "created": "2019-10-10T15:03:27.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:01.486Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One encrypts data using XOR prior to exfiltration.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--11113fa5-150e-4574-89fc-5db66479e268", "created": "2023-12-18T18:13:28.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}, {"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:01.709Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--112966ab-6e28-482b-8bea-ed9f4ed17064", "created": "2024-02-20T23:44:07.210Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:01.906Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--114f4334-16f4-402e-981a-902b2c9be6fb", "created": "2024-04-17T16:42:31.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_strongpity", "description": "Dong, Z. et al. (2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. 
Retrieved March 19, 2023.", "url": "https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:02.111Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) distributed [StrongPity](https://attack.mitre.org/software/S0491) through the compromised official Syrian E-Gov website.(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae", "created": "2023-10-10T15:33:59.743Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:02.315Z", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was placed in a repackaged version of an application used by Ukrainian artillery forces.(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--119b848b-84b4-4f86-a265-0c9eb8680072", "created": "2021-10-01T14:42:49.171Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:02.514Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can be controlled via IRC using freenode.net servers.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f", "created": "2023-10-10T15:33:57.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:02.718Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506)\u2019s second stage has masqueraded as \u201cSystem Updates\u201d, \u201cViber Update\u201d, and \u201cWhatsApp Update\u201d.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--11a992e7-83a3-4dc3-b391-fbd79e518943", "created": "2023-07-21T19:40:08.668Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:02.923Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can encrypt its data before exfiltration.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a", "created": "2025-03-24T14:58:31.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:03.132Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has attempted to detect anti-spam call applications.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e", "created": "2025-03-28T15:11:21.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:03.369Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors stole data from SQLite databases.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879", "created": "2019-09-04T14:28:16.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:03.575Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) uses XOR to obfuscate its second stage binary.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:03.804Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) can remotely lock infected Android devices and ask for a ransom.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--122ffed0-5f5a-4588-88a4-16924db24e9e", "created": "2024-03-26T19:35:11.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:04.014Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can collect and exfiltrate files with specific extensions, such as .pdf, doc.(Citation: welivesecurity_apt-c-23) ", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1250f91c-723d-4b4c-afea-b3a71101951f", "created": "2019-08-07T15:57:13.415Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:04.224Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can query the device's IMEI.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--127e6672-d16a-4370-b277-4d04874a4cfe", "created": "2023-02-06T19:37:24.358Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:04.426Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use overlays capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1284ba4a-c48c-4533-ac35-664828616ee3", "created": "2023-07-21T19:52:46.863Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:04.650Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access and exfiltrate files, such as photos or video.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1284f6fe-d352-415c-9479-82141524380a", "created": "2022-03-30T18:06:48.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:04.846Z", "description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). 
", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12852406-87df-4892-a177-e15e81739000", "created": "2023-03-20T18:50:14.139Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:05.058Z", "description": "Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12d14048-793c-456c-a2b8-d812de547ca7", "created": "2023-09-28T17:19:38.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:05.263Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can read SMS messages on the device.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12d61e7d-7fa6-422d-9817-901decf6b650", "created": "2019-07-10T15:35:43.663Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:05.466Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) uses phishing popups to harvest user credentials.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12de5aeb-9427-4665-81a0-257c76d6f188", "created": "2023-03-03T16:20:48.781Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:05.676Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has replaced device apps with ones it has downloaded.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--12df8ac7-06a4-4389-8d86-d354c4536e28", "created": "2024-03-26T19:32:36.539Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cyware APT-C-23 2020", "description": "Cyware. (2020, October 2). APT\u2011C\u201123 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.", "url": "https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4"}, {"source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/"}, {"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:05.881Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) reads notifications from applications and connected wearables.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d", "created": "2020-12-18T20:14:47.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:06.103Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has generated non-human advertising impressions.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1317fb3d-ded3-4b84-8007-147f3b02948a", "created": "2022-04-05T19:52:38.539Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:06.312Z", "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC-WG1-FinalReport) ", "relationship_type": "mitigates", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1329a866-0f6b-4660-b537-a6d208352502", "created": "2023-06-09T19:11:12.827Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). 
Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:06.509Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd", "created": "2023-08-04T18:35:25.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:06.749Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can try to run arbitrary commands as root.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1348c744-3127-4a55-a5b4-2f439f41e941", "created": "2020-07-27T14:14:56.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:06.950Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can install itself on the system partition to achieve persistence. 
[Zen](https://attack.mitre.org/software/S0494) can also replace `framework.jar`, which allows it to intercept and modify the behavior of the standard Android API.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--13495d9c-6877-4bc9-888a-7d92362bcb40", "created": "2023-06-09T19:10:19.108Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:07.165Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect device contacts.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d", "created": "2019-10-18T14:50:57.491Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:07.379Z", 
"description": "Security updates often contain patches for vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--13aba849-5004-4457-9f3b-49e470b589e0", "created": "2023-03-20T18:43:44.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:07.597Z", "description": "Application vetting services could look for connections to unknown domains or IP addresses. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579", "created": "2023-07-21T19:40:25.197Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:07.824Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can download and run code obtained from the C2.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--13efc415-5e17-4a16-81c2-64e74815907f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:08.050Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can prompt a fake alert dialog to phish user credentials.(Citation: PaloAlto-XcodeGhost)", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:08.264Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record audio using the device microphone.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c", "created": "2022-04-01T14:59:39.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:08.471Z", "description": "Apple regularly provides security updates for known OS vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--142532a6-bf7c-4b25-be23-16f01160f3c5", "created": "2020-09-15T15:18:12.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:08.702Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect account information stored on the device, as well as data in external storage.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--143833fb-8034-4e75-a030-d8e47f9bebef", "created": "2023-12-18T18:10:56.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:08.907Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can track the device's location.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--14474366-938a-4359-bf24-e2c718adfaf5", "created": "2020-06-26T14:55:13.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:09.130Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can download new libraries when instructed to.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--146275c0-b6dd-4700-bded-bc361a67d023", "created": "2020-09-14T14:13:45.253Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:09.364Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can record audio.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6", "created": "2022-03-30T15:18:21.256Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:09.574Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--148703c5-6d07-439c-a4ff-d77119c70857", "created": "2023-03-20T18:52:21.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:09.793Z", "description": "Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", 
"x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--15065492-1aef-4cf8-af3c-cc763eee5daf", "created": "2020-09-24T15:34:51.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:09.993Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can detect if it is being ran on an emulator.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa", "created": "2025-03-28T15:05:17.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:10.223Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors removed files from the device.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b", "created": "2025-03-24T20:13:23.329Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:10.469Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has retrieved files from the C2 server.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024) Examples of files from the C2 are ` amfidebilitate` (jailbreak component), ` jbexec ` (executable to verify jailbreak), `bb` (FrameworkLoader), `cc` (launchctl binary for persistence), `b.plist` (configuration for auto-start), and `resources.zip`, which contains additional jailbreak-related components.(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b", "created": "2025-04-14T17:40:59.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. 
Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:10.710Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) uses the WifiList (or `libWifiList`) plugin to gather Wi-Fi network information, such as the SSID, BSSID, signal strength (RSSI), channel, security type, and previously saved networks.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)(Citation: Threatfabric LightSpy 2023)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd", "created": "2020-06-26T15:12:40.094Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:10.904Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052", "created": "2024-03-28T18:29:23.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:11.105Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect SMS messages.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80", "created": "2022-03-30T19:33:05.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:11.327Z", "description": "Security updates typically provide patches for vulnerabilities that enable device rooting.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9", "created": "2020-04-24T17:46:31.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:11.540Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1687c7a0-a453-4737-a10d-c57b94d5a458", "created": "2025-03-28T14:56:15.832Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}, {"source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:11.764Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors downloaded subsequent stages from the C2.(Citation: SecureList OpTriangulation 01Jun2023)(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d", "created": "2021-10-01T14:42:48.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:11.980Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect images stored on the device and browser history.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--16d969ca-59ae-4c87-888f-fa231ad863d1", "created": "2024-03-28T18:27:18.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:12.208Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect message notifications from 17 applications.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--17141729-226d-40d4-928d-ffbd2eed7d11", "created": "2022-04-05T19:37:16.086Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:12.412Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca", "created": "2020-09-11T16:22:03.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:12.613Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s contact list.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--17558571-7352-470b-b728-0511fb3f699d", "created": "2019-10-18T15:51:48.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:12.812Z", "description": "Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--17697784-f6e0-4062-adaa-7779e44e2d62", "created": "2024-02-20T23:57:03.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:13.024Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7", "created": "2022-03-31T19:53:01.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:13.275Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--17e94f34-e367-491c-9f9f-79294e124b4f", "created": "2020-12-17T20:15:22.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:13.482Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can intercept SMS messages.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744", "created": "2025-03-24T20:07:56.454Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. 
Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:13.721Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s contact list.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1822e616-ae33-487c-8aa6-4fa81e724184", "created": "2021-02-08T16:36:20.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:13.928Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--185764e3-b559-4a65-818e-1cad4db6d105", "created": "2024-04-04T17:42:29.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:14.147Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) can send SMS messages.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd", "created": "2022-04-01T18:50:00.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:14.378Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495", "created": "2024-02-20T23:52:29.033Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:14.583Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea", "created": "2022-04-06T13:40:14.515Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android 10 Privacy Changes", "description": "Android Developers. (n.d.). Privacy changes in Android 10. 
Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:14.795Z", "description": "Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device\u2019s default input method editor (IME).(Citation: Android 10 Privacy Changes)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:15.006Z", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.(Citation: Lookout-Adware)", "relationship_type": "uses", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:15.233Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted the full contents of text messages.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1987b242-c868-40b2-993d-9dbeea311d4b", "created": "2022-03-30T14:08:09.882Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:15.453Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--198b99e6-3954-4c93-90bc-4227b45270a4", "created": "2023-08-04T19:03:55.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:15.672Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can delete locally gathered files after uploading them to the C2 to avoid suspicion.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--19b95b83-bac0-455f-882f-0209abddb76f", "created": "2022-04-05T20:11:35.619Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:15.882Z", "description": "Applications that properly encrypt network traffic may evade some forms of AiTM behavior. ", "relationship_type": "mitigates", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--19df76ee-fa85-43cf-96ce-422d46f29a13", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:16.079Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) listens for the `BOOT_COMPLETED` broadcast intent in order to maintain persistence and activate its functionality at device boot time.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80", "created": "2022-03-31T19:51:41.431Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:16.319Z", "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd", "created": "2020-07-15T20:20:59.289Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. 
(2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:16.539Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e", "created": "2020-09-14T14:13:45.299Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:16.762Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version has used public key encryption for C2 communication.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e", "created": "2022-04-01T17:05:56.046Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:16.966Z", "description": "On Android 11 and up, users are not prompted with the option to select \u201cAllow all the time\u201d and must navigate to the settings page to manually select this option. On iOS 14 and up, users can select whether to provide Precise Location for each installed application. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee", "created": "2025-03-14T17:59:16.502Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:17.172Z", "description": "The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9", "created": "2020-09-11T14:54:16.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:17.395Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can obtain a list of installed applications.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b", "created": "2023-07-21T19:35:17.565Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:17.613Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can access a device\u2019s microphone to record audio, as well as cell and VoIP application calls.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e", "created": "2020-12-31T18:25:05.165Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:17.824Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES) ", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a", "created": "2023-08-16T16:36:59.360Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:18.039Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather cookies and device logs.(Citation: cyble_chameleon_0423) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1c180c0e-c789-4176-b568-789ada9487bb", "created": "2020-10-29T19:21:23.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:18.283Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if *developer mode* is enabled.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:18.489Z", "description": "[Judy](https://attack.mitre.org/software/S0325) uses infected devices to generate fraudulent clicks on advertisements to generate revenue.(Citation: CheckPoint-Judy)", "relationship_type": "uses", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf", "created": "2023-02-06T18:59:46.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:18.704Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73", "created": "2020-07-20T14:12:15.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Check Point-Joker", "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. 
Retrieved July 20, 2020.", "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:18.916Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can collect device notifications.(Citation: Check Point-Joker)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1cc71849-142f-4097-9546-7946b0b546a6", "created": "2020-04-08T15:51:25.125Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:19.123Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can determine if it is running in an emulator.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:19.378Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) uses phishing pages mimicking Google Play's payment interface as well as bank login pages.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de", "created": "2023-03-20T15:57:00.953Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:19.593Z", "description": "The user is prompted for approval when an application requests device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b", "created": "2023-08-07T22:15:34.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:19.816Z", "description": "Command-line activities can potentially be detected through Mobile 
Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1d828f51-1c04-466c-beaf-2d4de741a544", "created": "2020-05-04T14:04:56.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:20.018Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can access SMS messages in order to complete carrier billing fraud.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1db350b2-1e8b-4d58-9086-eac41de1b110", "created": "2022-04-05T17:13:56.584Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:20.286Z", "description": "", 
"relationship_type": "subtechnique-of", "source_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1e286a4a-63cd-47df-a034-11a5d92daceb", "created": "2022-04-06T15:41:03.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:20.492Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a", "created": "2020-06-26T15:32:24.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:20.706Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) hides its icon from the application drawer after being launched for the first time.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1e822ff0-b1e1-4d80-b1a2-956919511809", "created": "2023-12-18T19:06:20.411Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:20.917Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can communicate with the C2 using HTTPS requests.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e", "created": "2019-09-03T19:45:48.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:21.132Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223", "created": "2020-11-20T16:37:28.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:21.382Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has been distributed in two stages.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f31e348-a4ee-4874-891f-393c65a7640a", "created": "2023-07-21T19:34:13.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:21.586Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate a device\u2019s contacts.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f", "created": "2023-02-28T20:39:57.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:21.822Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Domain Generation Algorithms to connect to the C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435", "created": "2022-04-05T19:51:08.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android 12 Features", "description": "Google. (2022, April 4). Features and APIs Overview. 
Retrieved April 5, 2022.", "url": "https://developer.android.com/about/versions/12/features"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:22.046Z", "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9", "created": "2021-10-01T14:42:49.170Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:22.266Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can hide its icon.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b", "created": "2020-04-08T15:51:25.128Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:22.473Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can collect SMS messages.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87", "created": "2020-05-04T14:04:56.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Bread", "description": "A. Guertin, V. 
Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:22.700Z", "description": "[Bread](https://attack.mitre.org/software/S0432) has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. [Bread](https://attack.mitre.org/software/S0432) downloads billing fraud execution steps at runtime.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1f8f0021-6992-476c-ba1c-232542dc1633", "created": "2023-03-20T18:58:52.857Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:22.928Z", "description": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd", "created": "2020-04-08T18:55:29.205Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": 
false, "external_references": [{"source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"}, {"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:23.138Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis) ", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--1fdf9c43-0237-461f-86d4-1da843078744", "created": "2023-09-21T19:38:49.571Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:23.359Z", "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": 
"attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--20310407-9b05-4d7b-9548-961f545e14e1", "created": "2023-06-09T19:18:41.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:23.574Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) uses an infrequent data upload schedule to avoid user detection and battery drain. It also can delete on-device data after being sent to the C2, and stores collected data in hidden folders on external storage.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6", "created": "2020-07-20T13:27:33.553Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:23.816Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) sends the device\u2019s IMEI with each exfiltration request.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--204e30ed-5e69-400b-a814-b77e10596865", "created": "2022-04-06T15:50:42.481Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:24.029Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:24.296Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect SMS, MMS, and Gmail messages.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--209aa948-393c-46b0-9488-ef93a6252438", "created": "2022-03-30T20:07:19.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:24.513Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0", "created": "2020-12-24T21:55:56.741Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:24.722Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the contact list.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86", "created": "2022-04-06T13:55:37.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:24.920Z", "description": "Users should be advised that applications generally do not require permission to send SMS messages.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef", "created": "2024-03-26T19:30:26.368Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:25.131Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) listens for the `BOOT_COMPLETED` broadcast to activate malware.(Citation: welivesecurity_apt-c-23) ", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2115228b-c61a-4ebb-829a-df7355635fbf", "created": "2020-12-17T20:15:22.491Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:25.365Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can detect if the app is running on an emulator.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--212801c2-5d14-4381-b25a-340cda11a5ac", "created": "2020-12-18T20:14:47.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:25.579Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has displayed a form to collect user data after installation.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2167de58-8453-4ac3-977d-30a2b3526818", "created": "2025-02-12T15:22:13.938Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Mphasis SS_SIM_Swap Apr2024", "description": "Mphasis. (2024, April 17). Scattered Spider conducts SIM swapping attacks. 
Retrieved February 3, 2025.", "url": "https://www.mphasis.com/content/dam/mphasis-com/global/en/home/services/cybersecurity/scattered-spider-conducts-sim-swapping-attacks-12.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:25.798Z", "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used SIM swapping to maintain persistence on mobile carrier networks and SIM cards.(Citation: Mphasis SS_SIM_Swap Apr2024) ", "relationship_type": "uses", "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf", "created": "2023-12-18T19:05:38.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:26.003Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9", "created": "2020-07-20T13:27:33.509Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:26.218Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device\u2019s call log.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22041a01-75e7-4ff6-8768-ad45188c53c7", "created": "2023-02-28T21:45:25.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:26.432Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can obtain a list of installed applications.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22290cce-856a-46d5-9589-699f5dfc1429", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:26.652Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) covertly records phone calls.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22334426-e99f-4e97-b4dd-17e297da4118", "created": "2020-12-24T21:55:56.696Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:26.863Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d", "created": "2025-03-24T20:13:57.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:27.088Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has plugins for executing shell commands either from the C2 server or a library file called `zt.dylib`.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22708018-defd-4690-8b0f-fe47e11cb5d6", "created": "2020-07-15T20:20:59.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:27.331Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can capture all device notifications and hide notifications from the user.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2270d987-4698-4b59-9186-3d7637cf6599", "created": "2025-03-28T14:39:53.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:27.537Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has extracted the device\u2019s keychain.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8", "created": "2023-08-04T18:32:57.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:27.770Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can record environmental and call audio.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22773074-4a95-48e0-905f-688ce048b5ed", "created": "2020-04-24T17:46:31.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:27.991Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22e90a62-3f31-4190-98ee-eabede72eb07", "created": "2025-03-28T14:59:44.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}, {"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:28.240Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used 3DES and AES to encrypt C2 communication and data.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6", "created": "2021-01-05T20:16:20.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:28.462Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can track the device\u2019s location.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--22f5308c-77ee-4198-be1c-54062aa6a613", "created": "2020-12-31T18:25:05.160Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:28.701Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14", "created": "2019-07-10T15:35:43.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. 
(2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:28.911Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves a list of all applications installed on the device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--23522416-9493-4960-8408-f7befae7be60", "created": "2024-02-20T23:59:14.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:29.125Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device\u2019s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081", "created": "2023-01-18T19:19:01.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:29.381Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use Accessibility Services to disable Google Play Protect.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2", "created": "2023-01-18T19:57:13.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:29.580Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use Accessibility Services to detect which process is in the foreground.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798", "created": "2020-10-29T19:01:13.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:29.792Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has employed both name mangling and meaningless variable names in source. [AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. 
(Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--23ecc134-0623-45ec-b8b5-52516483bda1", "created": "2023-04-14T14:10:04.452Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:29.989Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f", "created": "2022-04-01T18:52:13.171Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:30.254Z", "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", 
"relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--242dc659-c205-4e9e-95f9-14fee66195af", "created": "2022-04-01T15:29:36.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:30.450Z", "description": "Configuration of per-app VPN policies instead of device-wide VPN can restrict access to internal enterprise resource access via VPN to only enterprise-approved applications", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a", "created": "2024-03-26T19:33:50.343Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. 
Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:30.665Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can capture pictures and videos.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53", "created": "2020-07-15T20:20:59.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:30.890Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) uses foreground persistence to keep a service running. 
It shows the user a transparent notification to evade detection.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--24a7379e-a994-411b-b17c-add6c6c6fc07", "created": "2020-12-24T21:45:56.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:31.109Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has hidden malicious functionality in a second stage file and has encrypted C2 server information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:31.332Z", "description": "", "relationship_type": "revoked-by", "source_ref": 
"attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48", "created": "2020-09-24T15:34:51.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:31.538Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can intercept SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--25466097-53c6-4dc7-8409-197758e88673", "created": "2023-08-16T16:45:11.580Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:31.749Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can download HTML overlay pages after installation.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--25655385-5b0d-4700-a59f-d5d043625b84", "created": "2023-02-06T18:50:50.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:31.953Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use rooting exploits to silently give itself permissions or install additional malware.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3", "created": "2023-12-18T18:09:56.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}, {"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:32.267Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can uninstall itself and remove traces of infection.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527", "created": "2019-09-04T14:28:16.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:32.477Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve nearby cell tower and Wi-Fi network information.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3", "created": "2023-03-03T16:26:48.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:32.711Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected compromised device MAC addresses.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd", "created": "2020-04-08T18:55:29.196Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:32.911Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) exfiltrates data encrypted (with RC4) by its ransomware module.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--268c12df-d3bc-46fa-99e9-32caab50b175", "created": "2022-03-30T15:52:09.759Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:33.130Z", "description": "Device attestation can often detect jailbroken or rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--268c2962-a557-4782-a40b-eef430c87740", "created": "2025-03-24T14:51:33.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:33.367Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the official icon of the Korean police application and the package name \u201ckpo,\u201d which contain references related to the Korean police.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--269d4409-e287-4ef3-b5f3-765ec03e503e", "created": "2020-06-02T14:32:31.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:33.578Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) grants itself permissions by injecting its hash into the kernel\u2019s trust cache.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7", "created": "2022-04-01T18:45:11.299Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:33.818Z", "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51", "created": "2022-04-01T12:37:17.515Z", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:34.039Z", "description": "OS feature updates often enhance security and privacy around permissions. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--26c2626b-92a0-4798-b9f3-00abf12a817b", "created": "2025-03-28T14:41:49.137Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:34.264Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has deleted an implant module or specified files.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--27050442-e578-44b7-9534-ada78824befe", "created": "2023-02-06T19:45:09.612Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:34.475Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can intercept and read SMS messages.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--271a311f-71bc-4558-a314-0edfbec44b64", "created": "2019-11-21T16:42:48.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:34.690Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) collects device information, including the device model and OS version.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:34.884Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's location.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--27490b14-8044-408a-8c6a-6d8427eb78ff", "created": "2023-03-20T18:44:26.233Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:35.083Z", "description": "The user can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9", "created": "2023-02-28T21:42:52.037Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:35.312Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request location permissions.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2793d721-df10-4621-8387-f3342def59a1", "created": "2022-03-30T18:14:36.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:35.525Z", "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--279b016a-45c8-4961-88fa-48162e56c3fa", "created": "2024-02-21T20:49:34.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. 
(2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:35.752Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card information, and Wi-Fi information.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea", "created": "2020-07-15T20:20:59.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:35.955Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect all accounts stored on the device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c", "created": "2020-07-27T14:14:56.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:36.152Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can obtain root access via a rooting trojan in its infection chain.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6", "created": "2022-04-01T14:59:53.782Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:36.352Z", "description": "Device attestation can often detect jailbroken devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a", "created": "2020-12-28T18:47:52.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:36.551Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can run commands as root.(Citation: Palo Alto HenBox) ", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2", "created": "2020-04-24T17:46:31.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:36.762Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) communicates with the C2 by sending JSON objects over unencrypted HTTP requests.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--289f5e23-088a-4840-a2a6-bab30da2a64b", "created": "2022-04-01T16:51:04.584Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "GoogleIO2016", "description": "Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). 
Retrieved December 9, 2016.", "url": "https://www.youtube.com/watch?v=XZzLjllizYs"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:36.985Z", "description": "Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.(Citation: GoogleIO2016)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad", "created": "2020-12-24T21:55:56.752Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:37.218Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploits to root devices and install additional malware on the system partition.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--290a627d-172d-494d-a0cc-685f480a1034", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}, {"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:37.420Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects call logs.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15", "created": "2021-09-24T14:47:34.447Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:37.618Z", "description": "Device attestation can often detect rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--29357289-362c-447c-b387-9a38b50d7296", "created": "2022-04-15T17:20:06.338Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}, {"source_name": "Check Point-Joker", "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). 
New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020.", "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:37.831Z", "description": "[Bread](https://attack.mitre.org/software/S0432) uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. [Bread](https://attack.mitre.org/software/S0432) has also abused Java and JavaScript features to obfuscate code. [Bread](https://attack.mitre.org/software/S0432) payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file. [Bread](https://attack.mitre.org/software/S0432) has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.(Citation: Check Point-Joker)(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224", "created": "2019-09-03T20:08:00.670Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:38.047Z", "description": " [Gustuff](https://attack.mitre.org/software/S0406) can capture files and photos from the compromised device.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590", "created": "2019-09-23T13:36:08.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:38.276Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can access and upload the contacts list to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:38.476Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uploads incoming SMS messages to a remote command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce", "created": "2020-12-18T20:14:47.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:38.691Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used timer events in React Native to initiate the foreground service.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2a472430-c30e-4877-8933-2e75f1de9a01", "created": "2022-03-30T14:00:45.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:38.892Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92", "created": "2024-02-21T21:08:13.038Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:39.087Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0", "created": "2023-02-28T20:30:01.082Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}, {"source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. 
Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:39.299Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) has used the contact list to infect more devices.(Citation: proofpoint_flubot_0421)(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a", "created": "2025-03-24T20:13:08.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:39.505Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s KeyChain data.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2acc0c1a-af30-4410-976b-31148df5378d", "created": "2022-03-28T19:39:42.538Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:39.720Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2ae97bcd-0481-415c-8337-12d3a30e6911", "created": "2024-02-20T23:58:31.474Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": 
"Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:39.927Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2af26be3-f910-4700-ab14-9d14532601cc", "created": "2023-07-21T19:53:32.703Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:40.142Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access the device\u2019s call log.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7", "created": "2023-01-18T19:19:34.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:40.386Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can send stolen data back to the C2 server.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7", "created": "2023-03-20T18:55:33.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:40.646Z", "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. 
On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22", "created": "2024-03-26T19:04:29.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:40.847Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can read SMS messages.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9", "created": "2023-03-20T18:51:07.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:41.067Z", "description": "Network traffic analysis could reveal patterns 
of compromise if devices attempt to access unusual targets or resources. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16", "created": "2021-02-17T20:43:52.420Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:41.267Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved device images for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:41.465Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole call logs.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1", "created": "2020-07-20T13:27:33.514Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:41.690Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete files from the device.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd", "created": "2020-09-11T14:54:16.644Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. 
(2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:41.899Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can list files stored on external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57", "created": "2024-03-26T18:41:48.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:42.099Z", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) can collect the victim\u2019s phone number, device information, IMSI, etc.(Citation: checkpoint_hamas_android_malware) ", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6", "created": "2023-01-19T18:07:26.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:42.315Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can utilize WebViews to display fake authentication pages that capture user credentials.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07", "created": "2023-03-20T18:54:25.458Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:42.533Z", "description": "The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2cdd5474-620c-499e-8b9c-835505febc2c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:42.754Z", "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f", "created": "2023-08-16T16:38:15.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:42.965Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can perform system checks to verify if the device is rooted or has ADB enabled and can avoid execution if found.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b", "created": "2021-02-17T20:49:24.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:43.165Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) can run arbitrary shell commands.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2d3198ff-a481-47ec-ae64-13d7be706929", "created": "2023-02-28T21:41:47.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:43.373Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record video from the device camera.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:43.571Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can read and write data in the user\u2019s clipboard.(Citation: PaloAlto-XcodeGhost)", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e08820f-a81d-480e-9e60-f14db3e49080", "created": "2019-09-04T14:28:15.909Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:43.810Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can take photos and videos.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8", "created": "2019-09-04T15:38:56.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:44.008Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can take screenshots of other applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1", "created": "2020-12-24T21:45:56.920Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:44.220Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has attempted to trick users into enabling installation of applications from unknown sources.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010", "created": "2023-12-18T18:08:09.656Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}, {"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:44.433Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can capture and send real-time screen output.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e", "created": "2020-06-02T14:32:31.888Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:44.649Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) obfuscates various pieces of information within the application.(Citation: Volexity Insomnia) ", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3", "created": "2020-12-18T20:14:47.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:44.858Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings(Citation: WhiteOps TERRACOTTA).", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0", "created": "2019-09-04T20:01:42.722Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:45.076Z", "description": "Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e7f8995-93ae-41bb-9baf-53178341d93e", "created": "2021-02-08T16:36:20.630Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:45.304Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has deployed anti-analysis capabilities during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e826926-fd5b-407c-adbc-e998058728d3", "created": "2019-09-04T15:38:56.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:45.506Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record both incoming and outgoing phone calls, as well as microphone audio.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2e913583-123a-47af-8872-98fc12ab4a6a", "created": "2020-11-24T17:55:12.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:45.715Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can send SMS messages.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055", "created": "2020-01-27T17:05:58.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. 
(2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:45.926Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect SMS messages.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76", "created": "2019-10-18T14:50:57.472Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:46.131Z", "description": "Security updates frequently contain patches for known exploits.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349", "created": "2025-03-24T17:58:36.182Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:46.369Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has compromised iPhones running iOS 12.1 and 12.2 without any user interaction.(Citation: Shoshin_Kaspersky LightSpy 2020) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f41ab75-3490-4642-8111-9d4d43b88df7", "created": "2023-08-04T18:32:23.019Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:46.575Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can take screenshots and abuse accessibility services to scrape BlackBerry Messenger and WhatsApp messages, contacts, and notifications(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f55e452-f8b3-402b-a193-d261dac9f327", "created": "2022-04-01T18:53:48.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:46.799Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3", "created": "2021-04-19T14:29:46.530Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:46.994Z", "description": " [SilkBean](https://attack.mitre.org/software/S0549) can send SMS messages.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7", "created": "2023-03-15T16:26:04.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:47.221Z", "description": "The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865", "created": "2023-09-28T17:21:02.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:47.418Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can take photos using the device cameras.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2", "created": "2022-04-01T13:27:29.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:47.620Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386", "created": "2023-08-04T19:02:39.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:47.816Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--300c824d-5586-411b-b274-8941a99a98fb", "created": "2022-03-30T14:06:01.859Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:48.013Z", "description": "Device attestation can often detect jailbroken or rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96", "created": "2024-03-28T18:27:40.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:48.220Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect file lists on the victim device.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa", "created": "2023-08-07T17:12:44.013Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:48.434Z", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761", "created": "2023-12-05T22:17:17.084Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:48.660Z", "description": "Security updates frequently 
contain patches for known software vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--30ab9ce7-5369-402a-94ee-f8452642acb9", "created": "2022-03-30T19:50:37.739Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:48.873Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546", "created": "2023-07-21T19:53:45.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:49.081Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can request camera permissions.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:49.314Z", "description": "(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f", "created": "2022-03-30T18:14:04.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec-iOSProfile2", "description": "Brian Duckering. (2017, March 27). 
Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018.", "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles"}, {"source_name": "Android-TrustedCA", "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018.", "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:49.513Z", "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--319d46b5-de41-4f23-9001-2fa75f954720", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:49.730Z", "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--322d0123-ea4c-4562-a718-672952c83d05", "created": "2023-03-20T18:55:54.372Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:49.939Z", "description": "Application vetting services could look for misuse of dynamic libraries.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3230c032-17e0-49f7-b948-c157049aafe2", "created": "2017-10-25T14:48:53.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:50.156Z", "description": "Users should ensure bootloaders are locked to prevent arbitrary operating system code from being flashed onto the device.", "relationship_type": "mitigates", "source_ref": 
"course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3272111a-f31d-47d5-a266-1749255b5016", "created": "2019-09-23T13:36:08.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:50.370Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can be controlled through SMS messages.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--327d0102-2113-4e12-be68-504db097a6fd", "created": "2019-08-07T15:57:13.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:50.562Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) communicates with the command and control server using HTTP requests.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--32958f57-ad9b-4fe1-abf3-6f92df895014", "created": "2019-08-05T13:22:03.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:50.774Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--32be51e2-f74d-441f-aa0d-952697a76494", "created": "2019-09-04T15:38:56.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:50.977Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses a `FileObserver` object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. 
[FlexiSpy](https://attack.mitre.org/software/S0408) can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--33316f49-f1fb-453a-9ba7-d6889982a010", "created": "2020-07-20T13:27:33.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:51.209Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can obtain a list of installed applications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3364dd33-c012-4aaf-852b-86e63bd724ac", "created": "2023-02-06T19:38:22.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}, {"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:51.409Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather session cookies from infected devices. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also abuse Accessibility Services to steal Google Authenticator tokens.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--33857221-2543-4a7f-8255-b0d140d70ad7", "created": "2020-07-20T13:27:33.461Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:51.609Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record call audio.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--34351abd-1f58-420a-a893-ad822839815d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:51.819Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures call logs.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0", "created": "2020-12-14T14:52:03.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). 
Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:52.021Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can download additional overlay templates.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--348d1acd-3f37-4523-95cd-ae002c02c975", "created": "2023-08-23T22:17:46.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:53.093Z", "description": "Users should be wary of iMessages from unknown senders. Additionally, users should be instructed not to open unrecognized links or other attachments in text messages. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3498d304-48e3-4fe4-a3ab-fc261104f413", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:53.321Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record audio using the device microphone.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--349c2f82-1166-4dab-88d0-cfe920804b70", "created": "2023-12-18T19:06:41.939Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:53.524Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can exfiltrate collected data to the C2, such as audio recordings and files.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f", "created": "2019-11-21T19:16:34.776Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:53.723Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--34b6abb0-d199-46bb-af21-b65560e75658", "created": "2022-04-01T19:06:40.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:53.934Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--34dd5c26-eec9-4288-8e53-677271d490b2", "created": "2023-01-18T19:46:02.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:54.146Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use accessibility event logging to steal data in text fields.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--34f9aed0-48a7-4815-8456-5541a7b8210f", "created": "2019-09-04T14:28:16.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:54.362Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the user's keystrokes.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--352fabc8-48fe-4190-92b3-49b00348bb22", "created": "2019-03-11T15:13:40.454Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-Anserver", "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:54.565Z", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) uses encrypted content within a blog site for part of its command and control. 
Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.(Citation: TrendMicro-Anserver)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--35453bbb-c9b3-4421-8452-95efdd290d21", "created": "2021-01-20T16:01:19.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zimperium z9", "description": "zLabs. (2019, November 12). How Zimperium\u2019s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021.", "url": "https://blog.zimperium.com/how-zimperiums-z9-detected-unknown-mobile-malware-overlooked-by-the-av-industry/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:54.779Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of running processes.(Citation: Zimperium z9)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3565140f-1570-494d-9d6f-91c9203ece69", "created": "2023-03-20T18:52:29.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:54.977Z", "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. 
Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--35927c96-7645-4ef3-b3da-e44822386a10", "created": "2023-01-18T21:43:10.838Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:55.178Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c", "created": "2023-08-16T16:44:09.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:55.381Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can use HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--35a12ae8-562d-4e24-979e-ef970dde0b94", "created": "2022-04-15T17:52:24.125Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:55.587Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:55.823Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) tricks the user into sending SMS messages to premium services and then deletes those messages.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3", "created": "2020-11-24T17:55:12.830Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:56.023Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can read SMS messages.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--36268322-9f5e-4749-8760-6430178a3d68", "created": "2020-06-26T14:55:13.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:56.223Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can intercept SMS messages.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--36298fd6-d909-4490-8a04-095aef9ffafe", "created": "2020-11-20T15:54:07.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:56.428Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can record audio from the microphone and phone calls.(Citation: Symantec GoldenCup) ", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:56.649Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses HTTP requests for C2 communication.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--36c71b5d-e453-488c-ae63-8fb063924c27", "created": "2023-08-10T21:57:51.879Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:56.853Z", "description": "The user can review available call logs for irregularities, such as missing or unrecognized calls.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--370bf74f-7499-4d66-9626-a61926af8f84", "created": "2023-09-21T22:32:19.683Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:57.068Z", "description": "Application vetting services may detect when an application requests permissions after an application update.", "relationship_type": "detects", "source_ref": 
"x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10", "created": "2020-06-26T15:32:25.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:57.285Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can update the malicious payload module on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631", "created": "2020-11-24T17:55:12.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:57.491Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "HackerNews-OldBoot", "description": "Sudhir K Bansal. (2014, January 28). First widely distributed Android bootkit Malware infects more than 350,000 Devices. 
Retrieved December 21, 2016.", "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:57.712Z", "description": "[OldBoot](https://attack.mitre.org/software/S0285) uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.(Citation: HackerNews-OldBoot)", "relationship_type": "uses", "source_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc", "created": "2020-12-24T21:55:56.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:57.924Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured audio and can record phone calls.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--37d14338-b629-4b54-b734-446789b79f6f", "created": "2023-10-10T15:33:57.641Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:58.138Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) has used icons from popular applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517", "created": "2023-08-16T16:45:37.235Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:58.369Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can communicate over port 7242 using HTTP.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3832d2cf-0568-451d-aac9-6fb809fc423d", "created": "2024-02-20T21:45:45.021Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cyfirma Bahamut", "description": "Cyfirma. (2023, February 10). APT Bahamut Attacks Indian Intelligence Operative using Android Malware. 
Retrieved February 23, 2024.", "url": "https://www.cyfirma.com/outofband/apt-bahamut-attacks-indian-intelligence-operative-using-android-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:58.568Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has hidden multimedia files from the user.(Citation: Cyfirma Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--383e5b12-061e-45c6-911b-b37187dd9254", "created": "2021-02-08T16:36:20.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:58.813Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3841024e-1047-40fa-9e25-ac6d5c14612a", "created": "2023-02-28T21:41:22.768Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:59.011Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view device contacts.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3857f790-6ea1-4f37-8d90-90904f175d63", "created": "2023-01-18T21:37:55.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:59.227Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) has C2 commands that can uninstall the app from the infected device.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91", "created": "2020-10-29T19:21:23.187Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:59.426Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can hide its icon and create a shortcut based on the C2 server response.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--386b0a9f-9951-4717-8bce-30c8fbe05050", "created": "2020-06-26T15:32:24.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:59.665Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) uses standard payload and string obfuscation techniques.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b", "created": "2024-02-23T19:53:28.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:47:59.870Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--38962b26-7cbe-4761-8b4f-50a022167c4d", "created": "2019-09-03T20:08:00.708Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:00.073Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) checks for antivirus software contained in a predefined list.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951", "created": "2023-01-19T18:08:14.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:00.312Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) has encrypted C2 details, email addresses, and passwords.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4", "created": "2023-03-30T15:18:37.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:00.521Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can take screenshots and abuse the Android Screen Cast feature to capture screen data.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e", "created": "2020-12-14T14:52:03.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:00.719Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can send SMS messages.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d", "created": "2020-09-11T14:54:16.587Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:00.926Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can retrieve SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--393300c4-6852-466d-a163-1d51330fe055", "created": "2023-03-20T18:45:39.292Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:01.130Z", "description": "Mobile security products can potentially detect jailbroken devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a", "created": "2020-11-20T16:37:28.591Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:01.358Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has communicated with the C2 using MQTT and HTTP.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2", "created": "2023-03-20T19:00:26.780Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:01.559Z", "description": "Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0", "created": "2022-04-11T20:05:56.540Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:01.767Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", 
"target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a18f41d-876c-403a-80cc-47ef57ae630d", "created": "2023-09-25T19:53:56.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:01.976Z", "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a282967-0536-474d-8831-30cd60b818a9", "created": "2023-09-28T17:20:38.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:02.214Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can initiate phone calls.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010", "created": "2024-02-20T23:51:50.439Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:02.417Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41", "created": "2024-03-28T18:10:46.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:02.628Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obfuscate code and strings to evade detection.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a", "created": "2022-04-01T14:51:51.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:02.864Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3abc80ad-4ea0-4e91-a170-f040469c2083", "created": "2020-07-20T13:27:33.483Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:03.071Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can take photos and videos.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd", "created": "2022-04-01T15:02:43.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:03.283Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265", "created": "2021-04-19T14:29:46.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:03.481Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:03.690Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:03.895Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used HTTP uploads to a URL as a command and control mechanism.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3b24a287-36e1-49b9-811d-c0080147ff57", "created": "2023-03-20T18:41:47.754Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:04.098Z", "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895", "created": "2025-03-28T15:08:46.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). 
Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}, {"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:04.323Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors monitored the device\u2019s geolocation.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3be6ad82-722d-4699-8e3a-c1ea60018244", "created": "2023-03-16T13:32:55.140Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:04.537Z", "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": 
"relationship--3bf4b093-a1a3-48da-9236-bce9514765eb", "created": "2022-04-05T19:46:05.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Samsung Keyboards", "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20201112021547/https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:04.757Z", "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards)", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3bf5a566-986b-478c-b2da-e57caf261378", "created": "2019-09-03T19:45:48.515Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:04.965Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414", "created": "2019-10-18T14:50:57.521Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:05.169Z", "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. ", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:05.389Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers the device phone number and IMEI and transmits them to a command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7", "created": "2019-10-15T19:33:42.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:05.594Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can track the device's location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c43d125-6719-420e-bb69-878cc91c2474", "created": "2020-09-15T15:18:12.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:05.821Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can register for the `BOOT_COMPLETED` broadcast Intent.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637", "created": "2025-04-14T16:32:24.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. 
(2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:06.031Z", "description": "Using an XOR-chain algorithm, [LightSpy](https://attack.mitre.org/software/S1185) decrypts an embedded configuration blob containing URLs for jailbreak components and next-stage payloads. It also decrypts modules in memory and on disk using AES-ECB with the hardcoded key `3e2717e8b3873b29`.(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) Additionally, [LightSpy](https://attack.mitre.org/software/S1185)\u2019s plugins have been encrypted during transmission.(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3", "created": "2023-10-10T15:33:58.361Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Proofpoint-Droidjack", "description": "Proofpoint. (2016, July 7). DroidJack Uses Side-Load\u2026It's Super Effective! Backdoored Pokemon GO Android App Found. 
Retrieved January 20, 2017.", "url": "https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:06.270Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.(Citation: Proofpoint-Droidjack)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5", "created": "2023-08-16T16:40:34.787Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:06.482Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather device location data.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad", "created": "2020-04-24T15:06:33.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:06.714Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect the device\u2019s call log.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3c90dc4c-8156-49ae-8144-76526268a6c1", "created": "2023-08-04T18:32:08.706Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:06.927Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can request device administrator privileges. 
(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a", "created": "2019-07-16T14:33:12.175Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky Triada March 2016", "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:07.125Z", "description": "[Triada](https://attack.mitre.org/software/S0424) variants capture transaction data from SMS-based in-app purchases.(Citation: Kaspersky Triada March 2016) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00", "created": "2020-09-15T15:18:12.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:07.365Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect a list of installed applications.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:07.568Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to exploit well-known Android OS vulnerabilities to escalate privileges.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c", "created": "2024-04-18T15:36:58.833Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "MSTIC Octo Tempest Operations October 2023", "description": "Microsoft. (2023, October 25). Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction. 
Retrieved March 18, 2024.", "url": "https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:07.770Z", "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.(Citation: MSTIC Octo Tempest Operations October 2023)", "relationship_type": "uses", "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b", "created": "2021-01-05T20:16:20.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:07.974Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture audio from the device\u2019s microphone and can record phone calls.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3d65c2b7-c907-45e1-b942-95f7d765e749", "created": "2023-03-20T18:53:34.056Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:08.196Z", "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3db58541-3870-424d-ad74-f2b84ff87abb", "created": "2023-07-14T19:06:42.839Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:08.492Z", "description": "Unexpected behavior from an application could be an indicator of masquerading.", "relationship_type": "detects", 
"source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3dd0cd4d-bcde-4105-b98e-b32add191083", "created": "2020-01-27T17:05:58.331Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:08.712Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) exfiltrates data using HTTP POST requests.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3dff770d-9627-4647-b945-7f24a97b2273", "created": "2019-09-15T15:26:22.926Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:08.919Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", 
"relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de", "created": "2023-06-09T19:17:12.858Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:09.121Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can record environmental and call audio.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3e2474d3-f36d-4193-92f6-273296befdd3", "created": "2022-04-05T19:38:18.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:09.351Z", "description": "Users should protect their account credentials and enable multi-factor authentication options when available. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60", "created": "2020-11-24T17:55:12.828Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:09.550Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can access the device\u2019s contact list.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:09.760Z", "description": "(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c", "target_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364", "created": "2023-02-06T19:46:19.592Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:09.976Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has C2 commands to add an infected device to a DDoS pool.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56", "created": "2017-10-25T14:48:53.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": 
"2025-04-16T21:48:10.210Z", "description": "Android 9 introduced a new security policy that prevents applications from reading or writing data to other applications\u2019 internal storage directories, regardless of permissions. ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817", "created": "2019-09-20T18:03:57.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android 10 Execute", "description": "Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019.", "url": "https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:10.410Z", "description": "Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. 
(Citation: Android 10 Execute)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb", "created": "2024-03-26T16:14:04.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "blackberry_mobile_malware_apt_esp", "description": "BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. Retrieved March 1, 2024.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:10.620Z", "description": "[BITTER](https://attack.mitre.org/groups/G1002) has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.(Citation: blackberry_mobile_malware_apt_esp) ", "relationship_type": "uses", "source_ref": "intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5", "created": "2025-03-28T14:42:05.150Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:10.830Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has obtained a list of installed applications.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3efe7dcc-a572-45ac-aff2-2932206a0632", "created": "2019-08-07T15:57:13.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:11.040Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can access and upload the device's contact list to the command and control server.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365", "created": "2019-09-04T14:28:15.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:11.268Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13", "created": "2020-10-29T17:48:27.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:11.488Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has registered to receive the `BOOT_COMPLETED` broadcast intent.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f392718-87c4-483b-b89f-4f0cc056d251", "created": "2020-07-20T13:58:53.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:11.731Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device\u2019s UDID, version number, and product number.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f47f048-badd-4476-8534-d06e20c02ec6", "created": "2023-06-09T19:18:59.889Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:11.949Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can use HTTP and HTTP POST to communicate information to the C2.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd", "created": "2023-03-20T18:43:03.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:12.147Z", "description": "Application vetting services could look for use of the accessibility service or features that typically require root access.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f81a680-3151-4608-b83f-550756632013", "created": "2020-07-20T13:58:53.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:12.375Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device\u2019s IMEM, ICCID, and MEID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:12.575Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. 
It also has the ability to access arbitrary filenames and retrieve directory listings.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645", "created": "2021-02-08T16:36:20.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:12.775Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a", "created": "2020-06-26T14:55:13.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). 
EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:12.979Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can display popups over running applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb", "created": "2023-08-16T16:44:30.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:13.215Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can send stolen data over HTTP.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4009ff40-4616-4b1c-bff9-599e52ccab37", "created": "2020-01-27T17:05:58.263Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:13.438Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s contact list.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4088b31b-d542-4935-84b4-82b592159591", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:13.663Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect contacts and messages from popular applications, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4", "created": "2022-04-05T19:38:41.538Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:13.858Z", "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device\u2019s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--40f30137-4db9-4596-b4c7-a12f1497fd92", "created": "2020-11-10T17:08:35.831Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:14.058Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151", "created": "2023-12-18T18:50:27.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:14.262Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can request the user unlock the device, or remotely unlock the device.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--418168ad-fee9-42c8-ac27-11f7472a5f86", "created": "2019-09-03T19:45:48.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:14.475Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One checks in with the command and control server using HTTP POST requests.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27", "created": "2025-03-28T14:40:13.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:14.694Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has monitored the device\u2019s geolocation, which includes coordinates, altitude, bearing and speed.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--41da5845-a1a8-4d10-8929-053be3496396", "created": "2022-04-20T17:46:43.542Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}, {"source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:14.903Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP data exfiltration.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4", "created": "2022-04-06T15:28:20.249Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:15.122Z", "description": "Users should be instructed to not grant applications unexpected or unnecessary permissions. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--42342d72-a37c-477e-b8f1-1768273fcb7f", "created": "2019-10-18T15:51:48.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:15.321Z", "description": "Users should be advised not to grant consent for screen captures to occur unless expected. 
Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7", "created": "2023-08-16T16:33:12.493Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:15.528Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as other applications, such as a cryptocurrency app called \u2018CoinSpot\u2019, and IKO bank in Poland. 
It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000", "created": "2022-03-30T15:13:42.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:15.746Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e", "created": "2020-06-26T15:32:24.921Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:15.945Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9", "created": "2023-12-18T18:10:38.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:16.164Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can perform a factory reset.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09", "created": "2021-02-08T16:36:20.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:16.410Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has exfiltrated local account data and calendar information as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:16.647Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) can install adware to generate revenue.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396", "created": "2020-12-14T15:02:35.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:16.858Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has stored encrypted strings in the APK file.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b", "created": "2020-07-20T13:27:33.549Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. 
(2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:17.058Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674", "created": "2023-01-18T19:56:01.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:17.268Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept SMS messages.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:17.492Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather cellular IDs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50", "created": "2020-06-26T15:32:25.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:17.720Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain the device\u2019s contact list.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a", "created": "2023-03-20T18:53:35.012Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:17.932Z", "description": "On Android, the user is presented with a permissions popup when an application requests access to external device storage.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38", "created": "2020-05-11T16:37:36.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:18.142Z", "description": " [Ginp](https://attack.mitre.org/software/S0423) can inject input to make itself the default SMS handler.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--43af5696-ac4d-4618-9da9-0784b8f7e433", "created": "2023-12-18T19:07:55.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:18.376Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can collect the device\u2019s contact list.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358", "created": "2020-11-10T17:08:35.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:18.591Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has looked for specific applications, such as MiCode.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--442dd700-2d7d-4cad-8282-9027e4f69133", "created": "2022-03-30T20:31:41.927Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:18.816Z", "description": "New OS releases frequently contain additional limitations or controls around device location access.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--44304163-9a44-4760-bd04-0e14adb33299", "created": "2022-04-01T15:13:40.779Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. 
Retrieved September 11, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:19.024Z", "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4449ac76-8329-4483-b152-99b990006cbc", "created": "2019-09-04T15:38:56.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:19.270Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect a list of known Wi-Fi access points.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:19.473Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to send messages to premium SMS messages.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2", "created": "2023-03-20T18:53:15.929Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:19.690Z", "description": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--44b63426-1ea7-456e-907b-0856e3eab0c3", "created": "2020-12-31T18:25:05.142Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:19.892Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has collected the device\u2019s location.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--44da429b-9dee-43c9-9397-445c6f9e647e", "created": "2022-03-30T19:54:59.651Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:20.091Z", "description": "Android includes system partition integrity mechanisms that could detect unauthorized modifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:20.333Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--45253350-c802-4566-a72d-57d43d05fd63", "created": "2020-05-07T15:24:49.530Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:20.548Z", "description": "Security updates frequently contain patches to vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--45383213-4323-4f77-9f9f-360d6d43c128", "created": "2024-04-02T19:13:21.430Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:20.765Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can retrieve a device\u2019s contact list.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9", "created": "2022-04-06T13:57:38.847Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:20.968Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--455b1287-5784-42b4-91fb-01dac007758d", "created": "2020-09-29T13:24:15.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:21.219Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can open a dialog box to ask the user for passwords.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4586277d-bebd-4717-87c6-a31a9be741ed", "created": "2020-12-24T21:45:56.982Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:21.432Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can get file lists on the SD card.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb", "created": "2020-12-14T14:52:03.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:21.651Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has used malicious overlays to collect banking credentials.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1", "created": "2022-04-05T19:48:31.354Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:21.875Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e", "created": "2020-01-27T17:05:58.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:22.077Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873", "created": "2025-03-28T14:39:33.150Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:22.303Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has collected a list of running processes.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4761145d-34ac-4b45-a0d6-a09b1907a196", "created": "2020-12-18T20:14:47.367Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:22.509Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af", "created": "2020-12-14T14:52:03.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:22.710Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device\u2019s contact list.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--477edf7d-cc1f-49b7-9d96-f88399808775", "created": "2022-04-05T20:15:43.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:22.920Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4819f391-01de-4525-992b-7e4a4f6667de", "created": "2020-11-20T15:46:51.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:23.116Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can take pictures with the camera.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--481e5d33-eca4-453c-9fec-27ee01d50989", "created": "2023-02-28T21:45:41.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:23.329Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view files and media.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--48486680-530c-4ed9-aca3-94969aa262b6", "created": "2019-07-10T15:35:43.665Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:23.533Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--48552acc-5f1a-422f-90fa-37108446f36d", "created": "2022-03-30T19:14:20.374Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:23.777Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--48854999-1c12-4454-bb7c-051691a081f9", "created": "2022-03-28T19:25:49.640Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:23.994Z", "description": "Ensure Verified Boot is enabled on devices with that capability.", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4896e256-fb04-403c-bbb7-2323b158a6e0", "created": "2022-03-30T19:52:05.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:24.227Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4897ef75-0035-4ae5-b325-de2f6b27565f", "created": "2023-09-21T22:31:28.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:24.429Z", "description": "Application vetting services may look for indications that the application\u2019s update includes malicious code at runtime. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74", "created": "2021-01-05T20:16:20.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:24.770Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has contained an alarm that triggers every three minutes and timers for communicating with the C2.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee", "created": "2023-09-28T17:19:00.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:24.984Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can request the `DISABLE_KEYGUARD` permission to disable the device lock screen password.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4920a041-86f7-495b-896c-4d964950ed7e", "created": "2020-12-17T20:15:22.454Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:25.212Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has contained native libraries.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--492d5699-f885-411a-8431-254fcf33fb12", "created": "2019-08-09T16:14:58.367Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android Capture Sensor 2019", "description": "Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019.", "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:25.422Z", "description": "Android 9 and above restricts access to the mic, camera, and other device sensors from applications running in the background. 
iOS 14 and Android 12 introduced a visual indicator on the status bar (green dot) when an application is accessing the device\u2019s camera.(Citation: Android Capture Sensor 2019)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4943cca6-69b1-4565-ac09-87ebda04584c", "created": "2022-04-01T18:52:02.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:25.625Z", "description": "Users should be taught the dangers of rooting or jailbreaking their device.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--494ece43-ebba-4519-86be-cd5c4d4dd337", "created": "2025-04-14T19:24:14.837Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:25.838Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) collects and compresses data to be exfiltrated using SSZipArchive.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--496976ef-4a0c-4782-95e7-231bd44df162", "created": "2020-12-14T15:02:35.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:26.046Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device information, including device model and OS version.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--49c0c003-433c-467f-93b7-ca585aab8232", "created": "2023-08-16T16:46:17.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:26.280Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can register as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4a408dee-07da-4855-b2ff-be512480ccb5", "created": "2023-01-19T18:08:41.596Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:26.483Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can gather device UDIDs.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57", "created": "2023-03-20T18:43:49.345Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html"}, {"source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:26.704Z", "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. 
(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5", "created": "2023-03-03T16:26:20.400Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:26.923Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about running processes.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e", "created": "2020-04-24T15:06:33.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:27.134Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application\u2019s notification content.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952", "created": "2020-04-24T17:46:31.564Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:27.369Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can intercept SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4a936488-526c-40c1-b2d5-490052cb0e73", "created": "2020-12-31T18:25:05.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:27.569Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can run bash commands.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d", "created": "2023-02-28T21:43:12.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:27.776Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can make and block phone calls.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d", "created": "2023-03-16T18:28:40.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:27.979Z", "description": "Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257", "created": "2020-10-29T17:48:27.469Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:28.177Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can forward SMS messages.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3", "created": "2020-09-15T15:18:12.462Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:28.396Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can hide its icon if it detects that it is being run on an emulator.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4aec0738-2c76-4dc7-af8a-87785e658193", "created": "2021-10-01T14:42:49.152Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:28.591Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can run shell commands.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4af26643-880f-4c34-a4a8-23e89b950c9d", "created": "2019-09-04T15:38:56.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:28.807Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect the device calendars.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a", "created": "2020-12-24T21:55:56.726Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. 
Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:29.016Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has downloaded additional code to root devices, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1", "created": "2021-10-01T14:42:49.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:29.262Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b68bcb1-a512-40f7-9aee-235b3668f022", "created": "2020-01-27T17:05:58.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:29.466Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain clipboard contents.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b7e117b-0c82-49d0-bee6-119158b3355b", "created": "2023-02-28T20:32:37.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}, {"source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. 
Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:29.693Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can disable Google Play Protect to prevent detection.(Citation: proofpoint_flubot_0421)(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b838636-bfa4-4592-b72f-3044946b8187", "created": "2020-09-14T14:13:45.236Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:29.889Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate the device\u2019s contact list.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61", "created": "2020-04-24T15:06:33.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:30.097Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can track the device\u2019s location.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1", "created": "2021-02-08T16:36:20.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:30.323Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included video recording in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4c035760-9bf2-40cd-87d1-f286afd76376", "created": "2023-07-21T19:41:45.173Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:30.532Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect clipboard data.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11", "created": "2022-09-29T20:08:54.389Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:30.752Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd", "created": "2019-09-03T19:45:48.503Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:30.950Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can download the address book.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4cb926c1-c242-45c2-be46-07c22435a8a5", "created": "2022-09-30T19:23:02.689Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:31.145Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c", "created": "2019-09-03T20:08:00.687Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:31.364Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) can intercept two-factor authentication codes transmitted via SMS.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1", "created": "2023-03-20T15:16:19.428Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:31.575Z", "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3", "created": "2023-02-06T19:43:43.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:31.778Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can uninstall itself.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa", "created": "2020-11-24T17:55:12.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:32.000Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has the capability to remotely load plugins and download and compile new .NET code.(Citation: Talos GPlayed) ", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d537065-9a82-42d5-923d-45194453cc25", "created": "2025-02-12T15:20:54.813Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:32.214Z", "description": "Enterprises should monitor for SIM card changes on the Enterprise Mobility Management (EMM) or the Mobile Device Management (MDM). ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d542595-1eb0-45aa-9702-9d494142b390", "created": "2019-08-09T18:08:07.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:32.411Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record video or capture photos when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b", "created": "2021-01-05T20:16:20.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:32.617Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has registered for device boot, incoming, and outgoing calls broadcast intents.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:32.825Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uses HTTP for command and control.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99", "created": "2023-09-21T22:19:04.080Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:33.023Z", "description": "Enterprises can provision policies to mobile devices for application allow-listing, ensuring only approved applications are installed onto mobile devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c", "created": "2023-12-18T18:10:16.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}, {"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}, {"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:33.228Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can log device keystrokes.(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36", "created": "2020-05-07T15:33:32.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:33.439Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) shows fraudulent ads to generate revenue.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4df6a22e-489f-400c-b953-cc53bfb708a3", "created": "2020-09-14T14:13:45.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:33.663Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s iOS version can collect device information.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4e68feca-083f-40ed-88d8-2b6a3935c949", "created": "2023-01-18T19:12:11.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:33.862Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use the Android `CallScreeningService` to silently block incoming calls.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7", "created": "2020-07-20T13:27:33.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:34.064Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819", "created": "2019-08-07T15:57:13.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:34.265Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can retrieve a list of installed applications. 
Installed application names are then checked against an adversary-defined list of targeted applications.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446", "created": "2020-12-14T14:52:03.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:34.465Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect SMS messages.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309", "created": "2024-03-28T18:28:13.667Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:34.667Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect call logs.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4ee57616-7205-490c-86c3-c27dcffd8689", "created": "2022-04-06T13:35:43.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:34.929Z", "description": "Recent OS versions have limited access to certain APIs unless certain conditions are met, making [Data Manipulation](https://attack.mitre.org/techniques/T1641) more difficult", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4efa4953-7854-4144-8837-d7831ccbe35d", "created": "2020-04-24T17:46:31.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). 
TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:35.127Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect a list of installed applications.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:35.364Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) uses SMS for command and control.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:35.572Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses call logs.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54", "created": "2021-10-01T14:42:48.744Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:35.767Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record audio.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4f812a57-efdc-463b-bf37-baa4bca7502b", "created": "2020-05-04T14:22:20.348Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). 
TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:35.969Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can uninstall itself from a device on command by abusing the accessibility service.(Citation: SecurityIntelligence TrickMo) ", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4fc165fd-185e-4c70-b423-c242cf715510", "created": "2019-10-07T16:32:27.127Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:36.171Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) checks if it is running in an analysis environment.(Citation: securelist rotexy 2018) ", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760", "created": "2022-03-30T14:41:20.735Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android Changes to System Broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. 
Retrieved January 27, 2020.", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:36.370Z", "description": "Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3", "created": "2023-02-28T21:44:45.063Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:36.569Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can use overlays to cover legitimate applications or screens.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:36.769Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can view contacts.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c", "created": "2025-03-27T22:38:07.896Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. 
Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:36.973Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) has collected credentials, banking details and other information from the victim device.(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b", "created": "2023-07-21T19:51:08.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:37.222Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access a device\u2019s location.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966", "created": "2023-08-04T18:31:30.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:37.499Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can access images stored on external storage.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--506d657b-1634-442e-8179-7187f82feb3a", "created": "2020-12-24T21:55:56.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:37.715Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24", "created": "2020-01-27T17:05:58.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:37.917Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can track the device\u2019s location.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794", "created": "2020-04-08T15:41:19.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:38.121Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect the device\u2019s ID.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--50bab448-fee6-49e9-a296-498fe06eacc7", "created": "2019-11-21T16:42:48.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:38.317Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can obtain a list of installed applications.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--50c81a85-8c70-48df-a338-8622d2debc74", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:38.523Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather call logs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97", "created": "2023-09-28T17:20:00.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:38.729Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can request coarse and fine location permissions to track the device.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4", "created": "2024-03-28T18:32:05.099Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:38.945Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive files from the C2 and execute them via the parent application.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--50f03c00-5488-49fe-a527-a8776e526523", "created": "2020-11-24T17:55:12.820Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:39.146Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect a list of installed applications.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5107be8a-b5fc-4442-af0d-2c92e086a912", "created": "2020-05-11T16:13:43.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:39.375Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) checks if a targeted application is running in user-space prior to infection.(Citation: CheckPoint Agent Smith) ", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51457698-e98b-435a-88c2-75a82cdc2bda", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:39.579Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads call logs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab", "created": "2022-04-11T20:06:38.811Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:39.792Z", "description": "Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51757971-17ac-40c3-bae7-78365579db49", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). 
Cybercriminals Improve Android Malware Stealth Routines with OBAD. Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:39.996Z", "description": "[OBAD](https://attack.mitre.org/software/S0286) abuses device administrator access to make it more difficult for users to remove the application.(Citation: TrendMicro-Obad)", "relationship_type": "uses", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51b0a4fb-a308-4694-9437-95702a50ebd5", "created": "2020-09-11T16:22:03.231Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:40.234Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can take photos with the device camera.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51bd38a1-465b-49c0-9218-5984f391a51c", "created": "2023-12-18T19:03:44.550Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:40.452Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can register with the `BOOT_COMPLETED` broadcast to start when the device turns on.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1", "created": "2019-09-04T15:38:57.037Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:40.669Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record keystrokes and analyze them for keywords.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999", "created": "2020-11-24T17:55:12.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:40.876Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can register for the `BOOT_COMPLETED` broadcast intent.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3", "created": "2019-10-18T15:51:48.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:41.079Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--520668a0-2523-4515-8ed9-f8059023632f", "created": "2024-02-20T23:59:59.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:41.315Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if WiFi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--520c7112-9768-42c5-8917-1950efd182f9", "created": "2023-02-06T19:38:45.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:41.520Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use keylogging to capture user input.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--526099a3-132d-430f-9559-fc067e39b227", "created": "2025-03-24T20:28:37.281Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:41.783Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected a list of running processes.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48", "created": "2023-03-16T18:37:55.715Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:41.977Z", "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa", "created": "2022-04-01T16:52:36.974Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:42.208Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--529107fd-6420-4573-8dbf-cdcd49c2708c", "created": "2020-06-26T14:55:13.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:42.411Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25", "created": "2020-09-11T15:55:43.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:42.614Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) deletes incoming SMS messages from specified numbers, including those that contain particular strings.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b", "created": "2020-12-18T20:14:47.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat 
Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:42.818Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has utilized foreground services.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120", "created": "2019-07-10T15:47:19.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:43.024Z", "description": "(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a", "created": "2023-10-10T15:33:59.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:43.252Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has impersonated several apps, including official Google apps, chat apps, VPN apps, and popular games.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5340f466-abf0-4bb9-a7e9-44694014561d", "created": "2025-03-24T20:09:44.817Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:43.461Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s call log.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--535d2425-21aa-4fe5-ae6d-5b677f459020", "created": "2022-03-28T19:41:37.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:43.673Z", "description": "Security updates may contain patches for devices that were compromised at the supply chain level.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d", "created": "2023-03-20T18:38:36.873Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:43.889Z", "description": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--54151897-cc7e-4f92-af50-bed41ea78d92", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-MobileMalware", "description": "Roman Unuchek and Victor Chebyshev. (2014, February 24). Mobile Malware Evolution: 2013. 
Retrieved December 22, 2016.", "url": "https://securelist.com/mobile-malware-evolution-2013/58335/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:44.095Z", "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5417959b-9478-49fb-b779-3c82a10ad080", "created": "2020-12-17T20:15:22.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:44.326Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47", "created": "2022-04-01T17:08:41.293Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:44.526Z", "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device\u2019s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2", "created": "2019-09-04T14:28:15.482Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). 
Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:44.748Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can reset the user's password/PIN.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81", "created": "2022-04-05T20:03:46.789Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:44.949Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515", "created": "2023-06-09T19:10:48.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:45.146Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and if the screen is locked.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec", "created": "2022-04-01T15:54:48.924Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:45.369Z", "description": "Applications very rarely require administrator permission. Developers should be cautioned against using this higher degree of access to avoid being flagged as a potentially malicious application. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--54da16fe-c3af-4283-8e73-434beca633d4", "created": "2025-03-28T15:05:00.278Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:45.574Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors use the heartbeat beacons from the implant to obtain device information, such as the IMEI, MEID, and the serial number.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--54dac52d-5279-407f-b7b4-5484ae90b98c", "created": "2021-02-17T20:43:52.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:45.814Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has downloaded and installed additional applications.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--554ec347-c8b2-43da-876b-36608dcc543d", "created": "2017-10-25T14:48:53.746Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TelephonyManager", "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:46.010Z", "description": "Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089", "created": "2022-03-28T19:41:27.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], 
"modified": "2025-04-16T21:48:46.225Z", "description": "Application developers should be cautious when selecting third-party libraries to integrate into their application.", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15", "created": "2020-04-24T15:06:33.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:46.434Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect voice notes, device accounts, and gallery images.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4", "created": "2021-01-05T20:16:20.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:46.649Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can execute commands .(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--55f1c604-f3e1-4eef-8313-d136425be83d", "created": "2025-01-10T16:25:28.944Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. 
Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:46.852Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has obfuscated code and anti-virtualization techniques to hinder analysis.(Citation: SentinelLabs AridViper 2023)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5619e263-d48c-47a5-ab68-8677fe080a15", "created": "2022-03-30T14:42:27.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:47.054Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--56551987-326a-46ad-a34a-59bb7ab793a9", "created": "2020-12-14T14:52:03.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:47.259Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can request device administrator permissions.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--56758bb5-230e-43ac-9851-167c296c3dfa", "created": "2023-03-20T18:38:27.730Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:47.474Z", "description": "During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--56816b86-3c80-429b-8360-7b4e77538c97", "created": "2025-03-24T18:00:24.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). 
The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:47.670Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected payment history from WeChat Pay.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba", "created": "2023-12-18T19:08:12.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:47.869Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can track the device\u2019s location.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--56a255a5-9fa2-45bb-8848-fd0a68514467", "created": "2022-04-11T20:06:56.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:48.065Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282", "created": "2023-07-21T19:36:35.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:48.265Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card information, and Wi-Fi information.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5706742b-733d-44e9-a032-62b81ba05bcf", "created": "2020-06-02T14:32:31.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:48.465Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve SMS messages and iMessages.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--57293fc9-8838-4acd-a16f-48f516d0921e", "created": "2020-04-08T15:51:25.122Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:48.694Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) hides its icon after installation.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5738479d-47fb-4d6f-9f04-5ce988327694", "created": "2023-12-18T19:07:31.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:48.913Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can collect the device\u2019s call log.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5749763a-0aef-460a-b081-849adba8d58f", "created": "2023-12-18T18:18:44.171Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:49.117Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has injected string contents into the device clipboard.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7", "created": "2023-03-20T18:57:42.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:49.332Z", "description": "Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--57881f4b-8463-430c-912a-0e3c961e7784", "created": "2023-07-21T19:52:30.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:49.536Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can copy and exfiltrate a device\u2019s contact list.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--57a069a0-399f-43ab-9efc-50432a41b26b", "created": "2020-12-24T21:55:56.743Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:49.761Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has deleted or renamed specific files.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--57a5ae72-6932-45e6-83f2-609943902b35", "created": "2023-03-20T18:50:33.248Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:49.967Z", "description": "In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791", "created": "2022-03-30T19:33:17.520Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:50.219Z", "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78", "created": "2023-02-28T20:37:59.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:50.409Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can obfuscated class, string, and method names in newer malware versions.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--583720d0-8b15-4662-822e-bb40bc1df940", "created": "2023-12-18T18:09:02.735Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:50.614Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can retrieve Android system and hardware information.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72", "created": "2020-11-24T17:55:12.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:50.825Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device\u2019s IMEI, phone number, and country.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56", "created": "2020-06-26T15:32:25.045Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:51.030Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--58c857f8-4f40-48e0-b3ac-41944d82b576", "created": "2020-12-24T22:04:27.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:51.268Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of contacts.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--592331d2-60a7-4264-b844-fbeb89b6386c", "created": "2023-03-20T18:58:56.942Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:51.460Z", "description": "The user can view the default SMS handler in system settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2", "created": "2023-12-18T19:06:59.289Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:51.666Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can use an encryption key received from its C2 to encrypt and decrypt configuration files and exfiltrated data.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1", "created": "2025-04-15T18:05:36.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:51.863Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has exfiltrated collected data to the C2.(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5977289e-d38f-4974-912b-2151fc00c850", "created": "2020-11-20T16:37:28.524Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:52.068Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device\u2019s phone number and IMSI.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9", "created": "2022-04-05T19:52:32.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:52.319Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc", "created": "2023-03-20T18:14:50.401Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:52.520Z", "description": "Mobile security products can use attestation to detect compromised devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": 
"attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f", "created": "2025-03-28T14:57:39.909Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:52.727Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors deleted the initial exploitation message and exploit attachment.(Citation: SecureList OpTriangulation 01Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--59d463d3-3a41-4269-be9a-7a69f44eca78", "created": "2020-10-29T19:21:23.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:52.929Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has communicated with the C2 server using HTTP.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef", "created": "2022-04-05T20:14:17.442Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:53.152Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d", "created": "2019-07-10T15:35:43.658Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:53.358Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) gathers and exfiltrates data about nearby Wi-Fi access points.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1", "created": "2020-10-29T17:48:27.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:53.561Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a277966-4559-487e-bdfb-7be6366ccdb6", "created": "2019-09-03T19:45:48.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:53.773Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take pictures with the device cameras.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3", "created": "2020-06-26T14:55:13.351Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:53.975Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect a list of installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae", "created": "2020-12-24T22:04:27.902Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:54.213Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has used HTTP POST requests for C2.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb", "created": "2025-01-10T16:17:20.835Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. 
Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:54.420Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can access the device's location.(Citation: SentinelLabs AridViper 2023)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f", "created": "2023-03-20T15:56:34.418Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:54.649Z", "description": "Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. This indicates it can prompt the user for device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:54.849Z", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can send messages to premium-rate numbers.(Citation: Tripwire-MazarBOT)", "relationship_type": "uses", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:55.051Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uses commands received from text messages for C2.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb", "created": "2025-03-24T14:53:31.951Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:55.263Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214)\u2019s payload has obtained the C2 address via Twitter accounts.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0", "created": "2019-09-15T15:32:17.563Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:55.466Z", "description": "Application developers could be encouraged to avoid placing sensitive data in notification text.", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5aa167b8-4166-440b-b49f-bf1bab597237", "created": "2019-11-21T16:42:48.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:55.666Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect the device\u2019s call log.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b04c8d0-c026-4838-9383-e4146de36d4d", "created": "2023-03-16T18:33:19.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:55.869Z", "description": "Application vetting services could detect usage of standard clipboard APIs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b235ed4-548d-49f2-ae01-1874666e6747", "created": "2022-03-30T19:51:56.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:56.071Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02", "created": "2020-12-17T20:15:22.452Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:56.321Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27", "created": "2024-03-26T19:38:28.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"}, {"source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). 
Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:56.523Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can download more malware to the victim device.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: SentinelLabs AridViper 2023)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b5586b9-75ee-476f-b3eb-49878254302c", "created": "2019-07-16T14:33:12.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:56.733Z", "description": "[Triada](https://attack.mitre.org/software/S0424) is able to modify code within the com.android.systemui application to gain access to `GET_REAL_TASKS` permissions. 
This permission enables access to information about applications currently on the foreground and other recently used apps.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b670281-0054-42b4-8e54-ea01a692f5bf", "created": "2021-10-01T14:42:48.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:56.952Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can open a hidden menu when a specific phone number is called from the infected device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0", "created": "2024-03-26T19:06:59.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}, {"source_name": "sentinelone_israel_hamas_war", "description": "Hegel, T., Milenkoski, A. (2023, October 24). The Israel-Hamas War | Cyber Domain State-Sponsored Activity of Interest. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20240208234008/www.sentinelone.com/labs/the-israel-hamas-war-cyber-domain-state-sponsored-activity-of-interest/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:57.156Z", "description": "(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f", "created": "2020-04-08T15:41:19.427Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:57.384Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can send, receive, and delete SMS messages.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9", "created": "2023-08-23T22:50:55.591Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:57.599Z", "description": "Application vetting services may detect API calls to `performGlobalAction(int)`. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c", "created": "2021-02-17T20:43:52.324Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:57.822Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf", "created": "2023-03-20T15:46:49.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:58.017Z", "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a", "created": "2020-07-27T14:14:56.996Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:58.260Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can inject code into the Setup Wizard at runtime to extract CAPTCHA images. [Zen](https://attack.mitre.org/software/S0494) can inject code into the `libc` of running processes to infect them with the malware.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0", "created": "2020-12-24T22:04:27.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:58.459Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has tracked location.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b", "created": "2025-04-10T19:58:19.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. 
Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:58.676Z", "description": "(Citation: MelikovBlackBerry LightSpy 2024)", "relationship_type": "uses", "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", "target_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5ced57a7-b674-40d4-98b8-a090963a6ade", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:58.890Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f", "created": "2023-03-20T18:43:14.051Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:59.093Z", "description": "The user can see a list of applications that can use accessibility services in the device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da", "created": "2021-09-24T14:52:41.308Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:59.321Z", "description": " [Monokle](https://attack.mitre.org/software/S0407) can hook itself to appear invisible to the Process Manager.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5d37400f-80f9-4500-9357-185650e5a7b2", "created": "2023-02-06T18:54:13.573Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:59.525Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use HTTP to communicate with the C2 server.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c", "created": "2023-01-18T21:38:58.113Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:59.762Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d", "created": "2023-02-06T18:52:40.543Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:48:59.979Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can intercept SMS messages containing two factor authentication codes.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2", "created": "2022-03-30T19:12:31.481Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:00.213Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5e360913-4986-4423-8d3c-46d3202b7787", "created": "2019-09-04T14:28:15.471Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:00.409Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the salt used when storing the user\u2019s password, aiding an adversary in computing the user\u2019s plaintext password/PIN from the stored password hash. [Monokle](https://attack.mitre.org/software/S0407) can also capture the user\u2019s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e", "created": "2024-03-29T15:05:17.290Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:00.609Z", "description": "Users should be advised to not trust or install self-signed certificates.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d", "created": "2019-09-23T13:36:08.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": 
"securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:00.826Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) procedurally generates subdomains for command and control communication.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5e95ca90-bf75-4031-a28f-f8565c02185c", "created": "2020-11-24T17:55:12.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:01.026Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can lock the user out of the device by showing a persistent overlay.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2", "created": "2023-03-20T18:59:57.364Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:01.259Z", "description": "The user can examine the list of all installed applications in the device settings. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5", "created": "2023-12-18T18:12:37.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}, {"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:01.459Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has employed code obfuscation and encryption of configuration files.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1", "created": "2023-03-15T16:24:12.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:01.672Z", "description": "Application vetting services can detect when an application requests administrator permission.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24", "created": "2023-03-15T16:40:37.553Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:01.873Z", "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--60439118-3ceb-490b-9df5-e35e7fca9009", "created": "2024-03-28T18:26:14.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:02.072Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive the following broadcast events to establish persistence: `BOOT_COMPLETED`, `BATTERY_LOW`,`USER_PRESENT`, `SCREEN_ON`, `SCREEN_OFF`, or `CONNECTIVITY_CHANGE`.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--605d95a1-0493-418e-9d81-de58531c4421", "created": "2020-04-24T15:12:11.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:02.283Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--606b07b9-b5a4-464f-8381-062e2134d0ab", "created": "2023-12-18T18:14:22.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}, {"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:02.491Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can remove installed antivirus applications as well as disable Google Play Protect.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--60782df8-1e96-48eb-a6b7-843c94b32b59", "created": "2023-02-06T19:43:17.802Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:02.710Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can hide its application icon.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:02.920Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--609ec9f8-f702-444b-b837-72a0880d429b", "created": "2023-09-22T19:17:01.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:03.127Z", "description": "The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--60ad088f-3133-4b0c-a441-e1e06fff1765", "created": "2023-02-06T19:37:56.416Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. 
(2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:03.367Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather data about the device.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--60da837d-a635-4533-b96a-db2689cc4771", "created": "2024-04-02T19:39:49.029Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:03.578Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can send SMS messages.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb", "created": "2020-01-27T17:05:58.308Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:03.803Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encodes its configurations using a customized algorithm.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113", "created": "2020-06-26T15:32:25.032Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:04.024Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can generate fake notifications and launch overlay attacks against attacker-specified applications.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3", "created": "2019-07-10T15:35:43.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:04.258Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) has the ability to delete attacker-specified files from compromised devices.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71", "created": "2019-07-10T15:42:09.606Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:04.468Z", "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) controls implants using standard HTTP communication.(Citation: Lookout Dark Caracal Jan 2018) ", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--61550ef4-41f0-4354-af5c-f47db8aca654", "created": "2020-06-02T14:32:31.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:04.696Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c", "created": "2020-01-21T15:29:27.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:04.893Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can download attacker-specified files.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95", "created": "2025-03-28T15:06:20.821Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:05.096Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of processes.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544", "created": "2022-04-05T19:40:25.071Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:05.321Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc", "created": "2023-02-06T19:41:40.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:05.526Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can silently intercept and manipulate notifications. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also inject cookies via push notifications.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213", "created": "2023-03-20T15:32:36.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:05.752Z", "description": "Application vetting services can detect malicious code in applications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d", "created": "2022-03-30T20:13:40.625Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:05.962Z", "description": "Users should be shown what a synthetic activity looks like so they can scrutinize them 
in the future.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f", "created": "2020-12-14T15:02:35.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:06.166Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has implemented functions in native code.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6", "created": "2022-03-30T13:48:43.977Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:06.375Z", "description": "Mobile security products can typically detect jailbroken or rooted devices. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6315b6ec-35f8-4b28-8603-664664311a33", "created": "2023-08-16T16:44:53.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:06.578Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can read the name of application packages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--634071ce-d386-4143-8e6e-b88bc077de6d", "created": "2020-07-27T14:14:56.961Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:06.813Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can dynamically load executable code from remote sources.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:07.013Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--63e67cba-4eae-4495-8897-2610103a0c41", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Pegasus", 
"description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:07.226Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) exploits iOS vulnerabilities to escalate privileges.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--642a2599-a50c-480c-8e07-2a3a217f4a46", "created": "2023-07-21T19:52:13.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:07.434Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can turn on a device\u2019s microphone to capture audio.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--64489abc-5c2f-4620-833d-9ac010040955", "created": "2023-08-14T16:19:54.684Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "unit42_strat_aged_domain_det", "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/"}, {"source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. 
Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:07.649Z", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda", "created": "2023-02-06T19:02:00.135Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:07.852Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself microphone permissions.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65", "created": "2021-04-19T17:05:42.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:08.065Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has collected files from the infected device.(Citation: Lookout Uyghur Campaign)\t", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff", "created": "2019-09-04T14:28:16.478Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:08.277Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. 
[Monokle](https://attack.mitre.org/software/S0407) can also abuse accessibility features to read the screen to capture data from a large number of popular applications.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e", "created": "2020-07-15T20:20:59.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:08.491Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has communicated with the C2 server over TCP port 7777.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4", "created": "2020-04-08T15:51:25.157Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). 
Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:08.711Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can capture device screenshots and stream them back to the C2.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28", "created": "2023-10-10T15:33:58.533Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:08.913Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has masqueraded as popular South Korean applications.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6588914f-d270-47d3-b889-046564ad616f", "created": "2023-08-16T16:35:21.853Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:09.125Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather SMS messages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61", "created": "2020-01-27T17:05:58.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:09.377Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. [GolfSpy](https://attack.mitre.org/software/S0421) can list image, audio, video, and other files stored on the device. 
[GolfSpy](https://attack.mitre.org/software/S0421) can copy arbitrary files from the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--65acbbe2-48e1-4fba-a781-39fb040a711d", "created": "2019-09-03T19:45:48.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:09.582Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) One, after checking in, sends a POST request and then downloads [Exodus](https://attack.mitre.org/software/S0405) Two, the second stage binaries.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a", "created": "2023-08-16T16:34:14.088Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). 
Banking Trojan targeting mobile users in Australia and Poland. Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:09.807Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can perform overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed", "created": "2023-09-21T22:20:53.256Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "app_hibernation", "description": "Android Developers. (2023, August 28). App hibernation. 
Retrieved September 21, 2023.", "url": "https://developer.android.com/topic/performance/app-hibernation"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:10.017Z", "description": "Android 11 and above implement application hibernation, which can hibernate an application that has not been used for a few months and can reset the application\u2019s permission requests.(Citation: app_hibernation)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574", "created": "2023-10-10T15:33:58.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Forbes Cerberus", "description": "Z. Doffman. (2019, August 16). Warning As Devious New Android Malware Hides In Fake Adobe Flash Player Installations (Updated). 
Retrieved June 26, 2020.", "url": "https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/#1563fef26d9c"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:10.271Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) has pretended to be an Adobe Flash Player installer.(Citation: Forbes Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66132260-65d1-4bf5-8200-abdb2014be6f", "created": "2020-09-15T15:18:12.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:10.474Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can detect if it is running in an emulator and adjust its behavior accordingly.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519", "created": "2022-04-05T17:03:53.457Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:10.690Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66ba3094-7c14-41b9-b7c1-814d026156b9", "created": "2020-09-11T15:58:40.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:10.890Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete and send SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42", "created": "2020-11-10T17:08:35.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:11.097Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has seen native libraries used in some reported samples (Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--66fb8a34-9d48-4599-a56e-19b057380030", "created": "2023-03-20T18:46:08.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:11.315Z", "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6701f90c-6fce-4f7b-a785-a585601d366a", "created": "2025-03-24T14:58:02.964Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:11.542Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has exfiltrated SMS and MMS messages.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--670a0995-a789-4674-9e91-c74316cdef90", "created": "2020-09-11T14:54:16.621Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:11.764Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record audio from phone calls and the device microphone.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--67aa692c-24e4-483e-996e-02ce1e861ec8", "created": "2023-02-28T20:37:29.206Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:11.965Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can add display overlays onto banking apps to capture credit card information.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2", "created": "2019-09-03T20:08:00.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:12.172Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) code is both obfuscated and packed with an FTT packer.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f", "created": "2021-01-20T16:01:19.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. 
Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:12.371Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has used motion sensor data to attempt to determine if it is running in an emulator.(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--681161b2-4e30-4d49-8524-6cc0d94585cb", "created": "2023-03-16T13:33:26.925Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:12.572Z", "description": "Many properly configured firewalls may naturally block bidirectional command and control traffic.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:12.773Z", "description": "", "relationship_type": "revoked-by", "source_ref": 
"attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6846dc09-b66a-42d3-aea2-c80b51f22952", "created": "2023-02-28T21:42:31.008Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:12.992Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record audio using the device microphone.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--684c17bb-2075-4e1f-9fcb-17408511222d", "created": "2021-09-20T13:54:19.957Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:13.220Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can silently accept an incoming phone call.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44", "created": "2024-04-02T19:14:16.279Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:13.424Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can access and retrieve files on a device.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b", "created": "2025-03-28T15:09:23.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:13.621Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of files in a specified directory using the `fts` API.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6885280e-5423-422a-94f1-e91d557e043e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-XcodeGhost1", "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/"}, {"source_name": "PaloAlto-XcodeGhost", "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:13.816Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) was injected into apps by a modified version of Xcode (Apple's software development tool).(Citation: PaloAlto-XcodeGhost1)(Citation: PaloAlto-XcodeGhost)", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--68c17e9b-1fda-49dd-982b-566d473cc32b", "created": "2022-04-06T15:51:11.939Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:14.017Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--68e5789c-9f60-421e-9c79-fae207a29e83", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:14.225Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole SMS message content.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3", "created": "2020-07-20T13:27:33.486Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:14.432Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device\u2019s contact list.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50", "created": "2021-09-20T13:50:02.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:14.667Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can make phone calls.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8", "created": "2025-03-28T15:08:25.021Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}, {"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:14.876Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have dumped the device\u2019s keychain.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--694857ba-92e8-462e-8900-a9f6fdcf495d", "created": "2020-12-31T18:25:05.133Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:15.085Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has encrypted its DEX payload.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c", "created": "2019-08-09T18:02:06.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:15.306Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) can capture video using device cameras.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:15.508Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) modifies the system partition to maintain persistence.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--697f5584-667f-4489-a535-586dd1a8b48c", "created": "2023-10-10T15:33:59.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:15.722Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:15.925Z", "description": "[Charger](https://attack.mitre.org/software/S0323) locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:16.144Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) is capable of recording device phone calls.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a1d8b2f-9007-46ba-b559-356b81632cee", "created": "2023-10-10T15:33:58.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:16.362Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has masqueraded as TikTok.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b", "created": "2020-09-14T14:13:45.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. 
(2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:16.565Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate device pictures.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2", "created": "2022-04-01T15:13:55.124Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:16.772Z", "description": "Users should be instructed to not open links in applications they don\u2019t recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e", "created": "2023-03-16T18:26:45.940Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:16.980Z", "description": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a715733-cde6-4903-b967-35562b584c6f", "created": "2020-06-02T14:32:31.878Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:17.225Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can obtain a list of installed non-Apple applications.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a813057-5fe0-46b5-89a3-c804d223568c", "created": "2023-08-04T18:30:16.933Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:17.437Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate the victim device ID, model, manufacturer, and Android version.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a821e14-8247-408b-af37-9cecbba616ec", "created": "2020-05-07T15:33:32.945Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:17.666Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) obtains the device\u2019s application list.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a87a107-e607-460b-a08c-cc693b15268c", "created": "2024-03-26T19:31:52.738Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:17.864Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the victim device\u2019s contact list.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a", "created": "2024-03-26T18:49:57.818Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:18.072Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can masquerade as the chat application \"Magic Smile.\"(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e", "created": "2023-09-21T22:18:06.516Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:18.278Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) initially poses as a benign application, then malware is downloaded and executed after an application update.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0", "created": "2023-06-09T19:11:38.612Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:18.482Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can access a device\u2019s location and check if GPS is enabled. 
[Hornbill](https://attack.mitre.org/software/S1077) has logic to only log location changes greater than 70 meters.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6b41d649-bcd0-4427-baa1-15a145bace6e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:18.710Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) downloads and executes root exploits from a remote server.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61", "created": "2024-03-26T18:43:59.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:18.928Z", "description": "", "relationship_type": "uses", "source_ref": 
"intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9", "created": "2021-01-05T20:16:20.500Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:19.127Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect SMS messages from the device.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab", "created": "2023-01-18T19:16:15.534Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:19.364Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use keylogging to steal user banking credentials.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696", "created": "2022-03-28T19:38:23.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:19.571Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec", "created": "2025-03-14T17:57:19.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). 
Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:19.805Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) uses a virtualization solution to steal credentials.(Citation: Promon FjordPhantom Oct2024)", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a", "created": "2023-03-03T15:42:28.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:20.011Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can send large amounts of device data over its C2 channel, including the device\u2019s manufacturer, model, version and serial number, telephone number, and IP address.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2", "created": "2025-03-27T22:49:03.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:20.220Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has obtained a list of installed applications.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6c0105f3-e919-499d-b080-d127394d2837", "created": "2022-03-30T18:14:23.210Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:20.419Z", "description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6c35f99c-153d-4023-a29a-821488ce5418", "created": "2020-04-08T15:41:19.383Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). 
Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:20.617Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of installed applications to compare to a list of targeted applications.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82", "created": "2020-09-11T16:22:03.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:20.824Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect system information, including brand, manufacturer, and serial number.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd", "created": "2023-08-07T22:48:30.275Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:21.032Z", "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e", "created": "2021-02-08T16:36:20.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:21.257Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6cace9e3-f095-4914-bddc-24cec8bcc859", "created": "2020-09-24T15:34:51.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:21.450Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can collect the device\u2019s photos, browser history, bookmarks, and accounts stored on the device.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ce36374-2ff6-4b41-8493-148416153232", "created": "2020-07-20T13:27:33.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:21.666Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect user account, photos, browser history, and arbitrary files.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6d2c7743-fc75-4524-b217-13867ca1dd10", "created": "2019-09-03T20:08:00.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:21.878Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) can collect the contact list.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6d38782e-2c88-411b-8328-72347d4c6024", "created": "2025-03-14T18:01:12.030Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:22.088Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has injected malicious code and a hooking framework through a virtualization solution, i.e. 
[Virtualization Solution](https://attack.mitre.org/techniques/T1670), into the process of the hosted application.(Citation: Promon FjordPhantom Oct2024) ", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6d659130-545b-4917-891c-6c1b7d54ed07", "created": "2021-01-05T20:16:20.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:22.322Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can send SMS messages.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6d88242f-e45b-481c-bd41-b66a662618ce", "created": "2022-04-06T13:57:24.730Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:22.521Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf", "created": "2024-03-26T19:32:59.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cyware APT-C-23 2020", "description": "Cyware. (2020, October 2). APT\u2011C\u201123 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.", "url": "https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4"}, {"source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/"}, {"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:22.718Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can record phone calls and audio.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108", "created": "2023-03-20T18:57:17.059Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:22.920Z", "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6dada572-9e79-4835-9f8c-fcb6a94947af", "created": "2025-03-28T14:55:59.605Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}, {"source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/"}, {"source_name": "SecureList OpTriangulation Dec2023", "description": "Larin, B. (2023, December 27). Operation Triangulation: The last (hardware) mystery. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:23.125Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors sent iMessage messages with malicious exploits that executed without user interaction.(Citation: SecureList OpTriangulation 01Jun2023)(Citation: SecureList OpTriangulation 23Oct2023)(Citation: SecureList OpTriangulation Dec2023) Additionally, the threat actors have used various exploits, such as CVE-2023-41990, CVE-2023-32435, CVE-2023-32434 and CVE-2023-38606, to obtain privilege escalation.(Citation: SecureList OpTriangulation Dec2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05", "created": "2023-12-18T18:18:56.785Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:23.364Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has performed country and language checks.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23", "created": "2020-09-11T14:54:16.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:23.581Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect device metadata and can check if the device is rooted.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6e642c09-751c-43d8-9b99-aabb1703cad7", "created": "2025-03-24T17:57:15.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"}, {"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:23.803Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) gains initial execution when a victim visits a compromised or adversary-controlled website, including those mimicking legitimate sources such as a Hong Kong newspaper. Upon loading `index.html`, a Safari WebKit exploit is triggered, leading to the download of a Mach-O binary disguised with a `.png` extension.(Citation: FirshSecureList LightSpy 2020)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6e811d89-6526-480f-be40-1ad6483182ff", "created": "2023-10-10T15:33:58.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:24.013Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has used the Play Store icon as well as the name \u201cGoogle Play Marketplace\u201d.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a", "created": "2023-03-20T18:44:36.073Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:24.260Z", "description": "The user can view and manage installed third-party keyboards.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3", "created": "2023-08-04T18:29:05.423Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:24.455Z", "description": "(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", "target_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60", "created": "2020-09-11T14:54:16.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:24.665Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect attacker-specified files, including files located on external storage.(Citation: Lookout Desert Scorpion)\t", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87", "created": "2020-06-26T15:12:40.098Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:24.873Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can retrieve a list of installed applications.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d", "created": "2019-07-10T15:25:57.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:25.092Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c", "created": "2020-11-10T17:08:35.624Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:25.312Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can dynamically load additional functionality.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998", "created": "2020-04-08T15:41:19.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:25.519Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can create overlays to capture user credentials for targeted applications.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49", "created": "2024-04-02T19:13:36.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:25.720Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can activate a device\u2019s microphone.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7017085c-c612-48b2-b655-e18d7822d0e7", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:25.930Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests phone call history from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:26.141Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) maintains persistence by installing an Android application package (APK) on the system partition.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:26.375Z", "description": "Original samples of [BrainTest](https://attack.mitre.org/software/S0293) download their exploit packs for rooting from a remote server after installation.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e", "created": "2020-01-14T17:47:08.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:26.584Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) checks the Android version to determine which system library to patch.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:26.808Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--70fa8498-6117-4e15-ae3c-f53d63996826", "created": "2020-06-26T15:32:25.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:27.012Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect the device\u2019s location.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--71490fdb-e271-4a67-b932-5288924b1dae", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:27.216Z", "description": "[DualToy](https://attack.mitre.org/software/S0315) collects the connected iOS device\u2019s information including IMEI, IMSI, ICCID, serial number and phone number.(Citation: PaloAlto-DualToy)", "relationship_type": "uses", "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--716f68ee-1e77-4254-8f67-d8f3c71db678", "created": "2021-09-20T13:59:00.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:27.417Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via phone call from a set of \"control phones.\"(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--717feaf1-493b-4a3e-b886-40652f41168d", "created": "2024-03-28T18:31:04.700Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:27.621Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obtain a list of installed applications.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--718a612e-50c5-40ab-9081-b88cefeafcb6", "created": "2021-04-26T15:33:55.905Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CitizenLab Circles", "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. 
Retrieved December 23, 2020.", "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:27.836Z", "description": "[Circles](https://attack.mitre.org/software/S0602) can track the location of mobile devices.(Citation: CitizenLab Circles)", "relationship_type": "uses", "source_ref": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a", "created": "2024-02-20T23:53:09.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:28.073Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect IP address and network configuration information.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Tripwire-MazarBOT", "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. 
Retrieved December 23, 2016.", "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:28.317Z", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can intercept two-factor authentication codes sent by online banking apps.(Citation: Tripwire-MazarBOT)", "relationship_type": "uses", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68", "created": "2023-10-10T19:19:38.654Z", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:28.530Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) has exfiltrated cached data from infected devices.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7258542e-029b-45b9-be69-6e76d9c93b35", "created": "2020-09-14T13:35:45.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:28.749Z", "description": "[Twitoor](https://attack.mitre.org/software/S0302) can hide its presence on the system.(Citation: ESET-Twitoor)", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8", "created": "2024-03-26T16:18:25.630Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:28.952Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) can take photos and videos using the device cameras.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0", "created": "2017-10-25T14:48:53.741Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:29.149Z", "description": "Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af", "created": "2020-04-24T15:06:33.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. 
Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:29.367Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can take pictures using the camera and can record MP4 files.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--72a88d43-4144-444e-8f71-ac0d19ae3710", "created": "2020-09-14T14:13:45.256Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:29.568Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can track the device\u2019s location.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--732ca9b5-961d-4734-9f8d-339078457457", "created": "2024-04-02T19:15:19.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:29.779Z", "description": "(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258", "target_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--73410b22-5aca-4b86-8efc-98c1ad75399a", "created": "2023-10-10T15:33:59.572Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:29.977Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) has masqueraded as \u201cGoogle service\u201d, \u201cGooglePlay\u201d, and \u201cFlash update\u201d.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9", "created": "2020-09-11T15:52:12.520Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:30.206Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can block, forward, hide, and send SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--73d22490-4043-42d7-ad25-74e4a642bf6a", "created": "2023-03-20T18:41:45.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. 
Retrieved May 24, 2017.", "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:30.417Z", "description": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:30.621Z", "description": "Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication, however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee", "created": "2024-02-20T23:56:14.156Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:30.830Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--74080f4f-1de2-464f-8ec1-0635fc142273", "created": "2023-08-08T16:23:41.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:31.040Z", "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with. 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8", "created": "2020-04-24T17:46:31.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:31.253Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276", "created": "2023-10-10T15:33:57.989Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:31.448Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can be bound to legitimate applications prior to installation on devices.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed", "created": "2023-03-20T18:58:56.347Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:31.664Z", "description": "Application vetting services can detect unnecessary and potentially abused location permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba", "created": "2023-09-22T19:15:56.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:31.870Z", "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. 
This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69", "created": "2020-04-08T15:51:25.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:32.070Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330", "created": "2022-04-01T15:01:53.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:32.280Z", "description": "Mobile security products can take appropriate action 
when jailbroken devices are detected, potentially limiting the adversary\u2019s access to password stores.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe", "created": "2020-07-15T20:20:59.282Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:32.483Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can record the screen.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6", "created": "2023-03-16T13:31:29.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android Privacy Indicators", "description": "Google. (n.d.). Privacy Indicators. 
Retrieved April 20, 2022.", "url": "https://source.android.com/devices/tech/config/privacy-indicators"}, {"source_name": "iOS Mic Spyware", "description": "ZecOps Research Team. (2021, November 4). How iOS Malware Can Spy on Users Silently. Retrieved April 1, 2022.", "url": "https://blog.zecops.com/research/how-ios-malware-can-spy-on-users-silently/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:32.694Z", "description": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78", "created": "2019-10-10T15:17:00.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:32.909Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can monitor device photos and can also access browser history and bookmarks.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75770898-93a7-45e3-bdb2-03172004a88f", "created": "2022-03-30T14:49:47.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:33.116Z", "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75989cf6-c023-4ed3-9d23-a83f55690186", "created": "2023-02-28T21:43:36.886Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", 
"description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:33.328Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can read incoming text messages.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b", "created": "2020-12-14T15:02:35.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:33.521Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d", "created": "2023-08-16T16:33:56.014Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:33.722Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can log keystrokes and gather the lock screen password of an infected device by abusing Accessibility Services.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--75ed2348-279f-4485-97a3-9a5ada27d799", "created": "2023-02-06T19:06:17.406Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:33.925Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can disable Play Protect.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--760037f0-f027-41bb-adf8-1ced6c7085be", "created": "2023-10-10T15:33:59.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:34.121Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has mimicked Facebook and Google icons on the \u201cRecent apps\u201d screen to avoid discovery and uses the `com.google.xxx` package name to avoid detection.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f", "created": "2020-11-10T17:08:35.644Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:34.372Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2", "created": "2024-04-02T19:47:46.198Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:34.575Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has used obfuscation techniques to hide its hardcoded C2 address.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce", "created": "2023-09-22T19:16:35.609Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:34.789Z", "description": "The user is prompted for approval when an application requests device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847", "created": "2022-04-06T13:30:03.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:34.987Z", "description": "Users should be taught that Device Administrator permissions are very dangerous, and very few applications 
need it.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7696b512-ba2f-4310-86e1-7c528529fc5e", "created": "2020-09-15T15:18:12.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:35.213Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of [FakeSpy](https://attack.mitre.org/software/S0509) encrypt the C2 address.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--76cc66f4-ce85-4873-a63e-879b4a14a540", "created": "2023-03-03T16:23:20.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:35.423Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has connected to the C2 server via HTTP.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98", "created": "2023-10-10T15:33:59.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:35.648Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has masqueraded as legitimate media player, social media, and VPN applications.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7793a066-d72b-4a60-9579-e16369ea7185", "created": "2023-03-20T18:57:55.221Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:35.870Z", "description": "The user can view a list of apps with accessibility service privileges in the device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--77efa84c-5ef0-4554-b774-2dbfcca74087", "created": "2020-10-29T19:20:58.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:36.077Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889", "created": "2023-08-04T18:30:58.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:36.312Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can access a device\u2019s location.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45", "created": "2023-02-06T19:47:26.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:36.530Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has been distributed in obfuscated and packed form.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164", "created": "2020-01-27T17:49:05.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:36.749Z", "description": "(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9", "created": "2024-01-26T17:44:59.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:36.957Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) may use the `BOOT_COMPLETED` action to trigger further scripts on boot.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7885c84c-b832-42d4-b3d3-49b82849262f", "created": "2024-03-26T19:04:53.270Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:37.162Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can collect and exfiltrate WhatsApp media, photos and files with specific extensions, such as .pdf and .doc.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--789699c2-44f1-4280-bf86-ab23e6a13e84", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:37.365Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads calendar events and reminders.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:37.568Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's phone number, mobile device unique identifier (IMEI).(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f", "created": "2019-09-03T19:45:48.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:37.773Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-BrainTest", "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:37.974Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf", "created": "2020-09-11T15:43:49.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:38.174Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can send SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57", "created": "2023-12-18T19:04:37.052Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:38.388Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can enumerate files on external storage.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7", "created": "2020-11-24T17:55:12.889Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:38.601Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request device administrator permissions.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7965128c-89d6-411e-b765-c60e0cae96c6", "created": "2023-02-06T19:40:36.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:38.822Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can manipulate clipboard data to replace cryptocurrency addresses.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--797e82a0-0132-4adc-8885-c9e9d88386dd", "created": "2024-03-28T18:26:51.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:39.033Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to record phone calls.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1", "created": "2022-04-06T13:52:46.831Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:39.258Z", "description": "Android 7 changed how the Device Administrator password APIs function.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--79ef0025-3e1c-4914-9873-19808c2a5bec", "created": "2023-02-28T21:44:22.373Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). 
TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:39.457Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record the screen and stream the data off the device.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:39.673Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e", "created": "2019-07-10T15:25:57.602Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:39.878Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) uses the device microphone to record phone conversations.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac", "created": "2023-12-18T18:14:01.632Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:40.080Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can search for specifically installed security applications.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f", "created": "2020-12-24T22:04:28.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:40.312Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has sent messages to an attacker-controlled number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7accde36-cb29-43c6-8c66-6486efd867a8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:40.513Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather GPS coordinates.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). 
Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:40.719Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the victim for status and disables other access to the phone by other jailbreaking software.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024", "created": "2022-04-15T18:11:06.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Skycure-Profiles", "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20150203010257/https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:40.915Z", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.(Citation: Skycure-Profiles)", "relationship_type": "uses", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f", "created": "2022-04-01T18:49:19.284Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:41.112Z", "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. 
Android 7 introduced updates that revoke standard device administrators\u2019 ability to reset the device\u2019s passcode.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046", "created": "2022-04-05T17:14:35.469Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:41.345Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14", "created": "2020-06-26T15:32:25.043Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:41.556Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) disables Google Play Protect to prevent its discovery and deletion in the future.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb", "created": "2019-08-09T16:19:02.782Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android Capture Sensor 2019", "description": "Android Developers. (, January). Android 9+ Privacy Changes . 
Retrieved August 27, 2019.", "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:41.771Z", "description": "Android 9 and above restricts access to microphone, camera, and other sensors from background applications.(Citation: Android Capture Sensor 2019) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531", "created": "2019-08-07T15:57:13.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:41.970Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7ba30703-c3aa-425a-9482-9e9941fd7038", "created": "2020-12-24T21:45:56.961Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:42.218Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access the camera on the device.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890", "created": "2023-01-18T19:09:40.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:42.427Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can record the screen via the `MediaProjection` library to harvest user credentials, including biometric PINs.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:42.648Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) gathers contacts from the system by dumping the victim's address book.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e", "created": "2023-07-21T19:34:29.630Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:42.849Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can take and exfiltrate screenshots.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57", "created": "2023-08-04T18:58:19.825Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:43.059Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can exfiltrate data back to the C2 server using HTTP.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc", "created": "2020-04-08T15:41:19.400Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:43.275Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can modify administrator settings and disable Play Protect.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47", "created": "2023-06-09T19:19:56.840Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:43.486Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) has monitored for SMS and WhatsApp notifications.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c6207c7-d738-4a17-8380-595c86574b64", "created": "2020-09-11T16:22:03.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:43.708Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can track the device\u2019s location.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd", "created": "2025-04-15T18:12:30.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:43.907Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected device information such as IMEI, phone number, MAC address and IP address.(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56", "created": "2019-09-03T20:08:00.737Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:44.111Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) abuses accessibility features to intercept all interactions between a user and the device.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562", "created": "2023-07-21T19:38:52.085Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:44.322Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) uses unencrypted HTTP traffic between the victim and C2 infrastructure.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d481598-ece7-469c-b231-619a804c25e5", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:44.545Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures SMS messages that the victim sends or receives.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688", "created": "2020-05-07T15:33:32.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:44.778Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can hide its icon from the application launcher.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7db33293-6971-4c0d-88e0-18f505ebd943", "created": "2022-04-05T20:11:51.188Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:44.990Z", "description": "Recent OS versions have made it more difficult for applications to register as VPN providers. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62", "created": "2023-03-20T18:57:14.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:45.216Z", "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f", "created": "2020-12-24T22:04:28.005Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:45.419Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken photos with the device camera.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7defdb15-65d1-40ca-a9da-5c0484892484", "created": "2020-04-24T17:46:31.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:45.646Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can be controlled via encrypted SMS message.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:45.848Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed", "created": "2019-07-10T15:35:43.668Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:46.054Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses the device contact list.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7e8956e3-7d90-412d-a82f-d61e43239923", "created": "2023-03-20T18:44:01.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:46.272Z", "description": "Application vetting services may indicate precisely what content was requested during application execution.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad", "created": "2020-11-20T16:37:28.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:46.483Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect images, videos, and attacker-specified files.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4", "created": "2020-04-08T15:41:19.340Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:46.713Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can use its ransomware module to encrypt device data and hold it for ransom.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030", "created": "2022-03-30T20:42:04.251Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:46.921Z", "description": "Users should be advised to be extra scrutinous of applications that request location, and to deny any permissions requests for applications they do not recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e", "created": "2023-12-18T18:15:38.261Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). 
BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:47.136Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can check to see if it has been installed in a virtual environment.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7f4e1ac1-145e-4983-b735-7f70003893aa", "created": "2023-08-04T18:29:35.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:47.367Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate call logs.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7fa860d3-fa92-4953-8e79-05238b7dff99", "created": "2024-03-29T15:04:39.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:47.580Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "BankInfoSecurity-BackDoor", "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.", "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534"}, {"source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. 
(2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:47.788Z", "description": "[Adups](https://attack.mitre.org/software/S0309) was pre-installed on Android devices from some vendors.(Citation: NYTimes-BackDoor)(Citation: BankInfoSecurity-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9", "created": "2019-07-16T14:33:12.113Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Krebs-Triada June 2019", "description": "Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019.", "url": "https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/"}, {"source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:48.008Z", "description": "[Triada](https://attack.mitre.org/software/S0424) was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.(Citation: Google Triada June 2019)(Citation: Krebs-Triada June 2019)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--806a9338-be20-4eef-aa54-067633ac0e58", "created": "2020-04-08T15:41:19.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:48.276Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the device\u2019s GPS location.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--80778a1e-715d-477b-87fa-e92181b31659", "created": "2020-12-24T21:45:56.967Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:48.473Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can delete various piece of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9", "created": "2021-01-05T20:16:20.502Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:48.712Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can take screenshots.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--80eb5ebc-ae6f-461e-8e78-a18702249343", "created": "2023-12-18T18:14:53.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. 
Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:48.920Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can hide incoming calls by setting ring volume to 0 and showing a blank screen overlay.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d", "created": "2023-09-28T17:40:03.722Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zimperium FlyTrap", "description": "A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. Retrieved September 28, 2023.", "url": "https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/"}, {"source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:49.142Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect Facebook account information, such as Facebook ID, email address, cookies, and login tokens.(Citation: Trend Micro FlyTrap)(Citation: Zimperium FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81722aad-f503-4a74-91d5-1843adf8a995", "created": "2023-08-16T16:36:04.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:49.378Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can prevent application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--818b8c2b-bd23-4a83-9970-d42063608699", "created": "2020-04-24T15:06:33.393Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:49.581Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device contacts.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a", "created": "2024-03-26T19:13:47.350Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"}, {"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}, {"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:49.800Z", "description": "(Citation: welivesecurity_apt-c-23)(Citation: fb_arid_viper)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-DressCode", "description": "Echo Duan. (2016, September 29). DressCode and its Potential Impact for Enterprises. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:50.011Z", "description": "[DressCode](https://attack.mitre.org/software/S0300) sets up a \"general purpose tunnel\" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.(Citation: TrendMicro-DressCode)", "relationship_type": "uses", "source_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416", "created": "2023-03-20T18:52:56.247Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:50.263Z", "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f", "created": "2020-06-02T14:32:31.906Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Volexity Insomnia", "description": "A. Case, D. 
Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:50.467Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CheckPoint-Judy", "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. 
Retrieved September 18, 2018.", "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:50.689Z", "description": "[Judy](https://attack.mitre.org/software/S0325) bypasses Google Play's protections by downloading a malicious payload at runtime after installation.(Citation: CheckPoint-Judy)", "relationship_type": "uses", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7", "created": "2025-03-24T20:13:39.921Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. 
Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:50.898Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has communicated with the C2 using ports 52202, 51200, 43201, 43202, 43203, and 21202.(Citation: Threatfabric LightSpy 2023) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8244700e-6f96-463a-a9c3-810c489a2c60", "created": "2023-03-20T15:20:24.554Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:51.107Z", "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--82555171-8b78-40f3-84d9-058359ae808a", "created": "2020-09-24T15:34:51.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:51.368Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can send and block SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--825ffecc-090f-44c8-87be-f7b72e07f987", "created": "2022-04-01T18:43:15.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:51.565Z", "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d", "created": "2024-02-20T23:45:08.561Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:51.767Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--828417ec-c444-41c8-95b4-c339c5ecf62b", "created": "2022-03-30T20:48:00.360Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:51.965Z", "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--82a51cc3-7a91-43b0-9147-df5983e52b41", "created": "2020-12-14T15:02:35.208Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:52.168Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has communicated with the C2 using HTTP POST requests.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--82b58c75-239e-4dac-b848-bc1f3354adc4", "created": "2023-03-20T18:41:18.288Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:52.408Z", "description": "Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--82e93a9e-6968-497f-8043-a08d0f35bd32", "created": "2023-10-10T15:33:57.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"}, {"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:52.612Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has requested accessibility service privileges while masquerading as \"Google Play Protect\" and has disguised additional malicious application installs as legitimate system updates.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--82f12052-783e-40e4-8079-d9c030c310fd", "created": "2022-03-30T20:08:40.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:52.819Z", "description": "Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--82f51cc6-6ce4-459e-b598-7b2b77983469", "created": "2020-04-24T15:06:33.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:53.011Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--83358774-0857-429c-9f7a-151403e52881", "created": "2023-10-10T15:33:59.912Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:53.221Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used names like WhatsApp and Netflix.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-Xbot", "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:53.428Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) steals all SMS message and contact information as well as intercepts and parses certain SMS messages.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:53.650Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects SMS messages.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b", "created": "2024-04-02T19:14:02.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:53.854Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can retrieve a device\u2019s SMS messages.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:54.064Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) gathered system information including phone number, OS version, phone model, and SDK version.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--83d95d05-7545-4295-894b-f33a2ba1063b", "created": "2020-12-17T20:15:22.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:54.274Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has registered several broadcast receivers.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7", "created": "2025-03-24T17:48:43.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). 
LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:54.487Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has captured environment audio, phone calls and Voice over IP (VoIP) calls.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--848581bc-bf8f-40e2-871e-cd67042b4adf", "created": "2023-01-18T19:14:40.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:54.709Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use overlays to steal user banking credentials entered into legitimate sites.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8499ffce-1045-4a8a-9e09-ec53d535a021", "created": "2023-10-10T15:33:58.887Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:54.944Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has masqueraded as VPN and Android system apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4", "created": "2023-10-10T15:33:59.401Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:55.230Z", "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) distributed malware as repackaged legitimate applications, with the malicious code in the `com.golf` package.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0", "created": "2024-03-26T19:05:36.787Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:55.443Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can download additional malware to the victim device.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c", "created": "2024-02-21T20:53:10.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:55.649Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103", "created": "2019-09-23T13:36:08.341Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:55.862Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. 
It can also communicate by using JSON messages sent through Google Cloud Messaging.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8578441b-00d2-4416-a011-380647e6ccdd", "created": "2024-02-21T20:44:44.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:56.064Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:56.277Z", "description": "[Charger](https://attack.mitre.org/software/S0323) checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23", "created": "2025-03-28T15:02:49.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:56.484Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used HTTPS POST requests for C2 communication.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02", "created": "2020-06-26T15:32:25.144Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint Cerberus", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:56.712Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 server using HTTP.(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3", "created": "2020-07-15T20:20:59.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:56.912Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can disable Play Protect.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86170d29-0e41-44d0-94b0-de7d23718302", "created": "2022-04-05T19:42:39.957Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android 12 Features", "description": "Google. (2022, April 4). Features and APIs Overview. 
Retrieved April 5, 2022.", "url": "https://developer.android.com/about/versions/12/features"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:57.115Z", "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788", "created": "2020-05-07T15:33:32.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:57.345Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) deletes infected applications\u2019 update packages when they are detected on the system, preventing updates.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8", "created": "2022-04-05T19:49:59.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:57.561Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5", "created": "2023-06-09T19:19:38.523Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:57.767Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f", "created": "2022-04-06T13:39:39.883Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:57.975Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3", "created": "2020-05-04T14:04:56.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:58.177Z", "description": "[Bread](https://attack.mitre.org/software/S0432) collects the device\u2019s IMEI, carrier, mobile country code, and mobile network code.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8726b157-3575-450f-bb7f-f17bb18e6aef", "created": "2022-03-30T20:41:43.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:58.380Z", "description": "New OS releases frequently contain additional limitations or controls around device location access.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--873b98de-d7cf-471b-9aa2-229eb03c9165", "created": "2020-09-15T15:18:12.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:58.581Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device information, including OS version and device model.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--875dc21d-92c3-45bf-be37-faa44f4449bf", "created": "2020-06-02T14:32:31.891Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:58.808Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s contact list.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298", "created": "2020-12-14T15:02:35.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:59.022Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect the device\u2019s contact list.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--886849fc-f83c-4d69-b700-bfad0def765d", "created": "2023-03-16T18:32:30.054Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:59.268Z", "description": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8870c211-820a-46a1-96fc-02f4e6eaec03", "created": "2020-11-10T16:50:39.134Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:59.464Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). [CarbonSteal](https://attack.mitre.org/software/S0529) has also called `netcfg` to get stats.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--88de8869-2b01-4702-8518-e4e78fde44d9", "created": "2023-07-12T20:45:18.766Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:59.671Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--88ded3fb-759e-4e96-946b-e7148c54856e", "created": "2022-04-08T16:29:30.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:49:59.882Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": 
"attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--88e33687-e999-42c8-b46b-49d2adfa17d0", "created": "2022-04-01T15:02:04.528Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:00.085Z", "description": "Apple regularly provides security updates for known OS vulnerabilities. ", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03", "created": "2020-12-17T20:15:22.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:00.317Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device\u2019s microphone.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--891edea2-817c-4eeb-9991-b6e095c269a8", "created": "2020-06-02T14:32:31.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:00.513Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve the call history.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0", "created": "2020-04-24T15:12:11.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. 
(2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:00.714Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) requests permissions to use the device camera.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--89565753-23c4-422d-a9ba-39f4101cd819", "created": "2020-11-20T16:37:28.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:00.915Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can track the device\u2019s location.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d", "created": "2023-03-20T15:55:09.279Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:01.137Z", "description": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05", "created": "2024-03-26T19:03:34.834Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:01.388Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can record phone calls.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8a255d63-a770-4b9d-911c-bd906733ceef", "created": "2023-01-18T19:24:36.689Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:01.599Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has C2 commands that can move the malware in and out of the foreground. 
(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724", "created": "2022-04-01T15:02:21.344Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:01.813Z", "description": "Device attestation can often detect jailbroken devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be", "created": "2023-07-21T19:35:34.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:02.027Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can access browser history and bookmarks, and can list all files and folders on the device.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3", "created": "2020-09-11T14:54:16.615Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:02.265Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record videos.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b27a786-b4d9-4014-a249-3725442f9f1d", "created": "2021-01-05T20:16:20.499Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:02.471Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can obtain a list of installed applications.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9", "created": "2020-09-11T14:54:16.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). 
Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:02.696Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect the device\u2019s contact list.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b3756f1-327a-4625-bde0-26b216ecb07a", "created": "2025-03-28T14:41:27.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:02.903Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has obtained a list of files using the `fts` API and has obtained files that match a specified regular expression.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711", "created": "2023-02-06T20:12:17.434Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:03.101Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_CALL_LOG` permission.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785", "created": "2024-04-03T20:10:01.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CitizenLab Great iPwn", "description": "Marczak, B., et al. (2020, December 20). The Great iPwn. 
Retrieved April 3, 2024.", "url": "https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:03.316Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has been distributed via malicious links in SMS messages.(Citation: CitizenLab Great iPwn)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781", "created": "2020-04-24T15:06:33.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:03.518Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can record MP4 files and monitor calls.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090", "created": "2023-03-20T18:58:30.773Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:03.724Z", "description": "On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556", "created": "2019-09-04T15:38:56.678Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm"}, {"source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:03.916Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is capable of hiding SuperSU's icon if it is installed and visible.(Citation: FortiGuard-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) can also hide its own icon to make detection and the uninstallation process more difficult.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52", "created": "2023-01-19T18:07:52.146Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:04.116Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can exfiltrate collected user data, including credentials and authorized cookies, via email.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8bcc9da8-c390-4151-b72d-30604820673e", "created": "2023-08-04T19:05:04.644Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:04.323Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can search for installed applications such as WhatsApp.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8c034c66-18ad-4b30-9f17-ed574c10918f", "created": "2023-03-20T18:56:20.203Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:04.534Z", "description": "The user can view permissions granted to an application in device settings. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91", "created": "2020-12-18T20:14:47.369Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:04.767Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has registered several broadcast receivers.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8c50e9e7-e13c-4814-98d0-088d73b10005", "created": "2023-03-03T16:21:24.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:04.996Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has modified Safari\u2019s default search engine, bookmarked websites, opened pages, and accessed contacts and authorization tokens of the IM program \u201cQQ\u201d on infected devices.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8c656539-aa1e-42db-9016-d38f1daaae16", "created": "2023-01-18T19:20:26.156Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:05.220Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can collect user SMS messages.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8c7598a6-6046-491d-99a7-52c31974a9a9", "created": "2023-03-20T18:57:40.504Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:05.426Z", "description": "Application vetting services could look for misuse of dynamic libraries.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e", "created": "2021-01-05T20:16:20.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:05.648Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can check the device\u2019s battery status.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b", "created": "2020-09-11T14:54:16.638Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:05.862Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can delete copies of itself if additional APKs are downloaded to external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:06.069Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can use SMS for command and control.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:06.267Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) has the ability to dynamically download and execute new code at runtime.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9", "created": "2023-08-04T18:29:54.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:06.485Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate a device's contacts.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b", "created": "2023-02-06T19:47:08.535Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_sova_1122", "description": "Francesco Lubatti, Federico Valentini. (2022, November 8). SOVA malware is back and is evolving rapidly. 
Retrieved March 30, 2023.", "url": "https://www.cleafy.com/cleafy-labs/sova-malware-is-back-and-is-evolving-rapidly"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:06.715Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has code to encrypt device data with AES.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803", "created": "2023-02-06T19:05:00.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:06.920Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can obtain a list of installed applications.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8dc4b237-e466-4a3d-9d28-896f1389996d", "created": "2025-02-12T15:22:36.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:07.134Z", "description": "The OS may show a notification to the user that the SIM card has been transferred to another device.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b", "created": "2023-10-10T15:33:58.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:07.387Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) has masqueraded as \u201cAdobe Flash Player\u201d and \u201cGoogle Play Verificator\u201d.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de", "created": "2023-01-18T19:16:45.773Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:07.599Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has used custom encryption to hide strings, potentially to evade antivirus products.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8ea39534-6fe9-404c-94b7-0f320af95404", "created": "2022-04-01T15:17:21.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:07.834Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc", "created": "2019-09-23T13:36:08.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:08.025Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) retrieves a list of installed applications and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:08.264Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted location information.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f142643-0448-4b04-8260-8e4e62ad80bb", "created": "2023-08-04T18:34:42.357Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:08.467Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can download adversary specified content from FTP shares.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8", "created": "2022-03-30T18:06:21.355Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec-iOSProfile2", "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018.", "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles"}, {"source_name": "Android-TrustedCA", "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018.", "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:08.676Z", "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. 
On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f2929a9-cd25-4e07-b402-447da68aaa56", "created": "2020-04-24T15:06:33.455Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:08.908Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc", "created": "2020-07-15T20:20:59.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:09.110Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) obfuscates its hardcoded C2 URLs.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68", "created": "2023-06-09T19:15:30.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:09.324Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect voice notes and messages from WhatsApp, if installed.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57", "created": "2020-11-24T17:55:12.826Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:09.522Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can wipe the device.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3", "created": "2020-04-08T15:41:19.404Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:09.727Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can steal the device\u2019s contact list.(Citation: Cofense Anubis) ", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5", "created": "2019-09-03T19:45:48.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:09.937Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can record audio from the compromised device's microphone and can record call audio in 3GP format.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9", "created": "2022-03-30T14:26:02.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android Changes to System Broadcasts", "description": "Google. (2019, December 27). Broadcasts Overview. 
Retrieved January 27, 2020.", "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:10.145Z", "description": "Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--8ff45341-60d6-40d3-bb38-566814a466f9", "created": "2020-07-20T13:27:33.552Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:10.390Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can perform primitive emulation checks.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--901492b5-b074-4631-ad6e-4178caa4164a", "created": "2020-12-24T22:04:28.017Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:10.590Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has recorded calls and environment audio in .amr format.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a", "created": "2023-09-28T17:39:24.890Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:10.815Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect device geolocation data.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--90d4d964-efa2-46ac-adc2-759886e07158", "created": "2020-10-29T17:48:27.325Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:11.016Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used HTTPS for C2 communication.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861", "created": "2021-02-08T16:36:20.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:11.383Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4", "created": "2025-03-24T17:56:46.563Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"}, {"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:11.602Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has delivered malicious links through Telegram channels and Instagram posts.(Citation: FirshSecureList LightSpy 2020)(Citation: Shoshin_Kaspersky LightSpy 2020) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:11.803Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures SMS data.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--91831379-b0da-4019-a7bb-17e53cda9d0b", "created": "2020-12-31T18:25:05.131Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:12.002Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has utilized native code to decrypt its malicious payload.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--919a13bc-74be-4660-af63-454abee92635", "created": "2019-03-11T15:13:40.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-Anserver2", "description": "Karl Dominguez. 
(2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:12.223Z", "description": "\n[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device IMEI and IMSI.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--91a4924f-2519-4662-91f2-b7ef715a459f", "created": "2023-03-20T18:59:55.756Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:12.427Z", "description": "Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd", "created": "2025-03-12T22:10:30.974Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). 
Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:12.618Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has masqueraded as legitimate banking applications.(Citation: Promon FjordPhantom Oct2024) ", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27", "created": "2020-07-20T13:27:33.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:12.812Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489)\u2019s code is obfuscated.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63", "created": "2025-03-27T22:37:35.890Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Europol FluBot Jun2022", "description": "Europol. (2022, June 1). 
Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.", "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:13.011Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) has been distributed via malicious links in SMS messages.(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:13.225Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses databases from WhatsApp, Viber, Skype, and Line.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--922fa6eb-7274-477c-821e-ae6684c08934", "created": "2024-04-02T19:28:17.558Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:13.424Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) has used phishing sites for iCloud and Facebook if either of those were used for authentication during the chat sign up process.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea", "created": "2019-10-18T14:52:53.193Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:13.614Z", "description": "Device attestation could detect devices with unauthorized or unsafe modifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb", "created": "2020-06-26T14:55:13.261Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:13.803Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--92cc4942-453e-49af-bc04-18cb99493b73", "created": "2025-03-28T15:13:08.761Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:14.000Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have collected and exfiltrated SMS messages.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0", "created": "2019-08-07T15:57:13.453Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:14.228Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f", "created": "2024-03-28T18:11:37.535Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:14.420Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to modify permissions on a rooted device and tried to disable the SecurityLogAgent application.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:14.651Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) enables remote control of the victim through SMS channels.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c", "created": "2019-07-10T15:35:43.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:14.846Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) queries the device for metadata, such as device ID, OS version, and the number of cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9373912a-affa-4a3c-ad97-1b8311e228ee", "created": "2019-09-04T14:28:15.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:15.041Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9398bf9d-be77-4ac2-acea-893152cafd16", "created": "2022-03-30T14:43:46.034Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:15.255Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016", "created": "2022-04-15T18:12:53.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Xiao-KeyRaider", "description": "Claud Xiao. (2015, August 30). KeyRaider: iOS Malware Steals Over 225,000 Apple Accounts to Create Free App Utopia. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:15.458Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.(Citation: Xiao-KeyRaider)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--93b6bf37-5614-4317-8ed7-42f098152c40", "created": "2023-02-28T20:39:18.320Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:15.670Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use a SOCKS proxy to evade C2 IP detection.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--93c16b23-305c-418d-9792-6e44525ed85a", "created": "2024-04-02T19:14:26.097Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:15.862Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can access a device\u2019s location.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--93c20f43-6684-471c-910f-d9577f289677", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:16.045Z", "description": "In at least one case, [Stealth Mango](https://attack.mitre.org/software/S0328) may have been installed using physical access to the device by a repair shop.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:16.258Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) update and sends the location of the phone.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a", "created": "2024-03-29T15:05:34.232Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:16.448Z", "description": "Certain enterprise policies can be applied to prevent users from adding certificates to the device and to prevent applications from being able to install their own certificates. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9432fabf-9487-469c-86c9-b9d26b013c85", "created": "2022-04-01T13:13:10.587Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:16.672Z", "description": "Call Log access an uncommonly needed permission, so users should be instructedto use extra scrutiny when granting access to their call logs. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348", "created": "2022-04-20T17:42:11.714Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:16.854Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses standard HTTP for exfiltration.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f", "created": "2019-12-10T16:07:41.083Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:17.054Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can enable installation of apps from unknown sources.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4", "created": "2022-03-28T19:30:27.364Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:17.261Z", "description": "Security updates may contain patches to integrity checking mechanisms that can detect unauthorized hardware modifications.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f", "created": "2022-03-28T19:25:38.355Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:17.452Z", "description": "Security updates may contain patches that inhibit system software compromises.", "relationship_type": "mitigates", "source_ref": 
"course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--950e1476-83ca-4e81-b542-c91a19b206d7", "created": "2020-04-24T17:46:31.466Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:17.671Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device information such as network operator, model, brand, and OS version.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19", "created": "2024-04-02T19:42:50.418Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:17.876Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has disabled play protect.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--95725b00-f40e-4a3a-af2a-92156595cd37", "created": "2024-04-03T20:07:44.446Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CitizenLab Great iPwn", "description": "Marczak, B., et al. (2020, December 20). The Great iPwn. 
Retrieved April 3, 2024.", "url": "https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hacked-with-suspected-nso-group-imessage-zero-click-exploit/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:18.077Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has used zero-day iMessage exploits for initial access.(Citation: CitizenLab Great iPwn)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--95bf4e8b-f388-48a0-b236-c2077252e71e", "created": "2019-09-03T20:08:00.757Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:18.330Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers the device IMEI to send to the command and control server.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--95fec5e4-d48a-471f-8223-711cd32659b8", "created": "2022-04-01T18:49:51.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:18.519Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--96298aed-9e9f-4836-b29b-04c88e79e53e", "created": "2022-04-01T18:42:37.987Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:18.713Z", "description": "Security updates often contain patches for vulnerabilities that could be exploited for root access. 
Root access is often a requirement to impairing defenses.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b", "created": "2020-12-17T20:15:22.397Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:18.907Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can steal data from various sources, including chat, communication, and social media apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--96475ee5-39ed-46c5-85f6-f08462875a9e", "created": "2024-03-26T18:43:39.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:19.140Z", "description": "", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", 
"x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306", "created": "2020-05-07T15:33:32.778Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:19.372Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--96569099-db95-4f3c-8ded-6d9cf023e55e", "created": "2019-09-03T20:08:00.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:19.557Z", "description": " [Gustuff](https://attack.mitre.org/software/S0406) can use SMS for command and control from a defined admin phone number.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31", "created": "2022-09-29T20:11:55.474Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:19.772Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97158eda-5092-4939-8b5c-1ef5ab918089", "created": "2020-04-24T15:12:11.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:19.968Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) can collect device photos.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf", "created": "2020-09-11T14:54:16.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:20.171Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect account information stored on the device.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97408547-bacd-4308-a8be-556e9ff04951", "created": "2023-03-20T18:55:23.628Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:20.364Z", "description": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. 
Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97417113-1840-4e00-98d3-bb222e1a1f60", "created": "2020-07-27T14:14:56.980Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:20.558Z", "description": "[Zen](https://attack.mitre.org/software/S0494) base64 encodes one of the strings it searches for.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--97738857-d496-4d39-9809-1921e0ad10b7", "created": "2020-12-31T18:25:05.125Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:20.757Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can collect files from the filesystem and account information from Google Chrome.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--980430c1-6173-440e-b75e-c1cdb4c41560", "created": "2023-09-28T17:40:16.985Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zimperium FlyTrap", "description": "A. Yaswant. (2021, August 9). FlyTrap Android Malware Compromises Thousands of Facebook Accounts. 
Retrieved September 28, 2023.", "url": "https://www.zimperium.com/blog/flytrap-android-malware-compromises-thousands-of-facebook-accounts/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:20.946Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can use HTTP to exfiltrate data to the C2 server.(Citation: Zimperium FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}, {"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:21.130Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) captures SMS messages.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39", "created": "2020-04-08T15:41:19.364Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:21.364Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can take screenshots.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9819974c-f093-482b-8b2b-93a05ab7382e", "created": "2023-08-04T18:31:48.507Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:21.571Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate browser history, BlackBerry Messenger files, IMO instant messaging content, and WhatsApp voice notes.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98360714-5239-442f-9619-d562b4b7ce76", "created": "2024-01-26T17:36:10.275Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:21.765Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) can steal data from a user\u2019s WhatsApp account(s).(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3", "created": "2021-02-08T16:36:20.788Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:21.988Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included keylogging capabilities as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98632824-9fe4-4992-aafe-31c5eac66ec1", "created": "2023-12-18T18:18:22.618Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:22.220Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has exfiltrated data to the C2 server using HTTP requests.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e", "created": "2023-02-28T20:34:18.504Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:22.408Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use HTTP POST requests on port 80 for communicating with its C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98ae9cb2-1141-48c6-81fd-f16adb430031", "created": "2023-01-18T19:17:07.565Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:22.600Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_EXTERNAL_STORAGE` and `WRITE_EXTERNAL_STORAGE` Android permissions.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9", "created": "2023-12-18T18:17:36.795Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}, {"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:22.823Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has masqueraded as legitimate WhatsApp updates and app security scanners.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98b14660-79e1-4244-99c2-3dedd84eb68d", "created": "2020-09-11T14:54:16.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:23.044Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can track the device\u2019s location.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a", "created": "2020-11-20T16:37:28.475Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:23.271Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device\u2019s contact list.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--98fb2884-c912-42ff-9c87-4fbabfa70115", "created": "2023-08-08T16:14:01.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:23.460Z", "description": "Application vetting services may potentially determine if an application contains suspicious code and/or metadata.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07", "created": "2024-03-26T19:05:15.623Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:23.677Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can collect device metadata.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4", "created": "2021-10-01T14:42:48.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:23.870Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record from the device\u2019s camera.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9951d8c0-d210-4776-808b-421b613f244f", "created": "2019-09-23T13:36:08.463Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:24.065Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) hides its icon after first launch.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f", "created": "2020-09-11T14:54:16.642Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:24.268Z", "description": "If running on a Huawei device, [Desert Scorpion](https://attack.mitre.org/software/S0505) adds itself to the protected apps list, which allows it to run with the screen off.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648", "created": "2024-04-02T19:45:43.976Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:24.463Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can hide its icon.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9", "created": "2023-09-25T19:44:41.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "MoustachedBouncer ESET August 2023", "description": "Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. 
Retrieved September 25, 2023.", "url": "https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:24.674Z", "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used legitimate looking filenames for malicious executables including MicrosoftUpdate845255.exe.(Citation: MoustachedBouncer ESET August 2023)", "relationship_type": "uses", "source_ref": "intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9a90aacf-3b03-4100-a600-5c455d4e48de", "created": "2025-03-28T15:10:00.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:24.860Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used a microphone-recording module.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25", "created": "2023-06-09T19:16:28.560Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:25.056Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can take screenshots and can abuse accessibility services to scrape WhatsApp messages, contacts, and notifications.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9b56528f-cf04-4d81-80ee-7bacb862383a", "created": "2023-03-20T18:57:33.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:25.266Z", "description": "Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78", "created": "2024-04-02T19:13:50.668Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:25.461Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can activate a device\u2019s camera.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9b8b51fb-c380-4516-b109-821f015506d4", "created": "2023-03-20T15:40:26.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:25.682Z", "description": "Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. 
Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9bbfa759-5555-4048-a79d-fed27a1efd93", "created": "2023-06-09T19:14:21.299Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:25.878Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can access images stored on external storage.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d", "created": "2025-03-14T17:58:40.269Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:26.080Z", "description": "Application vetting services can look 
for applications that request permissions to Accessibility services or application overlay. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d", "created": "2022-04-01T17:06:06.950Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:26.276Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to location information. Users should also protect their account credentials and enable multi-factor authentication options when available. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9c302eb1-1810-48a5-b34d-6aae303d2097", "created": "2022-04-01T15:16:26.387Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:26.465Z", "description": "Users should be instructed to not open links in applications they don\u2019t recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9c545cbb-4949-4695-8d6b-b480478d3e20", "created": "2023-12-18T18:08:42.383Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:26.660Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can turn off or fake turning off the screen while performing malicious activities.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9c6b1915-24e2-48ac-909a-0af43053b053", "created": "2025-03-28T14:35:37.765Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:26.868Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has encrypted data using RSA.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:27.065Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole geo-location data.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9c853c22-7607-4cbd-b114-08aaa4625c35", "created": "2020-12-17T20:15:22.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. 
Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:27.280Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can collect device information and can check if the device is running MIUI on a Xiaomi device.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9caeaf97-ca4e-4417-8148-d9a38b141047", "created": "2025-03-28T15:02:22.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:27.469Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used RSA to encrypt C2 communication.(Citation: SecureList OpTriangulation 21Jun2023)", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2", "created": "2023-03-20T18:50:32.580Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:27.672Z", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. 
This could indicate that non-system apps are attempting to access information that they do not have access to.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e", "created": "2023-03-20T18:52:52.011Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:27.872Z", "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. 
A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856", "created": "2020-05-04T14:04:56.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:28.073Z", "description": "[Bread](https://attack.mitre.org/software/S0432) communicates with the C2 server using HTTP requests.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9d264e84-27b2-4867-82c8-55486a969d7c", "created": "2020-12-17T20:15:22.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:28.277Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running processes.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7", "created": "2023-03-20T18:48:56.995Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:28.468Z", "description": "Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de", "created": "2019-10-14T20:49:24.571Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. 
Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:28.676Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about running processes.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9", "created": "2019-09-04T14:28:15.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:28.870Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can remount the system partition as read/write to install attacker-specified certificates.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c", "created": "2019-09-04T15:38:56.562Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:29.070Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can communicate with the command and control server over ports 12512 and 12514.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:29.266Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can monitor clipboard content.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9e458d77-c856-4b02-82a7-50947b232dc3", "created": "2021-10-01T14:42:49.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:29.460Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download a payload or updates from either its C2 server or email attachments in the adversary\u2019s inbox.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CrowdStrike-Android", "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. 
Retrieved February 6, 2017.", "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:29.656Z", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was believed to have been used to obtain locational data of Ukrainian artillery forces.(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9e95ef68-0650-49eb-888f-47c211481be9", "created": "2023-03-20T18:51:40.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:29.844Z", "description": "Application vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9f83d618-a42d-4797-b9fe-030affdbd13f", "created": "2023-01-18T19:46:45.399Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). 
SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:30.046Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can hide and send SMS messages. [SharkBot](https://attack.mitre.org/software/S1055) can also change which application is the device\u2019s default SMS handler.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7", "created": "2022-04-15T16:00:43.483Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:30.267Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can turn off `VerifyApps`, and can grant Device Administrator permissions via commands only, rather than using the UI.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2", "created": "2020-07-15T20:20:59.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:30.464Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5", "created": "2024-04-17T13:12:54.126Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:30.671Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can communicate with the C2 using HTTPS requests.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--9fdc5fee-2250-4894-8333-466910023533", "created": "2024-02-20T23:42:43.674Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:30.862Z", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f", "created": "2022-03-30T20:07:33.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:31.052Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d", "created": "2020-10-29T19:21:23.235Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:31.272Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has hidden the C2 server address using base-64 encoding. 
(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e", "created": "2022-03-30T13:45:39.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:31.464Z", "description": "Device attestation can often detect jailbroken or rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c", "created": "2019-11-21T19:16:34.820Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:31.679Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965", "created": "2020-04-08T15:51:25.106Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:31.872Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can obtain a list of installed applications.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415", "created": "2020-11-10T17:08:35.819Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:32.058Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device\u2019s location and track the device over time.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6", "created": "2019-11-21T16:42:48.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}, {"source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:32.263Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect location information, including GPS coordinates.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a111958f-bb98-48c1-ad44-bf55fad232e9", "created": "2025-03-24T17:50:41.036Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). 
LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:32.461Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected a list of cellular networks and connected Wi-Fi history using a LAN scanner based on MMLanScan.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f", "created": "2022-04-01T12:50:48.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:32.662Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a120ac54-32fa-43ad-a826-8325823b656d", "created": 
"2023-09-22T19:14:12.741Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:32.861Z", "description": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a153f40b-ba34-4419-9189-d61b5cd29802", "created": "2025-01-10T18:39:06.605Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. 
Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:33.059Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the call log.(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9", "created": "2020-07-20T13:27:33.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:33.274Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) uses `dumpsys` to determine if certain applications are running.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a186540d-d235-48f1-8757-d0b46f13c6ce", "created": "2023-06-09T19:20:23.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:33.480Z", "description": "(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", "target_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41", "created": "2023-01-18T21:43:36.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:33.684Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can download attacker-specified files.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f", "created": "2019-09-03T19:45:48.518Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:33.882Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can capture SMS messages.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1fac829-275a-409a-9060-e7bd7c63057e", "created": "2020-12-18T20:14:47.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:34.093Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can obtain a list of installed apps.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58", "created": "2023-12-18T18:11:53.531Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:34.330Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can use both HTTP and WebSockets to communicate with the C2 server.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a20493e1-4699-405d-a291-c28aae8ed737", "created": "2022-04-18T16:53:24.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:34.529Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. 
[RedDrop](https://attack.mitre.org/software/S0326) also downloads additional components (APKs, JAR files) from different C2 servers.(Citation: Wandera-RedDrop) ", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a20581b4-21fa-4ed9-b056-d139998868e8", "created": "2019-09-04T14:28:15.970Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:34.727Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the device's contact list.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:34.953Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52", "created": "2019-09-23T13:36:08.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:35.136Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can use phishing overlays to capture users' credit card information.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a25a0454-d6da-4448-a3c5-33648ee6675a", "created": "2023-07-21T19:36:50.262Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:35.361Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect system information, such as Android version and device identifiers.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:35.549Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) steals authentication tokens that can be used to access data from multiple Google applications.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a26a09cd-1718-403f-99f3-fdb127ac3599", "created": "2025-04-15T17:51:41.973Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:35.766Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has used the DeleteSpring plugin to render the device\u2019s user interface inoperable.(Citation: LinkedIn Dmitry LightSpy 2025) [LightSpy](https://attack.mitre.org/software/S1185) has prevented the victim device from booting by modifying the NVRAM parameter `auto-boot` to `false`.(Citation: LinkedIn Dmitry LightSpy 2025) Additionally, [LightSpy](https://attack.mitre.org/software/S1185) has renamed the Wi-Fi daemon to disable wireless connectivity.(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a27b771e-430b-4044-aa04-7e755f74ae2f", "created": "2025-03-27T22:47:30.734Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:35.979Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has searched for and has deleted the malicious iMessage attachment used in the initial access phase in various databases.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a", "created": "2023-03-20T18:53:52.174Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android-AppLinks", "description": "Android. (n.d.). Handling App Links. Retrieved December 21, 2016.", "url": "https://developer.android.com/training/app-links/index.html"}, {"source_name": "IETF-OAuthNativeApps", "description": "W. Denniss and J. Bradley. (2017, October). IETF RFC 8252: OAuth 2.0 for Native Apps. Retrieved November 30, 2018.", "url": "https://tools.ietf.org/html/rfc8252"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:36.174Z", "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). 
For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a285f343-09c3-49af-9c18-1dccf89e9009", "created": "2020-11-20T16:37:28.391Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:36.381Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect a directory listing of external storage.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd", "created": "2019-09-04T15:38:56.597Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:36.571Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) encrypts its configuration file using AES.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:36.784Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa", "created": "2020-11-24T17:55:12.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:36.974Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7", "created": "2024-03-26T18:39:59.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"}, {"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:37.165Z", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) has masqueraded malware as legitimate applications.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1", "created": "2020-06-26T14:55:13.289Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:37.388Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to capture data from installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d", "created": "2020-07-15T20:20:59.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:37.581Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used Firebase for C2.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62", "created": "2025-04-15T18:08:29.509Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:37.790Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) injects libcynject.dylib into the SpringBoard process to enable audio/video recording.(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209", "created": "2020-04-24T15:06:33.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:37.983Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a3c4b392-2879-4f31-9431-3398e034851b", "created": "2022-04-06T13:52:37.470Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:38.228Z", "description": "Users should be cautioned against granting administrative access to applications.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c", "created": "2020-12-14T14:52:03.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:38.417Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:38.616Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can download executable code from the C2 server after the implant starts or after a specific command.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3", "created": "2020-12-14T14:52:03.283Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:38.816Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP requests over port 7878.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a451966b-f826-422b-9505-f564b9988a9c", "created": "2020-12-24T21:55:56.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:39.015Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used both FTP and TCP sockets for data exfiltration.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a466f8f0-c9da-46d1-80d0-b8654e727526", "created": "2023-08-04T18:33:37.920Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:39.232Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate a list of installed applications.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8", "created": "2023-02-06T18:59:15.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:39.435Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device information such as manufacturer, model, version, serial number, and telephone number.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d", "created": "2023-12-18T18:09:34.167Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}, {"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:39.632Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can insert a given string of text into a data field. 
[BRATA](https://attack.mitre.org/software/S1094) can abuse the Accessibility Service to interact with other installed applications and inject screen taps to grant permissions.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9", "created": "2020-12-24T21:55:56.753Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:39.840Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploit tools to gain root, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a", "created": "2020-10-29T19:21:23.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WeLiveSecurity AdDisplayAshas", "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. 
Retrieved October 29, 2020.", "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:40.035Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has registered to receive the `BOOT_COMPLETED` broadcast intent to activate on device startup.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a54c8c09-c849-4146-a7cc-158887222a6d", "created": "2020-12-24T21:45:56.969Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:40.234Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access SMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a563fc97-a452-4348-a831-f4fb55c71e35", "created": "2023-03-03T16:22:45.712Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:40.437Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used fake Verisign and Symantec certificates to bypass malware detection systems. 
[YiSpecter](https://attack.mitre.org/software/S0311) has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e", "created": "2023-12-05T22:15:36.939Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:40.639Z", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a5b37f26-7629-4195-9536-12e349e5843b", "created": "2023-03-20T18:51:04.334Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:40.830Z", "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. 
This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:41.018Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) loads an encrypted DEX code payload.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d", "created": "2019-09-03T20:08:00.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:41.240Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) communicates with the command and control server using HTTP requests.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b", "created": "2023-03-20T18:59:46.622Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:41.425Z", "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a609b20b-6955-4c59-84d4-a3496d95fba1", "created": "2023-12-18T18:18:05.554Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:41.626Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has compressed data with the `zlib` library before exfiltration.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860", "created": "2023-12-18T19:07:14.211Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:41.823Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can record the screen.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2", "created": "2020-07-27T14:14:57.020Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:42.033Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can modify the SELinux enforcement mode.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072", "created": "2020-09-11T15:14:34.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SMS KitKat", "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.", "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:42.277Z", "description": "Users should be encouraged to be very careful with what applications they grant SMS access to. 
Further, users should not change their default SMS handler to applications they do not recognize.(Citation: SMS KitKat)", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a68b17af-5277-4722-9a2d-0924f07ca421", "created": "2023-12-18T18:12:15.138Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:42.470Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can view a device through VNC.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2", "created": "2023-01-18T21:24:28.714Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:42.674Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a Domain Generation Algorithm to decode the C2 server location.(Citation: nccgroup_sharkbot_0322) ", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:42.860Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collects and uploads information about changes in SIM card or phone numbers on the device.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a76d731b-484c-442a-b1a3-255d8398aefd", "created": "2019-10-10T15:22:52.545Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:43.048Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360", "created": "2023-08-08T22:50:32.635Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:43.270Z", "description": "The user can view applications that have registered accessibility services in the accessibility menu within the device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). 
Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:43.463Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses calendar entries.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:43.676Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:43.860Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted contact lists.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a808c887-b2b8-4b05-9cab-47c918e48d48", "created": "2020-12-14T15:02:35.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:44.052Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can send SMS messages from compromised devices.(Citation: Securelist Asacub) ", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03", "created": "2020-12-24T21:45:56.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. 
Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:44.274Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7", "created": "2019-03-11T15:13:40.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-Anserver2", "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. 
Retrieved November 30, 2018.", "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:44.484Z", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device OS version, device build version, manufacturer, and model.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a8565c17-7054-4d3f-bca5-6e17dc931491", "created": "2023-03-03T16:20:08.033Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:44.683Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used private APIs to download and install other pieces of itself, as well as other malicious apps. 
(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5", "created": "2019-09-03T20:08:00.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:44.891Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84", "created": "2019-07-10T15:35:43.708Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:45.098Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388", "created": "2022-03-30T20:36:18.656Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:45.328Z", "description": "Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce", "created": "2022-04-01T18:42:50.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:45.524Z", "description": "Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c", "created": "2019-09-23T13:36:08.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:45.732Z", "description": "Starting in 2017, the [Rotexy](https://attack.mitre.org/software/S0411) DEX file was packed with garbage strings and/or operations.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a92a805e-d5f5-4e94-8592-c253e03e4476", "created": "2022-03-31T19:51:15.415Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android Package Visibility", "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022.", "url": "https://developer.android.com/training/package-visibility"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:45.924Z", "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a93ee044-bd5d-48f3-972e-0abab780c35c", "created": "2023-02-08T20:05:06.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:46.122Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can steal information via malicious JavaScript.(Citation: trendmicro_tianyspy_0122)", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a95fe853-d1d1-47dc-a776-b905daacfe32", "created": "2020-06-26T20:16:32.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). 
Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:46.339Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) has used Firebase Cloud Messaging for C2.(Citation: ESET DEFENSOR ID) ", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530", "created": "2020-01-27T17:05:58.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:46.525Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of installed applications.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9", "created": "2022-04-01T17:08:15.158Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CSRIC5-WG10-FinalReport", "description": "Communications Security, Reliability, Interoperability Council (CSRIC). (2017, March). Working Group 10 Legacy Systems Risk Reductions Final Report. 
Retrieved May 24, 2017.", "url": "https://web.archive.org/web/20200330012714/https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:46.741Z", "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC5-WG10-FinalReport) ", "relationship_type": "mitigates", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c", "created": "2021-02-17T20:43:52.410Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:46.932Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0", "created": "2019-09-03T20:08:00.711Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff"}, {"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:47.115Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. 
[Gustuff](https://attack.mitre.org/software/S0406) can also send push notifications pretending to be from a bank, triggering a phishing overlay.(Citation: Talos Gustuff Apr 2019)(Citation: Group IB Gustuff Mar 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0", "created": "2022-04-01T16:52:03.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:47.328Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa468fe9-e580-41da-a888-100a799e8c6b", "created": "2024-04-02T18:59:32.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Meta Adversarial Threat Report 2022", "description": "Agranovich, D., et al. (2022, April). Adversarial Threat Report. 
Retrieved April 2, 2024.", "url": "https://about.fb.com/wp-content/uploads/2022/04/Meta-Quarterly-Adversarial-Threat-Report_Q1-2022.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:47.512Z", "description": "[UNC788](https://attack.mitre.org/groups/G1029) has used phishing and social engineering to distribute malware.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4", "created": "2024-03-26T19:36:18.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:47.738Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can receive Command and Control commands from SMS messages.(Citation: welivesecurity_apt-c-23)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5", "created": "2019-08-08T18:47:57.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android 10 Privacy Changes", "description": "Android Developers. (n.d.). Privacy changes in Android 10. 
Retrieved September 11, 2019.", "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:47.935Z", "description": "Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device\u2019s default IME.(Citation: Android 10 Privacy Changes) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443", "created": "2020-07-20T13:49:03.676Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:48.130Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c", "created": "2025-03-24T20:12:30.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:48.335Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected and exfiltrated files from messaging applications, such as Telegram, QQ, WeChat, and Whatsapp, and browser history from Chrome and Safari.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Gooligan Citation", "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. 
Retrieved December 12, 2016.", "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:48.536Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) executes Android root exploits.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01", "created": "2024-03-26T19:38:05.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:48.734Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can communicate with the Command and Control server using HTTPS and Firebase Cloud Messaging (FCM).(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware) ", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}, {"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:48.951Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects contact list information.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab18ee61-f94a-411c-9893-941714ce713e", "created": "2023-03-20T18:44:26.642Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:49.152Z", "description": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920", "created": "2022-04-05T19:46:22.326Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:49.376Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or 
accessibility service access.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:49.562Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99", "created": "2017-10-25T14:48:53.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Elcomsoft-iOSRestricted", "description": "Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. 
Retrieved September 21, 2018.", "url": "https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:49.765Z", "description": "iOS 11.4.1 and higher introduce USB Restricted Mode, which disables data access through the device's charging port under certain conditions (making the port only usable for power), likely preventing this technique from working.(Citation: Elcomsoft-iOSRestricted)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--abf03652-acd0-4361-8a66-f7e70e8e4376", "created": "2020-06-02T14:32:31.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:49.959Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) communicates with the C2 server using HTTPS requests.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783", "created": "2023-03-20T18:55:51.580Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:50.159Z", "description": "An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f", "created": "2022-03-30T19:28:55.980Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:50.372Z", "description": "Security updates typically provide patches for vulnerabilities that could be abused by malicious applications.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ac415e32-e204-4382-b500-2370cec7a608", "created": "2023-08-16T16:45:58.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:50.570Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can download new code at runtime.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:50.773Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77", "created": "2020-06-26T15:32:25.035Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}, {"source_name": "CheckPoint Cerberus", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). 
First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020.", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:50.963Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect device information, such as the default SMS app and device locale.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c", "created": "2019-09-03T19:45:48.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:51.148Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two attempts to connect to port 22011 to provide a remote reverse shell.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa", "created": "2023-02-06T19:05:28.288Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:51.360Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect files from or inspect the device\u2019s filesystem.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e", "created": "2022-03-30T18:07:07.306Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:51.557Z", "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ada67532-039d-4b4f-93ab-82ceba13ec56", "created": "2023-07-21T19:53:12.605Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:51.758Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access text message history.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3", "created": "2025-03-27T22:47:47.614Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:51.962Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has obtained a list of running processes.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--adc9957c-fa57-4e81-9231-b60f01b69859", "created": "2020-12-24T22:04:28.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:52.165Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) can download new code to update itself.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee", "created": "2023-07-21T19:51:55.111Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:52.376Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can intercept and imitate phone conversations by breaking the connection and displaying a fake call screen. 
It can also make outgoing calls and spoof incoming calls.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025", "created": "2024-03-29T15:07:01.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:52.568Z", "description": "Application vetting services can detect certificate pinning by examining an application\u2019s `network_security_config.xml` file, although this behavior can be benign.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ae8619a9-9142-4f0f-8778-09756341b472", "created": "2024-03-29T15:07:58.597Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:52.779Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version has used certificate pinning for C2 communication.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4", "created": "2024-02-20T23:39:08.717Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:52.976Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415", "created": "2022-03-30T14:50:07.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:53.166Z", "description": "Device attestation could detect unauthorized operating system modifications.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--af06eaaa-161e-4913-8668-49bdd25b2eff", "created": "2024-02-21T20:47:45.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:53.366Z", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f", "created": "2020-07-15T20:20:59.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:53.565Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--afba6b19-7486-4e5a-8fda-e91852b0b354", "created": "2021-09-20T13:42:21.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:53.782Z", "description": "Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. 
Further, users should not change their default call handler to applications they do not recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--afc0e8b2-2e85-4640-8517-fb2e16831082", "created": "2023-01-18T19:45:27.807Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:53.980Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a WebView with a fake log in site to capture banking credentials.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:54.184Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to record calls as well as the victim device's environment.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--afe9e326-01f7-4296-a11b-09cfffd80120", "created": "2020-07-27T14:14:56.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:54.380Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads and system prompts to create new Google accounts.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b018fe06-740b-4864-b30a-f047598506b3", "created": "2020-04-24T15:06:33.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:54.570Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect various pieces of device information, including OS version, phone model, and manufacturer.(Citation: TrendMicro Coronavirus Updates) ", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4", "created": "2024-03-28T18:30:23.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:54.776Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device\u2019s information, such as SIM serial number, SIM serial number, etc.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694", "created": "2021-01-05T20:16:20.514Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:54.959Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can list all hidden files in the `/DCIM/.dat/` directory.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b0625604-e4c4-402b-b191-f43137d38d99", "created": "2020-11-20T15:44:57.481Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:55.148Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect sent and received SMS messages.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c", "created": "2023-07-21T19:41:31.114Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:55.373Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) has been installed using the package name `com.android.callservice`, pretending to be an Android system service.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69", "created": "2019-10-14T19:14:18.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Group IB Gustuff Mar 2019", "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. 
Retrieved September 3, 2019.", "url": "https://www.group-ib.com/blog/gustuff"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:55.566Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) hides its icon after installation.(Citation: Group IB Gustuff Mar 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee", "created": "2025-03-28T15:10:18.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}, {"source_name": "SecureList OpTriangulation Dec2023", "description": "Larin, B. (2023, December 27). Operation Triangulation: The last (hardware) mystery. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:55.802Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors use the Audio Queue API to record audio.(Citation: SecureList OpTriangulation 23Oct2023)(Citation: SecureList OpTriangulation Dec2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc", "created": "2023-02-28T20:37:01.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:56.003Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use `locale.getLanguage()` to choose the language for notifications and avoid user detection.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b110d919-acd4-4fe0-a46a-ac4819508667", "created": "2020-07-20T13:58:53.589Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:56.234Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has been installed via a malicious configuration profile.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3", "created": "2023-12-18T18:16:45.155Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:56.429Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b19082d2-c151-45dd-8844-82335fbe3ed9", "created": "2023-02-28T21:43:54.880Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:56.621Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can send text messages.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83", "created": "2020-12-24T21:45:56.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:56.819Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can install new applications which are obtained from the C2 server.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b", "created": "2023-10-10T15:33:59.058Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:57.014Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.(Citation: Lookout FrozenCell) ", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b22addc1-6a23-4657-8164-3705e12bb95b", "created": "2023-07-21T19:40:41.725Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:57.232Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can use SMS to send C2 commands.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5", "created": "2024-02-21T20:46:00.252Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TelephonyManager", "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.", "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:57.432Z", "description": "Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2", "created": "2020-06-26T15:32:25.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. 
(2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:57.625Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain a list of installed applications.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e", "created": "2022-03-30T20:45:34.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android Package Visibility", "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022.", "url": "https://developer.android.com/training/package-visibility"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:57.824Z", "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ArsTechnica-HummingWhale", "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:58.016Z", "description": "[HummingWhale](https://attack.mitre.org/software/S0321) generates revenue by displaying fraudulent ads and automatically installing apps. 
When victims try to close the ads, [HummingWhale](https://attack.mitre.org/software/S0321) runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.(Citation: ArsTechnica-HummingWhale)", "relationship_type": "uses", "source_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b2896068-4d54-41e1-b0f2-db9385615112", "created": "2021-01-05T20:16:20.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:58.233Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has shown a persistent notification to maintain access to device sensors.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b309c25a-6baf-4874-829d-63712a38652c", "created": "2023-02-06T19:02:16.194Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:58.427Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself camera permissions.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545", "created": "2019-09-23T13:36:08.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:58.665Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. 
[Rotexy](https://attack.mitre.org/software/S0411) can also send a list of all SMS messages on the device to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b336b44d-1810-4672-8e51-a63e91681907", "created": "2025-03-24T17:56:25.848Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:58.859Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) uses the `landevices` module to enumerate devices on the same WiFi network through active scanning.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Shoshin_Kaspersky LightSpy 2020) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b356d405-f6b1-485b-bd35-236b9da766d2", "created": "2020-04-24T17:46:31.586Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:59.057Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0", "created": "2020-10-29T17:48:27.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:59.282Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can intercept SMS messages.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7", "created": "2023-03-20T15:33:34.181Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:59.476Z", "description": "System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab", "created": "2023-01-18T19:58:21.223Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:59.679Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) has used RSA to encrypt the symmetric encryption key used for C2 messages.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312", "created": "2023-10-10T15:33:59.311Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:50:59.886Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-WireLurker", "description": "Claud Xiao. (2014, November 5). WireLurker: A New Era in OS X and iOS Malware. 
Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:00.093Z", "description": "[WireLurker](https://attack.mitre.org/software/S0312) obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.(Citation: PaloAlto-WireLurker)", "relationship_type": "uses", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b402664b-a5b4-45e4-832f-02638e6c67a7", "created": "2022-04-01T14:59:17.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:00.299Z", "description": "Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary\u2019s access to password stores. ", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213", "created": "2022-04-20T17:31:58.697Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). 
Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:00.493Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) has exfiltrated data using FTP.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}, {"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. 
Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:00.731Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) gathers audio from the microphone.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b43c87a7-de40-4673-9808-57c7ffca7b98", "created": "2023-07-21T19:54:21.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:00.936Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) has masqueraded as popular Korean banking apps.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be", "created": "2021-02-17T20:43:52.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:01.128Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has read SMS messages for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1", "created": "2021-10-01T14:42:49.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:01.354Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect the device\u2019s location information based on cellular network or GPS coordinates.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b4735277-516a-4cd2-9607-a3e415945d93", "created": "2020-11-10T17:08:35.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. 
Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:01.547Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can remotely capture device audio.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b477afcb-7449-4fae-b4aa-c512c22d7500", "created": "2020-09-15T15:18:12.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:01.753Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can send SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd", "created": "2021-02-08T16:36:20.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:01.953Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has installed malicious MDM profiles on iOS devices as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f", "created": "2020-12-17T20:15:22.445Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:02.160Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device\u2019s camera.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b536f233-8c43-4671-b8e8-d72a4806946d", "created": "2022-04-05T17:14:23.789Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:02.375Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b53d1c92-b71f-434e-aa4f-08b8db765248", "created": "2019-07-10T15:25:57.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:02.568Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551", "created": "2021-02-08T16:36:20.698Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:02.772Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070", "created": "2020-12-18T20:14:47.302Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:02.974Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used Firebase for C2 communication.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b5f3b110-fc66-4369-89f3-621c945d655f", "created": "2020-04-27T16:52:49.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:03.170Z", "description": "[Triada](https://attack.mitre.org/software/S0424) encrypts data prior to exfiltration.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b610c587-576a-40cc-9f76-6362455c8ff4", "created": "2023-03-20T18:43:01.334Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:03.373Z", "description": "Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b6323cf4-8141-4910-8743-e42cd15b49e9", "created": "2023-07-21T19:53:59.148Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. 
Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:03.569Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can send exfiltrated data back to the C2 server.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b641e5b8-5981-452a-99f0-3598c783e5ee", "created": "2019-08-07T15:57:13.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. 
Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:03.786Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can intercept incoming SMS messages.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b6726136-3c20-4921-a0cb-75a66f59107c", "created": "2020-09-11T16:22:03.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:03.983Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-Obad", "description": "Veo Zhang. (2013, June 13). Cybercriminals Improve Android Malware Stealth Routines with OBAD. 
Retrieved December 9, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:04.181Z", "description": "[OBAD](https://attack.mitre.org/software/S0286) contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.(Citation: TrendMicro-Obad)", "relationship_type": "uses", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b697a198-8949-43e0-b2b8-23498373c920", "created": "2023-03-20T18:37:13.628Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:04.385Z", "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34", "created": "2023-08-23T22:48:11.931Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:04.576Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) 
may prevent application removal by abusing Android\u2019s ` performGlobalAction(int)` API call. ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-DualToy", "description": "Claud Xiao. (2016, September 13). DualToy: New Windows Trojan Sideloads Risky Apps to Android and iOS Devices. Retrieved January 24, 2017.", "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:04.777Z", "description": "[DualToy](https://attack.mitre.org/software/S0315) side loads malicious or risky apps to both Android and iOS devices via a USB connection.(Citation: PaloAlto-DualToy)", "relationship_type": "uses", "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Pegasus", "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. 
Retrieved December 12, 2016.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:04.975Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has the ability to record audio.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b7a31a11-6c84-4c28-a548-4751e4d71134", "created": "2020-05-04T14:04:56.158Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:05.165Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10", "created": "2023-03-03T15:36:15.840Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:05.382Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access device call logs.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87", "created": "2021-01-05T20:16:20.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:05.577Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect device photos and credentials from other applications.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f", "created": "2020-10-29T19:01:13.839Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Microsoft MalLockerB", "description": "D. 
Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:05.786Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) can prevent the user from interacting with the UI by using a carefully crafted \"call\" notification screen. This is coupled with overriding the `onUserLeaveHint()` callback method to spawn a new notification instance when the current one is dismissed. (Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "HackerNews-Allwinner", "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.", "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:05.987Z", "description": "A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) reportedly contained an simple backdoor that could be used to obtain root access. 
It was believed to have been left in the kernel by mistake by the authors.(Citation: HackerNews-Allwinner)", "relationship_type": "uses", "source_ref": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a", "created": "2023-09-28T17:26:10.893Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "kaspersky_fakecalls_0422", "description": "Igor Golovin. (2022, April 11). Fakecalls: a talking Trojan. Retrieved July 21, 2023.", "url": "https://www.kaspersky.com/blog/fakecalls-banking-trojan/44072/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:06.180Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can manipulate a device\u2019s call log, including deleting incoming calls.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b8606318-8c12-4381-ba33-5b2321772ea0", "created": "2022-03-30T20:31:57.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:06.393Z", "description": "Users should be advised to be extra scrutinous of applications that request location or sensitive phone information permissions, and to deny any permissions 
requests for applications they do not recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6", "created": "2025-03-28T15:12:41.595Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:06.578Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have collected and exfiltrated data from WhatsApp and Telegram.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad", "created": "2021-09-24T13:59:11.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:06.780Z", "description": "The user should become familiar with social engineering tactics that ask for Personally Identifiable 
Information (PII). Additionally, the user should include the use of hardware tokens, biometrics, and other non-SMS based authentication mechanisms where possible. Finally, the user should enable SIM swapping protections offered by the mobile carrier, such as setting up a PIN or password to authorize any changes to the account. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98", "created": "2023-09-28T17:39:35.622Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:06.992Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) has used infected applications with Facebook login prompts to steal credentials.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c", "created": "2022-04-01T16:51:20.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:07.185Z", "description": "Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc", "created": "2020-06-02T14:32:31.871Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:07.389Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49", "created": "2020-12-24T22:04:28.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:07.590Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has checked for system root.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51", "created": "2020-12-14T14:52:03.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:07.816Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ba116807-ef1c-4621-84c8-9921fa7b735e", "created": "2023-09-28T17:19:21.499Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:08.004Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can request the `GET_ACCOUNTS` permission to get the list of accounts on the device, and can collect media files.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6", "created": "2020-07-15T20:20:59.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:08.223Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect the device\u2019s location.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae", "created": "2020-11-10T17:08:35.746Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:08.425Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d", "created": "2020-07-15T20:20:59.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:08.626Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can obtain a list of installed applications.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf", "created": "2023-08-09T14:38:34.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:08.819Z", "description": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). 
Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106", "created": "2020-12-14T14:52:03.255Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:09.012Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has stored data embedded in the strings.xml resource file.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf", "created": "2023-03-20T18:59:14.759Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:09.234Z", "description": "Application vetting services can detect unnecessary and 
potentially abused API calls.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630", "created": "2020-07-15T20:20:59.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:09.436Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551", "created": "2025-03-28T14:50:49.769Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", 
"description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:09.664Z", "description": "(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FireEye-RuMMS", "description": "Wu Zhou, Deyu Hu, Jimmy Su, Yong Kang. (2016, April 26). RUMMS: THE LATEST FAMILY OF ANDROID MALWARE ATTACKING USERS IN RUSSIA VIA SMS PHISHING. 
Retrieved February 6, 2017.", "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:09.872Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers device model and operating system version information and transmits it to a command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387", "created": "2023-06-09T19:09:30.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:10.067Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can gather device call logs.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402", "created": "2021-10-01T14:42:49.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:10.271Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect SMS messages.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bba8b056-acbe-4fed-b890-965a446d7a3c", "created": "2022-04-01T18:45:00.923Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:10.474Z", "description": "Users should be warned against granting access to accessibility features and device administration services, and to carefully scrutinize applications that request these dangerous permissions. 
Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af", "created": "2023-01-18T21:20:01.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:10.680Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use HTTP to send C2 messages to infected devices.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735", "created": "2024-03-28T18:32:33.555Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_strongpity", "description": "Dong, Z. et al. 
(2021, July 21). StrongPity APT Group Deploys Android Malware for the First Time. Retrieved March 19, 2023.", "url": "https://www.trendmicro.com/en_za/research/21/g/strongpity-apt-group-deploys-android-malware-for-the-first-time.html"}, {"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:10.879Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate to the C2 server using HTTPS.(Citation: welivesec_strongpity)(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1", "created": "2020-11-24T17:55:12.887Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:11.089Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device\u2019s model, country, and Android version.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:11.287Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via binary SMS.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2", "created": "2023-03-20T18:51:44.864Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:11.511Z", "description": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:11.718Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can copy files from the device to the C2 server.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1", "created": "2023-08-14T16:31:37.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:11.920Z", "description": "Many properly configured firewalls may naturally block command and control traffic.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc79a212-139f-4dce-be72-e90585f38f03", "created": "2023-03-16T18:31:37.091Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:12.115Z", "description": "The user can view their default phone app in device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": 
"attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8", "created": "2019-11-21T16:42:48.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:12.331Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can delete arbitrary files from the device.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bc870a55-5499-4146-91ef-ea74647c3e10", "created": "2023-07-12T20:50:03.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:12.520Z", "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a", "created": "2022-03-30T19:54:43.835Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:12.725Z", "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. ", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19", "created": "2021-02-17T20:43:52.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:12.921Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved account information for other applications.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8", "created": "2022-04-15T15:57:32.958Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:13.123Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can enable app installation from unknown sources.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bd29ce15-1771-470c-a74b-5ea90832ce23", "created": "2020-12-24T22:04:27.911Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:13.331Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected SMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bd351b17-e995-4528-bbea-e1138c51476a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:13.563Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c", "created": "2020-09-11T14:54:16.646Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:13.775Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can hide its icon.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9", "created": "2022-04-01T13:19:41.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:13.962Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1", "created": "2023-01-18T19:13:15.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:14.166Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has code to use Firebase Cloud Messaging for receiving C2 instructions.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f", "created": "2019-09-04T15:38:56.799Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:14.364Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record video.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf", "created": "2023-03-16T18:28:28.144Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:14.552Z", "description": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f", "created": "2023-08-23T22:17:13.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:14.751Z", "description": "Security updates frequently contain patches to vulnerabilities. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be07d829-9a12-4d90-ad8c-9e56782af120", "created": "2023-12-18T19:05:57.050Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:14.942Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can record audio using a device\u2019s microphone.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be136fd1-6949-4de6-be37-6d76f8def41a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:15.138Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests location data from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be17dc63-5b0a-491a-be5f-132058444c3a", "created": "2019-08-09T17:52:13.352Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:15.374Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to take pictures using the device camera.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce", "created": "2019-09-04T14:28:15.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:15.576Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) queries the device for metadata such as make, model, and power levels.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be27a303-5748-4b72-ba69-a328e2f6cc08", "created": "2020-12-31T18:25:05.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:15.773Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can download new modules while running.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be39c012-7201-4757-8cd6-c855bc945a9e", "created": "2019-07-10T15:25:57.623Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. 
(2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:15.972Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b", "created": "2024-03-28T18:33:20.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:16.169Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate encrypted data to the C2 server.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be7c3f83-b164-4d53-bfac-65f7437dabec", "created": "2023-03-20T18:54:36.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:16.372Z", "description": "The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. 
Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137", "created": "2023-09-28T17:20:15.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:16.576Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can access external storage.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c", "created": "2020-06-26T14:55:13.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:16.780Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. [EventBot](https://attack.mitre.org/software/S0478) also utilizes ProGuard to obfuscate the generated APK file.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:16.977Z", "description": "[Charger](https://attack.mitre.org/software/S0323) encodes strings into binary arrays to make it difficult to inspect them. 
It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bee919a6-c488-49a0-9848-fff19aa2c276", "created": "2021-09-24T14:47:34.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:17.175Z", "description": "Mobile security products can often detect rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bef936d5-736e-491a-9c30-37b8362a5d96", "created": "2023-07-21T19:33:48.439Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:17.382Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can access device call logs.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2", "created": "2023-09-28T17:19:51.110Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:17.578Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can access the device\u2019s call log.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf02dea9-17cb-41f8-b362-c3081da81199", "created": "2025-03-28T14:58:01.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 01Jun2023", "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. 
Retrieved April 18, 2024.", "url": "https://securelist.com/operation-triangulation/109842/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:17.780Z", "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors collected device and user information.(Citation: SecureList OpTriangulation 01Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8", "created": "2019-09-04T15:38:56.721Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:17.976Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses root access to establish reboot hooks to re-install the application from `/data/misc/adn`.(Citation: FortiGuard-FlexiSpy) At boot, [FlexiSpy](https://attack.mitre.org/software/S0408) spawns daemons for process monitoring, call monitoring, call managing, and system.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:18.172Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can activate the victim's microphone.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db", "created": "2023-09-21T22:51:40.666Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Scott-Railton_TheCitizenLab Pegasus Apr2022", "description": "Scott-Railton, J., et al. (2022, April 18). Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru. 
Retrieved April 18, 2024.", "url": "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:18.376Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) can compromise iPhones running iOS 16.6 without any user interaction.(Citation: Scott-Railton_TheCitizenLab Pegasus Apr2022)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bf901bab-3caa-4d05-a859-d9fb4d838304", "created": "2019-10-10T15:27:22.091Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:18.570Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses browser history, pictures, and videos.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bfad064a-0a49-44e3-b283-94653edc12af", "created": "2023-08-07T17:13:04.270Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:18.776Z", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962", "created": "2022-03-30T19:54:07.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:18.981Z", "description": "Device attestation could detect devices with unauthorized or unsafe modifications. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0", "created": "2023-03-15T16:39:32.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:19.170Z", "description": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c00031dd-0466-4fd2-9724-ab1c04232bad", "created": "2023-03-20T18:44:40.722Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:19.380Z", "description": "Application vetting services can detect unnecessary and potentially abused API calls.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": 
"relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95", "created": "2019-10-18T15:51:48.525Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:19.570Z", "description": "Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e", "created": "2025-03-24T20:10:08.651Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Shoshin_Kaspersky LightSpy 2020", "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. 
Retrieved February 12, 2025.", "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:19.775Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s GPS location.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c056b1d4-c70b-403e-b396-18840865ca7d", "created": "2024-02-20T23:50:47.088Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:19.978Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device\u2019s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c0f03d23-03d6-4457-b783-792d1b8f2994", "created": "2024-08-20T19:09:27.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mandiant_apt44_unearthing_sandworm", "description": "Roncone, G. et al. (n.d.). APT44: Unearthing Sandworm. 
Retrieved July 11, 2024.", "url": "https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:20.172Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) can collect encrypted Telegram and Signal communications.(Citation: mandiant_apt44_unearthing_sandworm)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c", "created": "2022-04-06T15:52:07.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:20.380Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd", "created": "2020-12-24T21:41:37.047Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:20.582Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c1512591-7440-4a69-93b9-fe439a4c197e", "created": "2022-03-28T19:40:40.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:20.781Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c16c7904-3c85-49de-a0f4-872f4227d775", "created": "2023-10-10T15:33:59.143Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:20.976Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) was embedded into legitimate applications using Smali injection.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6", "created": "2023-07-21T19:36:09.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:21.171Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can take photos using the device cameras.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6", "created": "2024-03-01T18:54:39.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Leonard TAG 2023", "description": "Billy Leonard. (2023, April 19). Ukraine remains Russia\u2019s biggest cyber focus in 2023. 
Retrieved March 1, 2024.", "url": "https://blog.google/threat-analysis-group/ukraine-remains-russias-biggest-cyber-focus-in-2023/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:21.383Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used SMS-based phishing to target victims with malicious links.(Citation: Leonard TAG 2023)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c1cafa91-9891-4e65-b75d-d83ef6838653", "created": "2023-12-18T18:13:02.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cleafy_brata_0122", "description": "Federico Valentini, Francesco Lubatti. (2022, January 24). How BRATA is monitoring your bank account. 
Retrieved December 18, 2023.", "url": "https://www.cleafy.com/cleafy-labs/how-brata-is-monitoring-your-bank-account"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:21.578Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can use tailored overlay pages to steal PINs for banking applications.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd", "created": "2023-03-20T15:40:11.819Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:21.785Z", "description": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c23d9eff-1d4e-479f-a114-acc535540a23", "created": "2023-03-20T18:46:51.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:21.973Z", "description": "Application vetting services can detect unnecessary and potentially abused permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad", "created": "2021-10-01T14:42:49.159Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:22.158Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can utilize the device\u2019s sensors to determine when the device is in use and subsequently hide malicious activity. 
When active, it attempts to hide its malicious activity by turning the screen\u2019s brightness as low as possible and muting the device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae", "created": "2021-02-17T20:43:52.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:22.382Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has gathered the device manufacturer, model, and serial number.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d", "created": "2023-12-18T19:05:04.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:22.570Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can obtain device info such as manufacturer, device ID, OS version, and country.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b", "created": "2023-08-14T16:35:55.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:22.781Z", "description": "Many properly configured firewalls may naturally block one-way command and control traffic.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4", "created": "2020-09-15T15:18:12.362Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:22.981Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396", "created": "2023-03-20T18:40:12.814Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:23.178Z", "description": "The user can view a list of active device administrators in the device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6", "created": "2020-10-29T17:48:27.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:23.391Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device\u2019s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c374c9ce-ff30-4daa-bdec-8015a507746a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:23.585Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has a capability to obtain files from other installed applications.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d", "created": "2023-03-15T16:34:51.794Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:23.783Z", "description": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619", "created": "2023-03-20T18:44:04.803Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:23.978Z", "description": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. 
If the user sees an application they do not recognize, they can remove it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:24.171Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c40cba48-7714-4d03-b748-cadd03360e7a", "created": "2024-02-20T23:55:33.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:24.377Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c41d817e-913e-4574-b8d4-370de9f0034b", "created": "2019-11-18T14:47:25.327Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"}, {"source_name": "Kaspersky Triada March 2016", "description": "Snow, J. (2016, March 3). Triada: organized crime on Android. Retrieved July 16, 2019.", "url": "https://www.kaspersky.com/blog/triada-trojan/11481/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:24.599Z", "description": "[Triada](https://attack.mitre.org/software/S0424) injects code into the Zygote process to effectively include itself in all forked processes. 
Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada March 2016)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77", "created": "2022-04-06T15:52:41.579Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:24.804Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb", "created": "2023-03-20T18:43:03.537Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:24.999Z", "description": "Mobile security products can detect which applications can request device administrator permissions. 
Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76", "created": "2023-03-20T18:42:18.058Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:25.234Z", "description": "The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd", "created": "2020-05-04T14:04:56.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Google Bread", "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . 
Retrieved April 27, 2020.", "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:25.432Z", "description": "[Bread](https://attack.mitre.org/software/S0432) has used native code in an attempt to disguise malicious functionality.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a", "created": "2023-10-10T15:33:57.823Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:25.634Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has masqueraded as a client of popular free ads services.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4", "created": "2020-09-11T15:57:37.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:25.825Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can delete SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c", "created": "2021-01-05T20:16:20.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:26.022Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect the device\u2019s call logs.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:26.240Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687", "created": "2023-10-10T15:33:58.973Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:26.466Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) was embedded into legitimate applications.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c574251b-93ad-4f55-8b84-2700dfab4622", "created": "2020-07-15T20:20:59.280Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:26.681Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can hide its icon on older Android versions.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c", "created": "2019-09-04T15:38:56.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. 
Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:26.873Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can retrieve a list of installed applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429", "created": "2022-04-01T18:51:28.859Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:27.079Z", "description": "Security updates frequently contain patches to vulnerabilities that can be exploited for root access.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2", "created": "2019-11-21T16:42:48.497Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. 
Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:27.280Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can take photos from both the front and back cameras.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33", "created": "2023-03-20T19:00:09.608Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:27.482Z", "description": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081", "created": "2019-09-04T14:28:16.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:27.682Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can track the device's location.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c6464a84-e23b-412f-b435-5b23853d3643", "created": "2020-09-14T13:35:45.909Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:27.879Z", "description": "[Twitoor](https://attack.mitre.org/software/S0302) encrypts its C2 communication.(Citation: ESET-Twitoor)", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler-SuperMarioRun", "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. 
Retrieved January 20, 2017.", "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:28.078Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures call data.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695", "created": "2020-09-11T16:23:16.363Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Desert Scorpion", "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/desert-scorpion-google-play"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:28.296Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can send SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c", "created": "2025-03-24T14:57:15.065Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:28.497Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) can execute an automated phone call.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c6770405-985b-4e24-8b09-01bce16426da", "created": "2024-03-26T16:17:26.152Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:28.709Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects the device\u2019s location through GPS or through network settings.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93", "created": "2023-03-20T18:21:59.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:28.899Z", "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8", "created": "2024-03-26T18:42:43.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"}, {"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:29.098Z", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) sends malicious links to victims to download the masqueraded application.(Citation: sophos_android_apt_spyware)(Citation: checkpoint_hamas_android_malware) ", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f", "created": "2020-06-24T18:24:35.707Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Project Zero Insomnia", "description": "I. Beer. (2019, August 29). Implant Teardown. 
Retrieved June 2, 2020.", "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:29.338Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can extract the device\u2019s keychain.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9", "created": "2023-12-18T19:04:11.534Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:29.540Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can register with the `CONNECTIVITY_CHANGE` and `WIFI_STATE_CHANGED` broadcast events to trigger further functionality.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c773998e-a140-4498-827a-573df96e4331", "created": "2024-03-26T19:29:40.690Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_hamas_android_malware", "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"}, {"source_name": "Cyware APT-C-23 2020", "description": "Cyware. (2020, October 2). APT\u2011C\u201123 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.", "url": "https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4"}, {"source_name": "SentinelLabs AridViper 2023", "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. 
Retrieved December 2, 2024.", "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/"}, {"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:29.761Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) has masqueraded as legitimate messaging applications.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2", "created": 
"2023-03-20T18:48:39.857Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:29.959Z", "description": "On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47", "created": "2023-03-20T15:20:11.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:30.160Z", "description": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. 
Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c", "created": "2024-02-21T22:05:29.733Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:30.367Z", "description": "Ensure that traffic is encrypted to reduce adversaries\u2019 ability to intercept, decrypt and manipulate traffic. ", "relationship_type": "mitigates", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb", "created": "2023-02-06T19:00:42.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:30.578Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access a device's location.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd", "created": "2022-04-01T15:03:02.553Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:30.780Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. 
Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:30.992Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used SMS to receive command and control messages.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0", "created": "2021-10-01T14:42:48.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:31.181Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c86918a3-6e41-4dfb-8b18-650fff596801", "created": "2020-09-11T16:22:03.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:31.408Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c877df57-0b8b-4286-aebb-6cca709638f3", "created": "2025-03-24T15:00:09.464Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:31.611Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the Tencent Push Notification Service to receive commands from the C2 server.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c89d6493-3f33-4568-ac77-ba13b206ae69", "created": "2023-03-20T18:52:24.667Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:31.823Z", "description": "The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f", "created": "2020-06-26T15:12:40.100Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET DEFENSOR ID", "description": "L. Stefanko. (2020, May 22). 
Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:32.029Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the `android.accessibilityservice.AccessibilityService` intent.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee", "created": "2023-12-18T18:16:16.811Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:32.242Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has been distributed using phishing techniques, such as push notifications from compromised websites.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059", "created": "2023-03-20T18:51:23.032Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:32.433Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9", "created": "2022-03-28T19:32:05.234Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:32.631Z", "description": "Application developers should be cautious when selecting third-party libraries to integrate into their application.", "relationship_type": "mitigates", "source_ref": 
"course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c943d462-fea7-4c01-88b2-de134153095b", "created": "2023-03-20T18:56:37.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:32.821Z", "description": "Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31", "created": "2022-04-06T13:41:17.517Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:33.030Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140", "created": "2023-09-25T19:54:37.211Z", "created_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:33.285Z", "description": "When devices are enrolled in an EMM/MDM using device owner (iOS) or fully managed (Android) mode, the EMM/MDM can collect a list of installed applications on the device. An administrator can then act on, for example blocking, specific remote access applications from being installed on managed devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:33.541Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2", "created": "2020-09-15T15:18:12.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:33.732Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device\u2019s network information.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1", "created": "2024-02-21T21:05:12.760Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:33.923Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106", "created": "2023-03-15T16:26:38.465Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:34.113Z", "description": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca486783-9413-4f39-8d2f-3adcb3e79127", "created": "2020-12-24T21:55:56.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). 
Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:34.329Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used an AES encrypted file in the assets folder with an unsuspecting name (e.g. \u2018GoogleMusic.png\u2019) for holding configuration and C2 information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e", "created": "2019-09-23T13:36:08.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:34.529Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects the device's IMEI and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca568149-9971-4d15-b3db-ff7dabd49695", "created": "2023-07-21T19:37:16.030Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:34.721Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can capture keystrokes.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59", "created": "2020-11-24T18:18:33.743Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:34.918Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used web injects to capture users\u2019 credentials.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506", "created": "2020-11-20T16:37:28.567Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:35.106Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has encrypted exfiltrated data using AES in ECB mode.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cacc0b72-9d73-4381-90e9-545ba908722c", "created": "2019-09-15T15:35:33.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:35.344Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) injects the global action `GLOBAL_ACTION_BACK` to mimic pressing the back button to close the application if a call to an open antivirus application is detected.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cb5465c0-a577-45b1-becf-305e0bd47497", "created": "2023-08-23T22:49:18.075Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:35.558Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) may prevent malware's uninstallation by abusing Android\u2019s ` performGlobalAction(int)` API call.", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f", "created": "2023-07-21T19:42:12.649Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). 
Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:35.771Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can inject malicious packages into applications already existing on an infected device.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c", "created": "2022-04-01T18:48:03.156Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:35.965Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985", "created": "2023-08-04T18:34:07.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:36.156Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate compressed ZIP files containing gathered info to C2 infrastructure.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1", "created": "2020-10-29T17:48:27.175Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:36.379Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can lock the device with a password and permanently disable the screen.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cbf17fea-141e-44b8-831c-b3cc41066420", "created": "2021-01-20T16:01:19.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. 
Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:36.582Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can download attacker-specified APK files.(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cc0b8984-f561-4453-a2be-9be8bd62561e", "created": "2023-09-28T17:21:45.855Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:36.811Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can monitor a device\u2019s notifications.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cc345ae4-0d60-4f21-98b3-596c15118745", "created": "2023-02-06T19:42:46.814Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:37.008Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can send SMS messages.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a", "created": "2019-11-21T19:16:34.796Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint SimBad 2019", "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. 
Retrieved November 21, 2019.", "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:37.234Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) hides its icon from the application launcher.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398", "created": "2024-02-20T23:48:31.513Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:37.446Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cc49561f-8364-4908-9111-ad3a6dcd922c", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:37.639Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d", "created": "2021-02-08T16:36:20.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:37.853Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. Further, in Operation BULL, encryption keys were stored within the application\u2019s launcher icon file.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cc81b56c-cf73-4307-b950-e80246985195", "created": "2019-10-18T14:50:57.473Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:38.068Z", "description": "OS security updates typically contain exploit patches when disclosed.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ccb6f906-a785-4695-91a5-f1bc210892dc", "created": "2023-08-04T18:35:55.269Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. 
(2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:38.273Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate collected data as a ZIP file.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cce1848e-5f32-429a-8c9d-e32367052675", "created": "2024-03-26T16:15:44.920Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "blackberry_mobile_malware_apt_esp", "description": "BlackBerry Research and Insights Team. (n.d.). Mobile Malware and APT Espionage. Retrieved March 1, 2024.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf"}, {"source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:38.472Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) masquerades as legitimate applications.(Citation: forcepoint_bitter)(Citation: blackberry_mobile_malware_apt_esp) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cce49043-52b0-407c-b4f0-0f4727351d4b", "created": "2024-01-26T17:36:52.812Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:38.687Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) requests overlay permissions, which can allow it to create fake Login screens for other apps.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c", "created": "2019-12-10T16:07:41.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:38.888Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) attempts to gain root access by using local exploits.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cce82a76-5390-473d-9e7c-9450d1509d1d", "created": "2020-07-15T20:20:59.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:39.084Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can download its second (Loader) and third (Core) stages after the dropper is installed.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac", "created": "2020-01-27T17:05:58.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:39.286Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s battery level, network operator, connection information, sensor information, and information about the device\u2019s storage and memory.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328", "created": "2022-03-30T19:34:09.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:39.485Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2", "created": "2025-03-24T20:28:22.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:39.725Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has a plugin that can take screenshots.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd440baa-9989-486e-b34b-d9469ffc79a5", "created": "2024-03-26T19:35:37.865Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:39.923Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can take record and take screenshots of the victim device.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware) ", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:40.119Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests contact lists from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3", "created": "2020-01-27T17:05:58.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:40.333Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of running processes.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd7a2294-1e14-42e8-b870-d99d73443b88", "created": "2022-04-01T12:37:42.068Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:40.532Z", "description": "Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3", "created": "2025-03-28T14:52:26.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:40.734Z", "description": "(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", "target_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c", "created": "2023-03-20T18:51:29.814Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:40.921Z", "description": "Application vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca", "created": "2023-03-20T18:58:19.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:41.112Z", "description": "Google sends a notification to the device when Android Device Manager is used to locate it. 
Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cda58372-ae70-4716-8baf-cc06cb884ad6", "created": "2020-12-24T22:04:28.015Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:41.340Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of installed application names.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357", "created": "2020-12-17T20:15:22.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:41.568Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can track the device\u2019s location.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cde60121-3d7c-47c8-abeb-582854425599", "created": "2020-07-20T13:27:33.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. 
Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:41.775Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can update the running malware.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cdf06664-903e-499b-86b4-b7bcce3c0740", "created": "2023-09-28T17:20:27.451Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:41.963Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can modify, send, and delete SMS messages.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625", "created": "2022-03-31T16:33:55.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:42.158Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef", "created": "2020-07-27T14:14:56.993Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Security Zen", "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . 
Retrieved July 27, 2020.", "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:42.382Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b", "created": "2023-03-20T15:56:47.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:42.577Z", "description": "The user can see which applications are registered as device administrators in the device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce645a25-160f-443d-b288-fdd108b78a06", "created": "2020-09-11T16:22:03.269Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:42.797Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s call log.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe", "created": "2017-10-25T14:48:53.746Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:43.003Z", "description": "A locked bootloader could prevent unauthorized modifications to protected operating system files. ", "relationship_type": "mitigates", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd", "created": "2019-07-10T15:35:43.699Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:43.234Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) captures audio from the device microphone.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cea30219-a255-43ae-b731-9512c5044523", "created": "2022-04-18T19:46:02.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:43.428Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c", "created": "2020-01-27T17:05:58.273Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:43.626Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record audio and phone calls.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a", "created": "2019-08-09T17:53:48.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:43.821Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can capture photos using the front and back cameras.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c", "created": "2023-09-28T17:21:26.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:44.026Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can use VNC to remotely control an infected device.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca", "created": "2019-09-03T19:45:48.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:44.290Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two collects a list of nearby base stations.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263", "created": "2023-03-15T16:23:59.107Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:44.484Z", "description": "When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf696296-751a-41e5-a9b0-907c7b991b2a", "created": "2023-09-22T19:14:54.719Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:44.688Z", "description": "Application vetting services may detect API calls for deleting files. 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8", "created": "2024-02-20T23:57:43.867Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:44.893Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5", "created": "2023-07-12T20:35:36.527Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:45.090Z", "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.", "relationship_type": "mitigates", "source_ref": 
"course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-WUC", "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:45.286Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole contact list data stored both on the the phone and the SIM card.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d01b311d-8741-4b58-b127-88fecb2b0544", "created": "2020-04-08T15:41:19.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:45.493Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has a keylogger that works in every application installed on the device.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d056308f-dca7-493e-b152-6f77fa13155d", "created": "2023-12-18T18:17:05.285Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist_brata_0819", "description": "Securelist. (2019, August 29). Fully equipped Spying Android RAT from Brazil: BRATA. 
Retrieved December 18, 2023.", "url": "https://securelist.com/spying-android-rat-from-brazil-brata/92775/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:45.718Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has collected account information from compromised devices.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e", "created": "2023-09-21T19:37:30.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:45.915Z", "description": "Some mobile security products offer a loopback VPN used for inspecting traffic. 
This could proactively block traffic to websites that are known for phishing or appear to be conducting a phishing attack.", "relationship_type": "mitigates", "source_ref": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad", "created": "2022-04-05T19:45:03.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:46.102Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2", "created": "2020-09-11T15:53:38.453Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:46.323Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can automatically reply to SMS messages, and optionally delete them.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b", "created": "2020-12-24T21:45:56.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:46.512Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has access to the device\u2019s location.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d", "created": "2020-01-21T15:30:39.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:46.718Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can download attacker-specified files.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d1318f71-7f70-4820-a3fc-0d05af038733", "created": "2021-10-01T14:42:49.154Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:46.914Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can perform actions when one of two hardcoded magic SMS strings is received.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d13724d0-a5e2-433b-86bf-ead04359edec", "created": "2022-04-01T15:13:10.022Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "iOS Universal Links", "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.", "url": "https://developer.apple.com/ios/universal-links/"}, {"source_name": "Android App Links", "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.", "url": "https://developer.android.com/training/app-links/verify-site-associations"}, {"source_name": "IETF-PKCE", "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016.", "url": "https://tools.ietf.org/html/rfc7636"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:47.125Z", "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. 
Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. ", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d170a088-b115-4a86-b093-8aa32666a470", "created": "2023-03-15T16:39:55.148Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:47.377Z", "description": "On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3", "created": "2023-02-28T20:31:31.983Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:47.583Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can intercept SMS messages and USSD messages from Telcom operators.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e", "created": "2023-09-22T19:15:22.670Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:47.781Z", "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e", "created": "2019-09-03T19:45:48.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. 
(2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:47.971Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract the GPS coordinates of the device.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc", "created": "2019-09-04T14:28:15.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:48.170Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve calendar event information including the event name, when and where it is taking place, and the description.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3", "created": "2025-03-27T22:48:46.526Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:48.377Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has collected the device\u2019s phone number and IMEI.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d2749285-47d9-44a4-962f-9215e6fb580e", "created": "2020-10-29T17:48:27.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:48.567Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can access the device\u2019s contact list.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38", "created": "2022-04-01T18:43:25.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:48.785Z", "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d300eb82-5ca0-48aa-a45f-d34242545e27", "created": "2022-03-30T15:08:28.814Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:48.983Z", "description": "Device attestation could detect unauthorized operating system modifications. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d32003ba-959b-4377-aa04-f75275c32abf", "created": "2019-07-16T14:33:12.144Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:49.173Z", "description": "[Triada](https://attack.mitre.org/software/S0424) utilized HTTP to exfiltrate data through POST requests to the command and control server.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb", "created": "2020-09-11T16:22:03.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:49.370Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s cell tower information.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c", "created": "2023-10-10T15:33:58.621Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:49.571Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) masquerades as local postal service applications.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc", "created": "2024-02-21T20:50:38.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro Coronavirus Updates", "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:49.776Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3d901d7-1ddd-476c-af65-15a1affc422f", "created": "2024-03-26T19:03:58.841Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:49.981Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can capture pictures and videos.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3e06522-2a30-4d56-801e-9461178b80ce", "created": "2021-01-05T20:16:20.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:50.180Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can hide its icon after launch.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0", "created": "2023-02-06T19:42:34.537Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:50.375Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can resist removal by going to the home screen during uninstall.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86", "created": "2023-03-20T15:16:43.275Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Samsung Knox Mobile Threat Defense", "description": "Samsung Knox Partner Program. (n.d.). Knox for Mobile Threat Defense. 
Retrieved March 30, 2022.", "url": "https://partner.samsungknox.com/mtd"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:50.562Z", "description": "Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d4154247-90ce-43b9-8c17-5c28f67617f5", "created": "2020-12-24T21:55:56.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:50.781Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed browser history, as well as the files for 15 other apps.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be", "created": "2024-02-21T00:01:21.483Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:50.978Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c", "created": "2023-03-03T16:24:30.564Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:51.173Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hijacked normal application\u2019s launch routines to display ads.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558", "created": "2025-03-12T22:10:11.013Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). 
Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:51.392Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has been distributed via email, SMS and other messaging applications.(Citation: Promon FjordPhantom Oct2024) ", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d4a5a902-231e-4878-ad5b-39620498b018", "created": "2019-09-04T14:28:15.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:51.581Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record audio from the device's microphone and can record phone calls, specifying the output audio quality.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c", "created": "2020-12-18T20:14:47.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:51.771Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device\u2019s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Xiao-ZergHelper", "description": "Claud Xiao. (2016, February 21). Pirated iOS App Store\u2019s Client Successfully Evaded Apple iOS Code Review. 
Retrieved December 12, 2016.", "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:51.964Z", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) attempts to extend its capabilities via dynamic updating of its code.(Citation: Xiao-ZergHelper)", "relationship_type": "uses", "source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb", "created": "2023-03-20T18:58:14.140Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:52.157Z", "description": "The user can review which applications have location permissions in the operating system\u2019s settings menu.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078", "created": "2023-08-04T18:32:39.763Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:52.374Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can access a device\u2019s camera and take photos.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d562ed4d-ac4d-476b-872e-9e228c580889", "created": "2020-11-20T16:37:28.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Symantec GoldenCup", "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. 
Retrieved October 29, 2020.", "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:52.596Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can obtain a list of installed applications.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a", "created": "2020-11-10T17:08:35.713Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:52.804Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can collect notes and data from the MiCode app.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d59da983-c521-47b6-83ab-435f7d58611d", "created": "2019-11-21T16:42:48.493Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}, {"source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:53.002Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP requests for C2 communication.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a", "created": "2023-03-03T16:25:09.978Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:53.324Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.(Citation: paloalto_yispecter_1015) ", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5", "created": "2020-11-24T17:55:12.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:53.517Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the user\u2019s browser cookies.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d63de13b-0253-42f4-b13d-34bccf76ad94", "created": "2023-03-20T18:54:50.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:53.720Z", "description": "Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898", "created": "2019-09-04T14:28:16.414Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:53.910Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve call history.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d64c4924-76f0-4b2e-858d-b0df733334d0", "created": "2023-02-06T19:03:11.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:54.100Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can modify system settings to give itself device administrator privileges.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71", "created": "2022-03-30T20:53:54.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:54.322Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7", "created": "2023-03-20T15:16:28.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:54.530Z", "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": 
"x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d6be8665-afbb-4be5-a56a-493af01b120a", "created": "2022-03-30T15:52:29.935Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:54.724Z", "description": "Mobile security products can potentially detect jailbroken or rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4", "created": "2021-02-17T20:43:52.413Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:54.933Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has compressed and encrypted data before exfiltration using password protected .7z archives.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55", "created": "2020-04-24T17:46:31.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:55.133Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can steal pictures from the device.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383", "created": "2022-04-05T20:17:46.149Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:55.370Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5", "created": "2023-03-20T18:50:21.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:55.563Z", "description": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or 
`NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0", "created": "2020-12-24T21:55:56.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:55.786Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d716163d-2492-4088-9235-b2310312ba27", "created": "2022-04-06T15:44:48.422Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": 
"2025-04-16T21:51:55.980Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d71fab20-a56c-4404-a65d-aaa37056f16e", "created": "2022-04-01T15:16:16.027Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro iOS URL Hijacking", "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:56.181Z", "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d724bcf3-25d2-406a-b612-333fea5e2385", "created": "2020-10-29T17:48:27.440Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:56.381Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can show phishing popups when a targeted application is running.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2", "created": "2022-04-08T16:29:55.322Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:56.575Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d7aa436a-e66d-4217-be66-4414703dec07", "created": "2020-11-10T17:08:35.634Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:56.779Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:56.975Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to modify the device's system partition.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d7ca70d4-2006-4252-b243-e52be760e24d", "created": "2022-04-01T13:26:39.773Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:57.175Z", "description": "Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1", "created": "2019-09-04T15:38:56.809Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:57.367Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can delete data from a compromised device.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8", "created": "2025-03-24T14:51:50.965Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. 
Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:57.566Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has collected device network information, such as the IMEI and the phone number.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37", "created": "2020-05-07T15:24:49.583Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:57.773Z", "description": "Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:57.960Z", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can exploit unfixed vulnerabilities in older Android versions to root victim phones.(Citation: ArsTechnica-HummingBad)", "relationship_type": "uses", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157", "created": "2023-08-23T22:18:21.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:58.150Z", "description": "Network traffic analysis may reveal processes communicating with malicious domains. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d886f368-a38b-4cb3-906f-9b284f58b369", "created": "2019-12-10T16:07:41.066Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList DVMap June 2017", "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. 
Retrieved December 10, 2019.", "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:58.371Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) decrypts executables from archive files stored in the `assets` directory of the installation binary.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab", "created": "2020-09-11T16:22:03.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:58.575Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect and record audio content.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:58.778Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7", "created": "2020-12-14T15:02:35.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. 
Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:58.972Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has encrypted C2 communications using Base64-encoded RC4.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9", "created": "2024-01-26T17:37:34.983Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:59.158Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) can hide its application icon.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d995dfff-e4b2-4e07-8e76-b064354f591a", "created": "2022-04-01T12:49:32.365Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:59.378Z", "description": "Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b", "created": "2020-11-24T18:18:33.772Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:59.567Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can request device administrator permissions.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--d9c63320-5855-42dc-8cd5-595755495259", "created": "2025-03-12T22:10:57.369Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Promon FjordPhantom Oct2024", "description": "Promon Security Research Team. (2024, October 1). 
Retrieved February 19, 2025.", "url": "https://promon.io/security-news/fjordphantom-android-malware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:59.785Z", "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has used the hooking framework in a variety of ways, including returning false information to detection mechanisms, pretending that GooglePlayServices are unavailable, and manipulating UI functionality.(Citation: Promon FjordPhantom Oct2024) ", "relationship_type": "uses", "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--da424f3f-8a93-4a66-858c-b33f587108e6", "created": "2020-10-29T17:48:27.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:51:59.991Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device\u2019s country and carrier name.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:00.181Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record location.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa", "created": "2023-08-14T16:19:34.080Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "unit42_strat_aged_domain_det", "description": "Chen, Z. et al. (2021, December 29). Strategically Aged Domain Detection: Capture APT Attacks With DNS Traffic Trends. Retrieved July 31, 2023.", "url": "https://unit42.paloaltonetworks.com/strategically-aged-domain-detection/"}, {"source_name": "Data Driven Security DGA", "description": "Jacobs, J. (2014, October 2). Building a DGA Classifier: Part 2, Feature Engineering. 
Retrieved February 18, 2019.", "url": "https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:00.380Z", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852", "created": "2023-09-28T17:22:13.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:00.579Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can collect sensitive information, such as Google Authenticator codes.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--db1201f0-f925-4c3c-8673-7524a8c20886", "created": "2021-02-17T20:43:52.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout FrozenCell", "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. 
Retrieved November 11, 2020.", "url": "https://blog.lookout.com/frozencell-mobile-threat"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:00.772Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has recorded calls.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a", "created": "2020-01-27T17:05:58.265Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:00.969Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s call log.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:01.156Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff", "created": "2023-09-21T22:31:55.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:01.375Z", "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce", "created": "2023-12-18T19:08:25.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesecurity_ahrat_0523", "description": "Lukas Stefanko. (2023, May 23). Android app breaking bad: From legitimate screen recording to file exfiltration within a year. 
Retrieved December 18, 2023.", "url": "https://www.welivesecurity.com/2023/05/23/android-app-breaking-bad-legitimate-screen-recording-file-exfiltration/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:01.562Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can send SMS messages.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dbef53a9-f9c4-4582-8e93-349ad488de12", "created": "2023-02-28T21:42:06.525Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cloudmark_tanglebot_0921", "description": "Felipe Naves, Andrew Conway, W. Stuart Jones, Adam McNeil . (2021, September 23). TangleBot: New Advanced SMS Malware Targets Mobile Users Across U.S. and Canada with COVID-19 Lures. 
Retrieved February 28, 2023.", "url": "https://www.cloudmark.com/en/blog/malware/tanglebot-new-advanced-sms-malware-targets-mobile-users-across-us-and-canada-covid-19"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:01.800Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view call logs.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97", "created": "2023-02-06T19:06:37.359Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. 
Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:02.004Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can receive files from the C2 at runtime.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dc354395-cccf-471a-9335-8538ce20f1ec", "created": "2023-07-21T19:33:28.471Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:02.237Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate SMS logs.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357", "created": "2019-07-10T15:25:57.572Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:02.447Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) captures and exfiltrates SMS messages.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dc70704a-54b3-4000-8c55-4919044de5c0", "created": "2024-03-26T19:03:10.647Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:02.636Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can exfiltrate the victim device\u2019s contact list.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dc7ef843-a073-4e23-b717-c505d4863b02", "created": "2023-03-20T18:53:58.856Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:02.835Z", "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962", "created": "2019-09-23T13:36:08.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:03.022Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, [Rotexy](https://attack.mitre.org/software/S0411) periodically switches off the phone screen to inhibit permission removal.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23", "created": "2023-07-21T19:37:42.022Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:03.239Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can retrieve the list of installed applications.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8", "created": "2023-01-18T19:58:00.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:03.431Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use RC4 to encrypt C2 payloads.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b", "created": "2020-07-15T20:20:59.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:03.629Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used domain generation algorithms.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ddca1254-b404-4850-9566-0be35c6d7564", "created": "2020-11-10T17:08:35.771Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:03.843Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device\u2019s SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e", "created": "2022-03-30T19:29:07.379Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:04.037Z", "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--de45db46-2251-4a29-b4d7-3fcf679e9484", "created": "2019-09-04T15:38:56.877Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. 
Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}, {"source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", "url": "https://www.flexispy.com/en/features-overview.htm"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:04.281Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can intercept SMS and MMS messages as well as monitor messages for keywords.(Citation: CyberMerchants-FlexiSpy)(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--de4ecfa3-fa91-4377-810c-5c567de9688b", "created": "2021-01-05T20:16:20.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:04.482Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can delete attacker-specified files.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6", "created": "2022-04-05T19:54:12.660Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:04.703Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--de7e3a71-1152-481c-8e5c-88f53852cab6", "created": "2022-04-01T15:16:53.239Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:04.911Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, 
"x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5", "created": "2025-03-24T17:49:37.281Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "FirshSecureList LightSpy 2020", "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:05.119Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has the ability to take one picture, continuous pictures or event-related pictures using the device\u2019s camera.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) For iOS devices, the default file type for pictures is in High Efficiency Image Format (HEIC); for Android devices, the default file type for pictures is in JPEG format. ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--def81edd-4410-47b2-a80f-d47b3f353f54", "created": "2023-03-16T18:27:42.656Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:05.390Z", "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df036f55-f749-4dad-9473-d69535e0f98d", "created": "2020-06-26T14:55:13.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:05.587Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to record the screen PIN.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df07166f-917e-4bc4-899e-d689d1d3f785", "created": "2023-10-10T15:33:58.104Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:05.831Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. [Agent Smith](https://attack.mitre.org/software/S0440)'s dropper is a weaponized legitimate Feng Shui Bundle.(Citation: CheckPoint Agent Smith) ", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--df337ad4-c88e-425f-b869-ecac29674bf4", "created": "2021-03-25T16:39:40.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. 
Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:06.031Z", "description": "(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a", "created": "2023-12-18T18:14:41.248Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "mcafee_brata_0421", "description": "Fernando Ruiz. (2021, April 12). BRATA Keeps Sneaking into Google Play, Now Targeting USA and Spain. Retrieved December 18, 2023.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/brata-keeps-sneaking-into-google-play-now-targeting-usa-and-spain/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:06.270Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has utilized commercial software packers.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). 
Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:06.465Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has the capability to exploit several known vulnerabilities and escalate privileges.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b", "created": "2023-12-05T22:17:58.874Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:06.681Z", "description": "Mobile security products can potentially detect if a device is vulnerable to a known exploit and can alert the user to update their device. ", "relationship_type": "mitigates", "source_ref": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5", "created": "2020-04-08T15:41:19.445Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Anubis", "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. 
Retrieved January 20, 2021.", "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html"}, {"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:06.882Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the C2 address from Twitter and Telegram.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea", "created": "2023-02-06T19:45:58.793Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:07.077Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use the open-source project RetroFit for C2 communication.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e012da15-7669-4764-ad9d-8a1d817bcca9", "created": "2023-03-20T18:23:04.068Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:07.279Z", "description": "Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e03b0eb5-32c6-4867-9235-77fe32192983", "created": "2019-09-04T15:38:56.916Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). 
FlexSpy Application Analysis. Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:07.473Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can track the device's location.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e03b25b0-0779-48da-b5d7-28f1f6106363", "created": "2020-12-24T22:04:27.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:07.688Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken screenshots.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8", "created": "2020-09-24T15:34:51.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:07.881Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can record audio and outgoing calls.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e", "created": "2023-03-03T16:25:52.931Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. 
(2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:08.073Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about installed applications.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler-SpyNote", "description": "Shivang Desai. (2017, January 23). SpyNote RAT posing as Netflix app. 
Retrieved January 26, 2017.", "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:08.270Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can read SMS messages.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e0f58ab7-b246-4c41-9afc-89b582590809", "created": "2020-12-18T20:14:47.374Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:08.469Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can download additional modules at runtime via JavaScript `eval` statements.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e135cefa-f019-479d-86eb-438972df73e0", "created": "2019-09-04T15:38:56.702Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. 
Retrieved September 10, 2019.", "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:08.681Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) installs boot hooks into `/system/su.d`.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36", "created": "2023-03-20T18:41:31.300Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:08.872Z", "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e1fc106e-1671-4103-b767-47b52c9b0742", "created": "2024-03-28T18:29:52.969Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:09.077Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to access the device\u2019s location.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb", "created": "2023-10-10T15:33:58.272Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:09.281Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has masqueraded as an Android security application.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e245e45a-71a8-408d-8f32-7b7337bffc26", "created": "2023-01-18T19:19:58.007Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_drinik_1022", "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:09.474Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can hide its application icon.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056", "created": "2020-12-24T22:04:27.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:09.704Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has extracted messages from chat programs, such as WeChat.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e29d91f0-ebee-481d-9344-702c90775109", "created": "2020-05-07T15:33:32.928Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:09.894Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can inject fraudulent ad modules into existing applications on a device.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e2ee6825-43c2-441f-ba96-404a330a9059", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint-Charger", "description": "Oren Koriat and Andrey Polkovnichenko. (2017, January 24). Charger Malware Calls and Raises the Risk on Google Play. 
Retrieved January 24, 2017.", "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:10.104Z", "description": "[Charger](https://attack.mitre.org/software/S0323) steals contacts from the victim user's device.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e", "created": "2024-01-26T17:34:10.524Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. 
Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:10.328Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) can automatically send replies to a user\u2019s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb", "created": "2020-11-10T17:08:35.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:10.527Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used specially crafted SMS messages to control the target device.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8", "created": "2023-03-01T22:18:19.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:10.724Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can send contact lists to its C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e35b013b-89e8-41b3-a518-7737234ab71b", "created": "2020-01-27T17:05:58.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:10.920Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can take screenshots.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e39ee008-74d1-4669-b515-4d2bb97968c1", "created": "2024-02-20T23:49:23.124Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:11.125Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e3a961ec-8184-4143-b8c2-c33ea0503678", "created": "2020-09-24T15:34:51.315Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Dendroid", "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. 
Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:11.340Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can take photos and record videos.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e3beb58a-2603-451e-a907-1a3823a90197", "created": "2025-03-27T22:47:12.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:11.537Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has deleted crash logs which may have been created during the initial exploitation phase stored in `/private/var/mobile/Library/Logs/CrashReporter`.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e3d04885-95a5-47cb-a038-b58542cf787d", "created": "2019-09-03T19:45:48.487Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:11.734Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate the call log.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e4019493-bd52-4011-9355-8902be6ff3f3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:11.954Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) registers the broadcast receiver to listen for events related to device boot-up.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a", "created": "2024-02-20T22:05:26.922Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:12.152Z", "description": "[Conceal Multimedia Files](https://attack.mitre.org/techniques/T1628/003) likely should not be mitigated with preventative controls because the `.nomedia` file may be used legitimately. ", "relationship_type": "mitigates", "source_ref": "course-of-action--76a32151-5233-465f-a607-7e576c62c932", "target_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e4451543-136b-4fe2-a8e2-d005db705aa2", "created": "2025-04-14T18:09:08.678Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). 
The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:12.378Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) collects device information, including the phone number, IMEI, CPU details, screen specifications, and memory information.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e457921c-4a0b-4d6e-92e7-553929ddf943", "created": "2023-02-06T18:51:14.919Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:12.586Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can download and install additional malware after initial infection.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717", "created": "2024-02-21T20:54:12.536Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:12.779Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532", "created": "2023-02-06T19:46:43.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "threatfabric_sova_0921", "description": "ThreatFabric. (2021, September 9). S.O.V.A. - A new Android Banking trojan with fowl intentions. 
Retrieved February 6, 2023.", "url": "https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:12.975Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has included adversary-in-the-middle capabilities.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8", "created": "2023-03-20T18:56:24.246Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:13.171Z", "description": "Application vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e50c605a-0cdf-4316-bb49-2deccc69143f", "created": "2024-03-26T16:19:01.439Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "forcepoint_bitter", "description": "Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. 
Retrieved March 1, 2024.", "url": "https://web.archive.org/web/20220706125432/https://www.forcepoint.com/blog/x-labs/bitter-targeted-attack-against-pakistan"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:13.377Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) can make phone calls.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6", "created": "2020-09-14T13:35:45.911Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ESET-Twitoor", "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. 
Retrieved December 22, 2016.", "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:13.572Z", "description": "[Twitoor](https://attack.mitre.org/software/S0302) can be controlled via Twitter.(Citation: ESET-Twitoor)", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a", "created": "2025-04-14T16:50:39.750Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:13.769Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) uses the embedded `time_waste` function to bypass standard iOS API restrictions and enable unauthorized audio/video recording. 
This exploit injects a `.dylib` into the `SpringBoard` process, allowing persistent access to audio and video capture.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030", "created": "2024-03-26T19:34:37.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "sophos_android_apt_spyware", "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"}, {"source_name": "threatpost AndroidSpyware 2020", "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/"}, {"source_name": "welivesecurity_apt-c-23", "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:13.968Z", "description": "[SpyC23](https://attack.mitre.org/software/S1195) can read and exfiltrate SMS messages.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)", "relationship_type": "uses", "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e5922453-d9b1-472b-b947-b1eaa426a32e", "created": "2024-02-20T23:46:46.698Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:14.159Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb", "created": "2020-12-24T22:04:28.024Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:14.397Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e5e4567e-05a3-4d79-beab-191efc336473", "created": "2020-01-27T17:05:58.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:14.593Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e682fd05-a55e-447c-9de1-788cf061ba70", "created": "2025-03-24T20:08:36.103Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:14.802Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has sent and deleted SMS messages.(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3", "created": "2023-03-16T13:32:02.290Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:15.008Z", "description": "Android applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.\n\nIn both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. 
", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39", "created": "2020-12-14T15:02:35.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:15.255Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect SMS messages as they are received.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208", "created": "2020-07-20T13:27:33.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos-WolfRAT", "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:15.445Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can receive system notifications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e7af5be1-721f-40c5-b647-659243a0a14b", "created": "2020-04-08T15:41:19.321Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cofense Anubis", "description": "M. Feller. (2020, February 5). Infostealer, Keylogger, and Ransomware in One: Anubis Targets More than 250 Android Applications. 
Retrieved September 25, 2024.", "url": "https://web.archive.org/web/20231222134431/https://cofense.com/blog/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:15.666Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can record phone calls and audio.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac", "created": "2020-06-26T15:32:25.060Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:15.864Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can uninstall itself from a device on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e7b7e813-4867-46fe-bf86-6f367553d765", "created": "2019-11-21T16:42:48.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}, {"source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:16.052Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:16.270Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses contact list information.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e8768455-4d0c-4e3c-a901-1fc871227745", "created": "2022-03-30T17:54:56.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:16.476Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "NYTimes-BackDoor", "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:16.688Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted call logs.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e889782a-f66b-448e-a466-e55b1bce7b64", "created": "2023-02-28T20:38:25.598Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:16.873Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) has encrypted C2 message bodies with RSA and encoded them in base64.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f", "created": "2024-02-20T23:46:03.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:17.073Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card information, and Wi-Fi information.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d", "created": "2020-12-17T20:15:22.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. 
Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:17.283Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device\u2019s contact list.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e928c0ce-2b98-4af5-a990-f690f4306681", "created": "2023-03-20T18:43:46.070Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:17.470Z", "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b", "created": "2023-09-28T17:21:15.893Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:17.682Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can collect application keylogs.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7", "created": "2019-08-07T15:57:13.388Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Kaspersky Riltok June 2019", "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", "url": "https://securelist.com/mobile-banker-riltok/91374/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:17.876Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. 
It can also close or minimize targeted antivirus applications and the device security settings screen.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb", "created": "2020-12-17T20:15:22.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Palo Alto HenBox", "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:18.071Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can load additional Dalvik code while running.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e9b262ba-1c32-40b3-8622-121b30d6df50", "created": "2019-10-10T15:14:57.378Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:18.275Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e", "created": "2020-12-24T21:55:56.745Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:18.502Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the list of installed apps.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:18.719Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates details of the victim device operating system and manufacturer.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc", "created": "2023-03-20T18:49:38.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:18.914Z", "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7", "created": "2020-11-24T17:55:12.822Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:19.114Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request the device\u2019s location.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb052029-e1c9-4f24-8594-299aaec7f1df", "created": "2020-12-14T14:52:03.351Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:19.328Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device\u2019s call log.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93", "created": "2020-09-11T15:50:18.937Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:19.530Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can send SMS messages.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-XLoader", "description": "Lorin Wu. (2018, April 19). XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing. 
Retrieved July 6, 2018.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:19.725Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) requests Android Device Administrator access.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5", "created": "2022-04-06T15:47:06.163Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:19.918Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa", "created": "2023-07-14T19:11:45.176Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:20.122Z", "description": "Unexpected behavior from an application could be an indicator of masquerading.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": 
"attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041", "created": "2017-10-25T14:48:53.742Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:20.326Z", "description": "Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eb784dcf-4188-47e2-9217-837b262acfb9", "created": "2022-04-01T18:43:01.860Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:20.523Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3", "created": "2023-02-06T19:01:39.599Z", 
"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_abstractemu_1021", "description": "P Shunk, K Balaam. (2021, October 28). Rooting Malware Makes a Comeback: Lookout Discovers Global Campaign. Retrieved February 6, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-global-rooting-malware-campaign"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:20.729Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself contact list access.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9", "created": "2025-03-24T20:12:48.858Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). 
LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:20.920Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed a list of installed applications.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ec6ec329-a758-4259-a5f8-789cfef78a53", "created": "2025-03-28T14:35:59.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:21.112Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has collected and sent information on the device\u2019s IMEI, MEID, serial number and other device information.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ec734b52-a823-495c-9684-c4649269723e", "created": "2023-09-28T17:22:03.028Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:21.341Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can uninstall itself and other applications.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4", "created": "2025-03-14T17:57:47.876Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:21.545Z", "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious applications. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0", "created": "2023-08-14T16:33:56.635Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:21.762Z", "description": "Many properly configured firewalls may naturally block command and control traffic.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42", "created": "2021-10-01T14:42:48.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:21.955Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can use its keylogger module to take screenshots of the area of the screen that the user tapped.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d", "created": "2019-08-09T18:06:11.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:22.161Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) can take pictures with both the front and rear-facing cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ece70dca-803c-4209-8792-7e56e9901288", "created": "2020-07-15T20:20:59.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:22.374Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can delete all data from an infected device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a", "created": "2020-07-15T20:20:59.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:22.572Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed3293cf-de4f-4a73-98af-24325e8187c9", "created": "2020-04-24T17:46:31.598Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:22.777Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can detect if it is running on a rooted device or an emulator.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed48a86f-e55f-4abf-8f18-98591b756399", "created": "2023-03-03T16:19:30.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:22.973Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hidden the app icon from iOS springboard.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d", "created": "2024-04-02T19:24:58.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "fb_arid_viper", "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:23.164Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) has included exploits for jailbreaking infected devices.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed7e9368-004c-484f-9eed-03b158325564", "created": "2023-03-20T18:54:40.401Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:23.379Z", "description": "Application vetting services could look for known software packers or artifacts of packing techniques. 
Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6", "created": "2025-03-14T17:58:15.093Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:23.576Z", "description": "Monitor for API calls that are related to GooglePlayServices. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6", "created": "2023-02-28T20:31:55.191Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. 
Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:23.780Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can access app notifications.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ede5c314-5988-4151-bb30-b6a6983d02c0", "created": "2020-12-31T18:25:05.164Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CYBERWARCON CHEMISTGAMES", "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:23.974Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has been distributed as updates to legitimate applications. 
This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb", "created": "2019-09-04T15:38:56.881Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CyberMerchants-FlexiSpy", "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:24.172Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect device contacts.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ee095f20-eef5-4dcc-a537-70b387592c2c", "created": "2023-02-28T20:38:46.702Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "bitdefender_flubot_0524", "description": "Filip TRU\u021a\u0102, R\u0103zvan GOSA, Adrian Mihai GOZOB. (2022, May 24). New FluBot Campaign Sweeps through Europe Targeting Android and iOS Users Alike. 
Retrieved February 28, 2023.", "url": "https://www.bitdefender.com/blog/labs/new-flubot-campaign-sweeps-through-europe-targeting-android-and-ios-users-alike/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:24.379Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Accessibility Services to make removal of the malicious app difficult.(Citation: bitdefender_flubot_0524)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9", "created": "2020-09-15T15:18:12.419Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:24.580Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device\u2019s contact list.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f", "created": "2019-09-23T13:36:08.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:24.778Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eee008fa-a46f-4542-93e3-8fe5f949130f", "created": "2023-01-19T18:06:57.242Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:24.983Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if Wi-Fi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671", "created": "2021-02-08T16:36:20.709Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:25.183Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f", "created": "2019-07-16T14:33:12.107Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky Triada June 2016", "description": "Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019.", "url": "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/"}, {"source_name": "Google Triada June 2019", "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:25.404Z", "description": "[Triada](https://attack.mitre.org/software/S0424) can redirect ad banner URLs on websites visited by the user to specific ad URLs.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada June 2016) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005", "created": "2023-10-10T15:33:57.735Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:25.602Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--efd35b6f-7a61-4998-97ff-608547e40f66", "created": "2019-10-01T14:23:44.054Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. 
Retrieved September 23, 2019.", "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:25.810Z", "description": " [Rotexy](https://attack.mitre.org/software/S0411) encrypts JSON HTTP payloads with AES.(Citation: securelist rotexy 2018) ", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f012feab-5612-429f-81bd-ff75d6ffd04e", "created": "2022-04-05T17:03:34.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:26.007Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f051c943-998c-4db2-9dbc-d4755057bcf0", "created": "2022-04-05T19:49:06.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:26.231Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "relationship_type": "mitigates", "source_ref": 
"course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd", "created": "2023-03-20T18:51:58.152Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:26.424Z", "description": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f0851531-e554-4658-920c-f2342632c19a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Adware", "description": "Michael Bentley. (2015, November 4). Lookout discovers new trojanized adware; 20K popular apps caught in the crossfire. 
Retrieved December 21, 2016.", "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:26.625Z", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is packed with at least eight publicly available exploits that can perform rooting.(Citation: Lookout-Adware)", "relationship_type": "uses", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1", "created": "2020-07-15T20:20:59.284Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:26.827Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can install attacker-specified components or applications.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f0e39856-4d2d-45c5-bf16-f683ee993010", "created": "2022-03-30T18:18:15.915Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:27.026Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc", "created": "2020-09-14T14:13:45.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:27.237Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) has exfiltrated data using HTTP PUT requests.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185", "created": "2025-03-24T20:08:17.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:27.430Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed SMS messages.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f157970b-4782-46d0-abdd-000ae6eea14b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:27.624Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f1c06c38-0f58-4789-9758-1e321394e03f", "created": "2025-03-24T17:49:09.480Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. 
Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "MelikovBlackBerry LightSpy 2024", "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india"}, {"source_name": "Threatfabric LightSpy 2023", "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:27.810Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185)'s main executable and modules use native libraries to execute targeted functionality.(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150", "created": "2020-05-11T16:37:36.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ThreatFabric Ginp", "description": 
"ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:28.014Z", "description": " [Ginp](https://attack.mitre.org/software/S0423) can download device logs.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665", "created": "2023-07-21T19:39:51.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. 
Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:28.237Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate data when the user boots the app, or on device boot.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee", "created": "2020-11-24T17:55:12.895Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos GPlayed", "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . 
Retrieved November 24, 2020.", "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:28.453Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can show a phishing WebView pretending to be a Google service that collects credit card information.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1", "created": "2020-06-26T15:32:25.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. 
Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:28.639Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can record keystrokes.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5", "created": "2025-03-27T22:49:20.862Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 23Oct2023", "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangulation-validators-modules/110847/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:28.828Z", "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has exfiltrated collected data to the C2 server.(Citation: SecureList OpTriangulation 23Oct2023) ", "relationship_type": "uses", "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6", "created": "2020-01-21T14:20:50.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:29.038Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132", "created": "2022-03-30T14:06:26.530Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:29.254Z", "description": "Mobile security products can typically detect jailbroken or rooted devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f372697e-b661-4995-9920-4ec0a9060ebb", "created": "2024-03-28T18:01:08.468Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Talos Promethium June 2020", "description": "Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. 
Retrieved July 20, 2020.", "url": "https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html"}, {"source_name": "Bitdefender StrongPity June 2020", "description": "Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:29.456Z", "description": "(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "relationship_type": "attributed-to", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81", "created": "2023-03-20T15:45:44.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:29.665Z", "description": "Mobile security products can potentially detect jailbroken devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a", "created": "2024-01-26T17:35:37.668Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": 
"checkpoint_flixonline_0421", "description": "Aviran Hazum, Bodgan Melnykov, Israel Wenik. (2021, April 7). New Wormable Android Malware Spreads by Creating Auto-Replies to Messages in WhatsApp. Retrieved January 26, 2024.", "url": "https://research.checkpoint.com/2021/new-wormable-android-malware-spreads-by-creating-auto-replies-to-messages-in-whatsapp/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:29.857Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) requests access to the `NotificationListenerService`, which can allow it to manipulate a device's notifications.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5", "created": "2023-03-20T15:21:12.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:30.051Z", "description": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607", "created": "2024-02-21T21:05:56.876Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, 
"external_references": [{"source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:30.276Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f4aeacef-035c-4308-9e85-997703e27809", "created": "2020-01-27T17:05:58.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. 
Retrieved January 27, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:30.473Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can delete arbitrary files on the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012", "created": "2020-12-14T14:52:03.218Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Sophos Red Alert 2.0", "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. 
Retrieved December 14, 2020.", "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:30.695Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can obtain the running application.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1", "created": "2019-07-10T15:35:43.661Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:30.888Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) captures and exfiltrates all SMS messages, including future messages as they are received.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:31.090Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests SMS and MMS messages from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45", "created": "2019-09-15T15:32:17.580Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android Notification Listeners", "description": "Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019.", "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPermittedCrossProfileNotificationListeners(android.content.ComponentName,%20java.util.List%3Cjava.lang.String%3E)"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:31.312Z", "description": "On Android devices with a work profile, the `DevicePolicyManager.setPermittedCrossProfileNotificationListeners` method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. 
The `DevicePolicyManager.setApplicationHidden` method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.(Citation: Android Notification Listeners) ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19", "created": "2020-09-24T15:26:15.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:31.510Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has exfiltrated data using HTTP requests.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f5196775-2c99-4dc5-b173-6a10af503c6e", "created": "2023-09-25T19:55:13.827Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": 
["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:31.725Z", "description": "Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8", "created": "2025-03-24T14:52:59.139Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "McAfee MoqHao 2019", "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:31.922Z", "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the Tencent packer to hide its malicious payload.(Citation: McAfee MoqHao 2019) ", "relationship_type": "uses", "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": 
"Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:32.113Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about installed packages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4", "created": "2022-09-29T21:22:06.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cylance Dust Storm", "description": "Gross, J. (2016, February 23). Operation Dust Storm. 
Retrieved December 22, 2021.", "url": "https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:32.332Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a", "created": "2023-03-20T18:39:10.113Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:32.521Z", "description": "The user can view a list of device administrators in device settings and revoke permission where appropriate. 
Applications that request device administrator permissions should be scrutinized further for malicious behavior.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4", "created": "2023-09-28T17:20:50.748Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:32.721Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can record audio from the device\u2019s microphone.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f5d24a31-53d2-4e84-9110-2da0582132cb", "created": "2020-05-07T15:33:32.936Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "CheckPoint Agent Smith", "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. 
Retrieved May 7, 2020.", "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:32.925Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440)\u2019s core malware is disguised as a JPG file, and encrypted with an XOR cipher.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78", "created": "2023-03-20T18:54:09.674Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:33.150Z", "description": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:33.369Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses the list of installed applications.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-PegasusAndroid", "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. 
Retrieved April 16, 2017.", "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:33.564Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) uses SMS for command and control.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e", "created": "2022-03-30T20:43:31.249Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:33.782Z", "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f62e0aaf-e52f-40b9-a059-001f298a0660", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. 
Retrieved September 24, 2018.", "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:33.975Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794", "created": "2019-11-21T16:42:48.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/"}, {"source_name": "Bitdefender - Triout 2018", "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:34.180Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can record audio from the device\u2019s microphone and can record phone calls together with the caller ID.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f6417788-0c6e-4172-9010-f20870ec2278", "created": "2023-06-09T19:16:07.193Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:34.383Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can request device administrator privileges.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f65087b4-adf2-4292-a711-7ae829e91397", "created": "2019-09-04T14:28:16.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:34.570Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can list applications installed on the device.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:34.782Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record phone calls and surrounding audio.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663", "created": "2023-08-16T16:39:10.564Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "cyble_chameleon_0423", "description": "Cyble Research & Intelligence Labs. (2023, April 13). Banking Trojan targeting mobile users in Australia and Poland. 
Retrieved August 16, 2023.", "url": "https://cyble.com/blog/chameleon-a-new-android-malware-spotted-in-the-wild/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:34.977Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can disable Google Play Protect.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f6a451e8-2125-4bbe-be52-e682523cd169", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:35.165Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests the device phone number, IMEI, and IMSI.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa", "created": "2020-11-10T17:08:35.761Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:35.366Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has deleted call log entries coming from known C2 sources.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1", "created": "2020-07-20T13:49:03.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "TrendMicro-XLoader-FakeSpy", "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:35.569Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device\u2019s IMSI and ICCID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc", "created": "2022-04-01T13:18:40.460Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:35.778Z", "description": "Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22", "created": "2023-07-21T19:39:20.054Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. (2023, April 27). 
Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:35.978Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) uses a background service that can restart itself when the parent activity is stopped.(Citation: lookout_bouldspy_0423) ", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f776a4da-0fa6-414c-a705-e9e8b419e056", "created": "2020-06-26T15:32:25.058Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Cerberus", "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"}, {"source_name": "CheckPoint Cerberus", "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:36.171Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can inject input to grant itself additional permissions without user interaction and to prevent application removal.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f781fd2c-209f-43f1-b55a-fb175187415f", "created": "2024-03-28T18:28:48.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "welivesec_strongpity", "description": "Stefanko, L. (2023, January 10). StrongPity espionage campaign targeting Android users. 
Retrieved January 31, 2023.", "url": "https://www.welivesecurity.com/2023/01/10/strongpity-espionage-campaign-targeting-android-users/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:36.378Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device\u2019s contact list.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a", "created": "2025-03-24T20:14:35.755Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:36.575Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has masqueraded a Mach-O executable as a png file.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a", "created": "2021-01-07T17:02:31.805Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). TikTok Spyware. 
Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:36.778Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can access the device's contact list.(Citation: Zscaler TikTok Spyware) ", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:36.978Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can perform GPS location tracking as well as capturing coordinates as when an SMS message or call is received.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9", "created": "2025-02-12T15:21:45.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": 
"Krebs LAPUSS Mar2022", "description": "Krebs, B. (2022, March 23). A Closer Look at the LAPSUS$ Data Extortion Group. Retrieved January 27, 2025.", "url": "https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/"}, {"source_name": "Microsoft DEV-0537 Mar2022", "description": "Microsoft Incident Response, Microsoft Threat Intelligence . (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved January 27, 2025.", "url": "https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:37.182Z", "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) has used SIM swapping to gain access to victims\u2019 mobile devices.(Citation: Krebs LAPUSS Mar2022)(Citation: Microsoft DEV-0537 Mar2022) ", "relationship_type": "uses", "source_ref": "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f8151852-5a56-4c91-a691-1e50387a291d", "created": "2023-09-28T17:39:14.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Trend Micro FlyTrap", "description": "Trend Micro. (2021, August 17). FlyTrap Android Malware Is Taking Over Facebook Accounts \u2014 Protect Yourself With a Malware Scanner. 
Retrieved September 28, 2023.", "url": "https://news.trendmicro.com/2021/08/17/flytrap-android-malware-is-taking-over-facebook-accounts-protect-yourself-with-a-malware-scanner/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:37.376Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect IP address and network configuration information.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f84355c2-b829-4324-821a-b5148734bb6b", "created": "2022-04-01T15:21:35.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:37.592Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f857935b-653a-4b9a-a2dc-59c042059a39", "created": "2023-03-20T15:56:04.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:37.798Z", "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c", "created": "2020-12-18T20:14:47.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "WhiteOps TERRACOTTA", "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. 
Retrieved December 18, 2020.", "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:37.991Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can send SMS messages.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57", "created": "2020-04-08T15:51:25.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:38.192Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) obfuscates its payload, code, and strings.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f92fe9dd-7296-42f6-904e-e245c438376e", "created": "2020-12-14T15:02:35.291Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Securelist Asacub", "description": "T. Shishkova. (2018, August 28). 
The rise of mobile banker Asacub. Retrieved December 14, 2020.", "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:38.397Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can request device administrator permissions.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23", "created": "2024-02-21T20:51:32.634Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:38.590Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ArsTechnica-HummingBad", "description": "Dan Goodin. (2016, July 7). 10 million Android phones infected by all-powerful auto-rooting apps. 
Retrieved January 24, 2017.", "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:38.824Z", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can create fraudulent statistics inside the official Google Play Store, and has generated revenue from installing fraudulent apps and displaying malicious advertisements.(Citation: ArsTechnica-HummingBad)", "relationship_type": "uses", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f", "created": "2019-10-18T14:50:57.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:39.023Z", "description": "Security updates often contain patches for vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f989562f-41a8-46d3-94ba-fca7269ae592", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:39.239Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b", "created": "2024-02-21T21:09:05.676Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "trendmicro_tianyspy_0122", "description": "Trend Micro. (2022, January 25). TianySpy Malware Uses Smishing Disguised as Message From Telco. 
Retrieved January 11, 2023.", "url": "https://www.trendmicro.com/en_us/research/22/a/tianyspy-malware-uses-smishing-disguised-as-message-from-telco.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:39.433Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if Wi-Fi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae", "created": "2019-09-04T20:01:42.753Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Nightwatch screencap April 2016", "description": "Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). 
Retrieved November 5, 2019.", "url": "https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:39.628Z", "description": "Application developers can apply the `FLAG_SECURE` property to sensitive screens within their apps to make it more difficult for the screen contents to be captured.(Citation: Nightwatch screencap April 2016) ", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0", "created": "2020-12-24T21:55:56.686Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:39.842Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed common system information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb", "created": "2020-09-15T15:18:12.466Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason FakeSpy", "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. 
Retrieved September 15, 2020.", "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:40.037Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) exfiltrates data using HTTP requests.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-EnterpriseApps", "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:40.294Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) tracks the device location.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d", "created": "2021-01-05T20:16:20.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Zscaler TikTok Spyware", "description": "S. Desai. (2020, September 8). 
TikTok Spyware. Retrieved January 5, 2021.", "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:40.494Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture photos and videos from the device\u2019s camera.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fa5f3aea-2131-4690-8833-dc428fae2b22", "created": "2023-01-18T21:38:34.350Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "nccgroup_sharkbot_0322", "description": "RIFT: Research and Intelligence Fusion Team. (2022, March 3). SharkBot: a \u201cnew\u201d generation Android banking Trojan being distributed on Google Play Store. 
Retrieved January 18, 2023.", "url": "https://research.nccgroup.com/2022/03/03/sharkbot-a-new-generation-android-banking-trojan-being-distributed-on-google-play-store/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:40.713Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fada5ba5-7449-4878-b555-82f225473c8b", "created": "2022-03-30T19:28:42.179Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:40.906Z", "description": "Attestation can detect unauthorized modifications to devices. Mobile security software can then use this information and take appropriate mitigation action. ", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9", "created": "2023-07-21T19:34:53.934Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_bouldspy_0423", "description": "Kyle Schmittle, Alemdar Islamoglu, Paul Shunk, Justin Albrecht. 
(2023, April 27). Lookout Discovers Android Spyware Tied to Iranian Police Targeting Minorities: BouldSpy. Retrieved July 21, 2023.", "url": "https://www.lookout.com/blog/iranian-spyware-bouldspy"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:41.096Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can get a device\u2019s location using GPS or network.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5", "created": "2023-06-09T19:16:53.458Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:41.323Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can access a device\u2019s camera and take photos.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6", "created": "2020-09-11T16:22:03.266Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout ViperRAT", "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/viperrat-mobile-apt"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:41.524Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect SMS messages.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68", "created": "2020-12-24T21:45:56.979Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:41.736Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can retrieve files from external storage and can collect browser data.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fb3b32a8-6422-4d44-91e3-27a58e569963", "created": "2019-09-03T19:45:48.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:41.928Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take screenshots of any application in the foreground.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674", "created": "2020-12-24T22:04:28.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout Uyghur Campaign", "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:42.131Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fb587f81-1300-438d-a33b-f8d08530788b", "created": "2019-07-10T15:35:43.704Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. 
Retrieved April 11, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:42.373Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) exfiltrates data using HTTP.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:42.590Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fb62afa9-d593-44f8-840d-bd5c595a1228", "created": "2022-04-01T18:44:46.780Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:42.822Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. 
Retrieved September 27, 2018.", "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:43.028Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads SMS messages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fbdbddd7-4980-4061-9192-24a887bc6bad", "created": "2020-12-07T14:28:32.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Threat Fabric Exobot", "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. 
Retrieved October 29, 2020.", "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:43.233Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can open a SOCKS proxy connection through the compromised device.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7", "created": "2023-09-28T17:22:27.968Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bleeipng Computer Escobar", "description": "B. Toulas. (2022, March 12). Android malware Escobar steals your Google Authenticator MFA codes. 
Retrieved September 28, 2023.", "url": "https://www.bleepingcomputer.com/news/security/android-malware-escobar-steals-your-google-authenticator-mfa-codes/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:43.417Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can collect credentials using phishing overlays.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4", "created": "2019-09-03T19:45:48.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SWB Exodus March 2019", "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:43.623Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can obtain a list of installed applications.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fc742401-a8cd-4a97-8c50-045807c47581", "created": "2025-03-28T14:38:55.297Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "SecureList OpTriangulation 21Jun2023", "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. 
Retrieved April 18, 2024.", "url": "https://securelist.com/triangledb-triangulation-implant/110050/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:43.812Z", "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has collected and exfiltrated files.(Citation: SecureList OpTriangulation 21Jun2023) ", "relationship_type": "uses", "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55", "created": "2023-03-03T16:23:56.031Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "paloalto_yispecter_1015", "description": "Claud Xiao. (2015, October 4). YiSpecter: First iOS Malware That Attacks Non-jailbroken Apple iOS Devices by Abusing Private APIs. 
Retrieved March 3, 2023.", "url": "https://unit42.paloaltonetworks.com/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:44.005Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected the device UUID.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fc816ddc-199d-47b0-93af-c81305d0919f", "created": "2020-06-02T14:32:31.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Volexity Insomnia", "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:44.225Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fcb3a139-f644-45c9-8123-dfea0455143a", "created": "2019-08-09T17:56:05.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. 
Retrieved September 18, 2018.", "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:44.436Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record video and take photos via front and rear cameras.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fcc42341-ec3a-4e24-a374-46bed72d061f", "created": "2021-10-01T14:42:49.191Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecureList BusyGasper", "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. 
Retrieved October 1, 2021.", "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:44.632Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect data from messaging applications, including WhatsApp, Viber, and Facebook.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd", "created": "2020-06-26T14:55:13.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Cybereason EventBot", "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. 
Retrieved June 26, 2020.", "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:44.827Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576", "created": "2020-09-14T14:13:45.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout eSurv", "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. 
Retrieved September 11, 2020.", "url": "https://blog.lookout.com/esurv-research"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:45.034Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is [Exodus](https://attack.mitre.org/software/S0405).(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2", "created": "2023-08-08T16:14:27.679Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:45.246Z", "description": "Application vetting services may potentially determine if an application contains suspicious code and/or metadata.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901", "created": "2020-04-24T17:46:31.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "SecurityIntelligence TrickMo", "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. 
Retrieved April 24, 2020.", "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:45.440Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java\u2019s `PBEWithMD5AndDES` algorithm.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549", "created": "2023-03-20T18:24:56.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:45.628Z", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394", "created": "2021-02-08T16:36:20.639Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:45.837Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has region-locked their malicious applications during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1", "created": "2020-07-15T20:20:59.227Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Bitdefender Mandrake", "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:46.021Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea", "created": "2022-03-30T19:32:43.015Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:46.240Z", "description": "Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. Attestation can detect rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a", "created": "2025-03-24T20:25:51.549Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "LinkedIn Dmitry LightSpy 2025", "description": "Dmitry Bestuzhev. (2025, April 7). 
The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"}, {"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:46.438Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has deleted media files and messenger-related files on the device.(Citation: Threatfabric LightSpy 2024) Additionally, [LightSpy](https://attack.mitre.org/software/S1185) has used the AppDelete plugin to remove multiple messaging applications, such as WeChat, QQ, Telegram, Line and Whatsapp.(Citation: LinkedIn Dmitry LightSpy 2025) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fe794ba6-42be-4d42-a16f-a41473874331", "created": "2022-03-30T15:08:13.679Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Android-VerifiedBoot", "description": "Android. (n.d.). Verified Boot. 
Retrieved December 21, 2016.", "url": "https://source.android.com/security/verifiedboot/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:46.633Z", "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fed0de7b-509f-445d-90b9-4b507214298b", "created": "2025-03-24T20:21:48.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Threatfabric LightSpy 2024", "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:46.830Z", "description": "[LightSpy](https://attack.mitre.org/software/S1185) has established auto-start execution during the system boot process.(Citation: Threatfabric LightSpy 2024) ", "relationship_type": "uses", "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ff3aa49b-c054-44ec-89da-6c67d4995193", "created": "2023-03-20T18:44:44.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:47.028Z", "description": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938", "created": "2023-08-04T18:34:26.118Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "lookout_hornbill_sunbird_0221", "description": "Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. 
Retrieved June 9, 2023.", "url": "https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:47.235Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate calendar information.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f", "created": "2023-10-10T15:33:57.463Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Microsoft MalLockerB", "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:47.436Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has masqueraded as popular apps, cracked games, and video players. 
(Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "Lookout-NotCompatible", "description": "Tim Strazzere. (2014, November 19). The new NotCompatible: Sophisticated and evasive threat harbors the potential to compromise enterprise networks. Retrieved December 22, 2016.", "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:47.666Z", "description": "[NotCompatible](https://attack.mitre.org/software/S0299) has the capability to exploit systems on an enterprise network.(Citation: Lookout-NotCompatible)", "relationship_type": "uses", "source_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ffc82546-f4da-4f47-88ec-b215edb1d695", "created": "2021-02-08T16:36:20.799Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [{"source_name": "BlackBerry Bahamut", "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:47.869Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "Wandera-RedDrop", "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved November 17, 2024.", "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:48.076Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) captures live recordings of the device's surroundings.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"type": "relationship", "id": "relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9", "created": "2020-04-08T15:51:25.149Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [{"source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. 
Retrieved April 8, 2020.", "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"}], "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "modified": "2025-04-16T21:52:48.285Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can download the device\u2019s contact list.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_attack_spec_version": "3.2.0"}, {"modified": "2025-03-19T15:00:40.855Z", "name": "The MITRE Corporation", "description": "", "identity_class": "organization", "type": "identity", "id": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "created": "2017-06-01T00:00:00.000Z", "object_marking_refs": ["marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"], "x_mitre_attack_spec_version": "3.2.0"}, {"definition": {"statement": "Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation."}, "id": "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168", "type": "marking-definition", "created": "2017-06-01T00:00:00.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "definition_type": "statement"}], "spec_version": "2.0"} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json b/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json index a670e73fb7..54bd20b7df 100644 --- a/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json +++ b/mobile-attack/relationship/relationship--0008005f-ca51-47c3-8369-55ee5de1c65a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1ab789b-969e-4035-8b26-12e05634fb29", + "id": "bundle--daa9c09d-2f1c-45c9-88ef-7da8c70460c5", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:43:54.975Z", + "modified": "2025-04-16T21:46:36.787Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) uses an Android broadcast receiver to automatically start when the device boots.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json b/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json index d7815c8a47..2d27c4bb06 100644 --- a/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json +++ b/mobile-attack/relationship/relationship--006b3910-e9c3-4de8-ba49-dff36b1a3308.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--84415854-e267-42fe-8ea2-7290c9a3ea5a", + "id": "bundle--9a1c89db-8917-4292-8e6e-51eba628ed95", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:06:11.934Z", + "modified": "2025-04-16T21:46:37.022Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can monitor notifications.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json b/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json index 287240a168..1e61c63c96 100644 --- a/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json +++ b/mobile-attack/relationship/relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ad983f83-d9b2-4e82-8088-4929fb8aa36b", + "id": "bundle--671f6f44-498b-461b-a949-52c2935be2c2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341", "type": "relationship", + "id": "relationship--00dc2b34-1b74-4dae-b6e4-b676528d6341", "created": "2019-07-16T14:33:12.085Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", - "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", - "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], - "modified": "2020-04-27T16:52:49.480Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:37.265Z", "description": "[Triada](https://attack.mitre.org/software/S0424) utilizes a backdoor in a Play Store app to install additional trojanized apps from the Command and Control server.(Citation: Google Triada June 2019)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json b/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json index fbf5a1f4b5..3884fd3c30 100644 --- a/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json +++ b/mobile-attack/relationship/relationship--0100020b-97d4-4657-bc71-c6a1774055a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--24877984-edb3-47da-9933-dd13df92b2de", + "id": "bundle--0917a320-2212-43c9-ad34-e5bb3a55bfef", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:39:23.114Z", + "modified": "2025-04-16T21:46:37.487Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has exfiltrated data via both SMTP and HTTP.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c.json b/mobile-attack/relationship/relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c.json new file mode 100644 index 0000000000..3cdfc11e39 --- /dev/null +++ b/mobile-attack/relationship/relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--47d47c78-0799-4b69-a761-137bc3c257a9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--01563962-2ccb-4bbc-8ef7-512a950ea47c", + "created": "2025-03-28T15:09:39.238Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:37.713Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of installed applications.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json b/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json index 2a87ff67b0..de778964fa 100644 --- a/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json +++ b/mobile-attack/relationship/relationship--01965668-d033-4aca-a8e5-71a07070e266.json 
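Review bot: The added `description` string ends with a space between the closing citation parenthesis and the closing quote, which other relationship descriptions on this page (for example the SpyNote RAT and AbstractEmu entries) do not have. Tooling that compares, de-duplicates or hashes description text will treat the stray whitespace as a difference, so I would trim it: `"description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of installed applications.(Citation: SecureList OpTriangulation 21Jun2023)",`. If this file is exported from an upstream knowledge base, the trim presumably belongs in that source rather than in the JSON itself.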
@@ -1,22 +1,22 @@ { "type": "bundle", - "id": "bundle--dbbc628c-2c0f-4c3f-856f-29e5753365ed", + "id": "bundle--acc59de6-f7dc-433c-9efe-5cb8be591f39", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--01965668-d033-4aca-a8e5-71a07070e266", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--01965668-d033-4aca-a8e5-71a07070e266", - "type": "relationship", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2018-10-17T00:14:20.652Z", + "modified": "2025-04-16T21:46:37.912Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--45dcbc83-4abc-4de1-b643-e528d1e9df09", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--01fd0686-d67f-4396-8812-3533063dd6b4.json b/mobile-attack/relationship/relationship--01fd0686-d67f-4396-8812-3533063dd6b4.json index b9e5bd8acb..ebaac0d42c 100644 --- a/mobile-attack/relationship/relationship--01fd0686-d67f-4396-8812-3533063dd6b4.json +++ b/mobile-attack/relationship/relationship--01fd0686-d67f-4396-8812-3533063dd6b4.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--32f3b995-0544-4a5a-a90a-f9f1faa335a0", + "id": "bundle--bec64b12-32b1-4927-9743-60e64b046e52", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--01fd0686-d67f-4396-8812-3533063dd6b4", "created": "2023-08-16T16:38:47.766Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:38:47.766Z", + "modified": "2025-04-16T21:46:38.112Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can remove artifacts of its presence and uninstall itself.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json b/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json index b303c8015c..45a8981686 100644 --- a/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json +++ b/mobile-attack/relationship/relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d206c63c-8d51-4176-b776-6f548e8d8a1e", + "id": "bundle--610eb5c5-5051-4f05-af3f-b9e47ae55bc9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2", "type": "relationship", + "id": "relationship--020a1aaa-a444-4f3c-a08b-f1369be276f2", "created": "2020-09-15T15:18:12.398Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", - "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", - "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], - "modified": "2020-09-15T15:18:12.398Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:38.324Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json b/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json index 40e807f3dc..a2f830b1e3 100644 --- a/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json +++ b/mobile-attack/relationship/relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7ad41e5b-2f56-4f61-8b95-434bdca5d7e6", + "id": "bundle--6ab9f762-f371-477a-871c-258868947d4d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80", "type": "relationship", + "id": "relationship--020f79c6-d5f8-49eb-beee-e716e1fa4e80", "created": "2020-07-20T13:49:03.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", - "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], - "modified": "2020-09-24T15:12:24.191Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:38.545Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device\u2019s Android ID and serial number.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json b/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json index b6ec92435b..fb03b4380d 100644 --- a/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json +++ b/mobile-attack/relationship/relationship--021ca5c4-7e8a-439b-8c2e-38f817db63e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31c409e2-a931-4c89-801f-1102fadef2d3", + "id": "bundle--21788993-ce88-47b5-b500-a60d543da6bd", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-14T14:40:57.100Z", + "modified": "2025-04-16T21:46:38.768Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can check device system properties to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json b/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json index 3d503ae38c..998835d6bc 100644 --- a/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json +++ b/mobile-attack/relationship/relationship--022e941f-30c3-45a9-9f6f-36e704b80060.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aecc1e7e-5a35-488b-a2bd-6297265801d5", + "id": "bundle--d7ddb094-949d-40fd-bd3e-4eca85b36fa2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:44:13.361Z", + "modified": "2025-04-16T21:46:38.980Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) registers for the `SCREEN_ON` and `SMS_DELIVER` intents to perform actions when the device is unlocked and when the device receives an SMS message.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c.json b/mobile-attack/relationship/relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c.json index 0ee4e7f09b..e2563515df 100644 --- a/mobile-attack/relationship/relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c.json +++ b/mobile-attack/relationship/relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--cc44ba47-79f1-48d3-86a2-c3d188ed6c38", + "id": "bundle--ded908ee-9bce-4b52-9ee0-7b409e5ded94", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--024f9ee4-cb7d-49f4-b180-ad1e5e168a4c", "created": "2017-10-25T14:48:53.747Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges. ", - "modified": "2022-03-30T20:32:46.334Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:39.209Z", + "description": "Android 7 and later iOS versions introduced changes that prevent applications from performing Process Discovery without elevated privileges. ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json b/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json index 7f93094011..aed42b0b28 100644 --- a/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json +++ b/mobile-attack/relationship/relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f.json 
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--0b1060b2-dc3e-4f1a-98e6-24b6b01096ba",
+ "id": "bundle--aeaa7ee0-820b-42d4-bf33-6423519d695d",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f",
 "type": "relationship",
+ "id": "relationship--027a36dc-cd9e-4282-b101-b9a0abbb312f",
 "created": "2020-09-11T14:54:16.640Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Lookout Desert Scorpion",
- "url": "https://blog.lookout.com/desert-scorpion-google-play",
- "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020."
+ "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.",
+ "url": "https://blog.lookout.com/desert-scorpion-google-play"
 }
 ],
- "modified": "2020-09-11T14:54:16.640Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:46:39.418Z",
 "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can encrypt exfiltrated data.(Citation: Lookout Desert Scorpion)",
 "relationship_type": "uses",
 "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8",
 "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json b/mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json
index 1acb79d12a..7f26522026 100644
--- a/mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json
+++ b/mobile-attack/relationship/relationship--0291c9d5-8977-420d-8374-b786e3095a73.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--df925760-61bb-46dc-8556-6b0dd0c86551",
+ "id": "bundle--d5bf5629-5ae5-46d6-ba9e-7d633b5e59c2",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-08T15:34:15.917Z",
+ "modified": "2025-04-16T21:46:39.649Z",
 "description": "Mobile security products can potentially utilize device APIs to determine if a device has been rooted or jailbroken.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6",
 "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json b/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json
index c072ffb165..ea97cb1ee9 100644
--- a/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json
+++ b/mobile-attack/relationship/relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e.json
@@ -1,14 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--43992846-f958-4b08-8a88-71c0f674892c",
+ "id": "bundle--1967bf20-e47f-4e1b-88f5-8158f0c405ac",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e",
 "type": "relationship",
+ "id": "relationship--02b3c8fe-1539-4c77-b67e-07fa8a22c91e",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
@@ -18,13 +15,16 @@
 "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
 }
 ],
- "modified": "2018-10-17T00:14:20.652Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:46:39.860Z",
 "description": "Some original variants of [BrainTest](https://attack.mitre.org/software/S0293) had the capability to automatically root some devices, but that behavior was not observed in later samples.(Citation: Lookout-BrainTest)",
 "relationship_type": "uses",
 "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
 "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json b/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json
index 622dc07dcd..a3252a5d55 100644
--- a/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json
+++ b/mobile-attack/relationship/relationship--02b5cb07-9eb5-4e47-a4df-9c3985ad70fc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5a1f628d-0809-46d2-a1e0-bc6a9162d8c3",
+ "id": "bundle--8da623b5-817d-486c-8ab2-b6ab74b2b53d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:26:41.762Z",
+ "modified": "2025-04-16T21:46:40.056Z",
 "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can abuse existing root access to copy components into the system partition.(Citation: SecureList BusyGasper)",
 "relationship_type": "uses",
 "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4",
 "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json b/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json
index d35b79d94a..371caf558d 100644
--- a/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json
+++ b/mobile-attack/relationship/relationship--02e4aedc-0674-4598-948b-0a32758af9ca.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--00f6ca8d-7631-440a-b481-038a7836e26d",
+ "id": "bundle--00eb3698-b351-4495-a105-d01435f0c7f8",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--02e4aedc-0674-4598-948b-0a32758af9ca",
 "created": "2022-04-01T13:14:43.195Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:46:40.269Z",
 "description": "",
- "modified": "2022-04-01T13:14:43.195Z",
 "relationship_type": "revoked-by",
 "source_ref": "attack-pattern--79eec66a-9bd0-4a3f-ac82-19159e94bd44",
 "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json b/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json
index 41994e689f..15eadef95f 100644
--- a/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json
+++ b/mobile-attack/relationship/relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4278265c-5bdd-444c-9af5-c8a5017e3191", + "id": "bundle--74d57b14-cbc9-44ff-9ddb-35bd69c33f20", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b", "type": "relationship", + "id": "relationship--03038590-e0c3-4751-b6fb-8a9ffff27e1b", "created": "2020-12-24T22:04:27.914Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:27.914Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:40.482Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has looked for .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files on external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json b/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json index c4b6de4224..caed4a9f79 100644 --- a/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json +++ b/mobile-attack/relationship/relationship--03172b09-4f97-4fb8-95f0-92b2d8957408.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--a162d818-129a-4429-bc45-2490bc407c04", + "id": "bundle--68ced8f4-b98c-4040-b6e8-b3e3574e325b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--03172b09-4f97-4fb8-95f0-92b2d8957408", "created": "2020-06-26T14:55:13.349Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:40.752Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) has encrypted base64-encoded payload data using RC4 and Curve25519.(Citation: Cybereason EventBot)", - "modified": "2022-04-18T15:57:14.375Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline 
at end of file diff --git a/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json b/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json index b14dddfb6d..9b298eb66a 100644 --- a/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json +++ b/mobile-attack/relationship/relationship--0330db55-06e0-45a2-85a6-17617a37fdaf.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--8e11f7d0-a831-4a42-811a-1b57cc8001fa", + "id": "bundle--9181d744-87df-495d-82bd-cf42bfe6485a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--0330db55-06e0-45a2-85a6-17617a37fdaf", "created": "2022-04-06T13:57:49.186Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:40.949Z", "description": "", - "modified": "2022-04-06T13:57:49.186Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f981d199-2720-467e-9dc9-eea04dbe05cf", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json b/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json index 8d10ff42ea..19519d3043 100644 
--- a/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json
+++ b/mobile-attack/relationship/relationship--035192e3-94f4-426d-9be9-312ddd1ce6a8.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--41228b6d-ffbc-48b7-a967-45ecbea3b2b8",
+ "id": "bundle--23ebc7eb-9894-493b-857d-47a82f764244",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T20:22:18.013Z",
+ "modified": "2025-04-16T21:46:41.155Z",
 "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect SMS messages.(Citation: SecureList - ViceLeaker 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2",
 "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122.json b/mobile-attack/relationship/relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122.json
new file mode 100644
index 0000000000..dd0f0225ef
--- /dev/null
+++ b/mobile-attack/relationship/relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--594fd429-543c-4c7c-92d8-0ef7c2bc4bdc",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--035bdf9a-dc4c-403a-b5c4-9b9b42675122",
+ "created": "2025-03-28T14:40:32.390Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "SecureList OpTriangulation 21Jun2023",
+ "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.",
+ "url": "https://securelist.com/triangledb-triangulation-implant/110050/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:46:41.387Z",
+ "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has loaded additional modules stored in memory.(Citation: SecureList OpTriangulation 21Jun2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f",
+ "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--03ff6271-d7bc-40f3-b83d-25c541333694.json b/mobile-attack/relationship/relationship--03ff6271-d7bc-40f3-b83d-25c541333694.json
index a7b87bc754..80d4bee411 100644
--- a/mobile-attack/relationship/relationship--03ff6271-d7bc-40f3-b83d-25c541333694.json
+++ b/mobile-attack/relationship/relationship--03ff6271-d7bc-40f3-b83d-25c541333694.json
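Review bot: The `description` value in this new relationship ends with a stray space after the citation marker, `…(Citation: SecureList OpTriangulation 21Jun2023) "`, so consumers that compare or hash the text, or render it verbatim, carry the whitespace along. Trimming it to `…(Citation: SecureList OpTriangulation 21Jun2023)",` keeps the new object consistent with the neighbouring `uses` descriptions. Separately, the `source_ref` and `target_ref` objects cannot be checked from this hunk; it is worth confirming that both ship in the same release so the relationship does not dangle for tools that resolve references strictly.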
@@ -1,23 +1,23 @@
 {
 "type": "bundle",
- "id": "bundle--6551c833-3a66-43af-83ba-531ac1446d43",
+ "id": "bundle--de0cbaea-0d4a-4516-9d26-ff8f19288f44",
 "spec_version": "2.0",
 "objects": [
 {
+ "type": "relationship",
+ "id": "relationship--03ff6271-d7bc-40f3-b83d-25c541333694",
+ "created": "2019-11-19T17:32:20.701Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "id": "relationship--03ff6271-d7bc-40f3-b83d-25c541333694",
- "type": "relationship",
- "created": "2019-11-19T17:32:20.701Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2019-12-26T16:14:33.468Z",
+ "modified": "2025-04-16T21:46:41.595Z",
 "description": "If a user sees a persistent notification they do not recognize, they should uninstall the source application and look for other unwanted applications or anomalies.",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
 "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json b/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json
index 3c819a1874..727a09a7c5 100644
--- a/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json
+++ b/mobile-attack/relationship/relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71.json
@@ -1,33 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--ecafacf6-9fac-48a8-8f19-5db5e23119ca",
+ "id": "bundle--03d22b6b-88e7-4655-b2cb-3244365ecd32",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--042a4f26-612e-4ed5-b7f3-911a47ec5d71",
 "created": "2022-04-18T15:49:00.561Z",
- "x_mitre_version": "0.1",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "SecureList BusyGasper",
- "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/",
- "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021."
+ "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.",
+ "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/"
 }
 ],
- "x_mitre_deprecated": false,
- "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:46:41.838Z",
 "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download text files with commands from an FTP server and exfiltrate data via email.(Citation: SecureList BusyGasper)",
- "modified": "2022-04-18T15:49:00.561Z",
 "relationship_type": "uses",
 "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4",
 "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json b/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json
index 7b49f3d674..99858b9283 100644
--- a/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json
+++ b/mobile-attack/relationship/relationship--04530307-22d8-4a06-9056-55eea225fabb.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--5228cb3e-02b3-4031-b6ba-c7b5ccc7ba3e",
+ "id": "bundle--d7bd0a04-6b29-4b66-bfe5-d233bb3efa9c",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--04530307-22d8-4a06-9056-55eea225fabb",
 "type": "relationship",
+ "id": "relationship--04530307-22d8-4a06-9056-55eea225fabb",
 "created": "2019-07-10T15:35:43.710Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
- "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
+ "source_name": "Lookout Dark Caracal Jan 2018",
 "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
- "source_name": "Lookout Dark Caracal Jan 2018"
+ "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
 }
 ],
- "modified": "2019-08-09T18:06:11.842Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:46:42.051Z",
 "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves messages and decryption keys for popular messaging applications and other accounts stored on the device.(Citation: Lookout Dark Caracal Jan 2018)",
 "relationship_type": "uses",
 "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
 "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json b/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json
index b35826e5e0..c8fe34286a 100644
--- a/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json
+++ b/mobile-attack/relationship/relationship--046acda0-91de-4385-bcfb-157570d8e51d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--cbe29a3e-2e56-46c3-833c-6a55666ec29e",
+ "id": "bundle--b9ee96e2-e9c9-43b0-acaa-4cd84fed6011",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-03-30T15:26:46.611Z",
+ "modified": "2025-04-16T21:46:42.263Z",
 "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can search for installed applications that match a list of targets.(Citation: cleafy_sova_1122)",
 "relationship_type": "uses",
 "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36",
 "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json b/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json
index a99c357a4f..8befea9fc1 100644
--- a/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json
+++ b/mobile-attack/relationship/relationship--049a5149-00c9-492a-8ffb-463f3d0cd910.json
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--a26fcc26-96f7-45f9-8b12-4dfaa34922ea", + "id": "bundle--63650243-947d-403d-bc9b-8c3fa9366822", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--049a5149-00c9-492a-8ffb-463f3d0cd910", "created": "2022-03-30T20:13:28.442Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android 10 Limitations to Hiding App Icons", - "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons", - "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022." + "description": "Android. (n.d.). Android 10 Release Notes: Limitations to hiding app icons. Retrieved March 30, 2022.", + "url": "https://source.android.com/setup/start/android-10-release#limitations_to_hiding_app_icons" }, { "source_name": "LauncherApps getActivityList", - "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist", - "description": "Android. (n.d.). LauncherApps: getActivityList. Retrieved March 30, 2022." + "description": "Android. (n.d.). LauncherApps: getActivityList. 
Retrieved March 30, 2022.", + "url": "https://developer.android.com/reference/kotlin/android/content/pm/LauncherApps#getactivitylist" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:42.468Z", "description": "Android 10 introduced changes to prevent malicious applications from fully suppressing their icon in the launcher.(Citation: Android 10 Limitations to Hiding App Icons)(Citation: LauncherApps getActivityList)", - "modified": "2022-05-20T17:16:08.998Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json b/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json index 0d0ccf9e98..de01cfbe01 100644 --- a/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json +++ b/mobile-attack/relationship/relationship--049b0c71-63e3-47ce-bb0b-149df0344b15.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--faa0ed17-5826-4217-9b39-4a2d68436d67", + "id": "bundle--dcaabadf-b9e9-484b-979e-188abd9029f1", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:15:59.861Z",
+ "modified": "2025-04-16T21:46:42.695Z",
 "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access device contacts.(Citation: Lookout Uyghur Campaign)",
 "relationship_type": "uses",
 "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec",
 "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json b/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json
index 225fafe5d3..50f90df8c7 100644
--- a/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json
+++ b/mobile-attack/relationship/relationship--049c39ab-c036-457a-9b8f-4318416658b8.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--12506aa6-a7f4-40af-9f12-60b5bf6a1e2e",
+ "id": "bundle--a047dedf-ba5e-42fa-9192-b8b0bb607f0e",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--049c39ab-c036-457a-9b8f-4318416658b8",
 "created": "2022-03-30T19:54:24.468Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
- "revoked": false,
- "description": "A locked bootloader could prevent unauthorized modifications of protected operating system files. ",
- "modified": "2022-03-30T19:55:15.724Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:46:42.902Z",
+ "description": "A locked bootloader could prevent unauthorized modifications of protected operating system files. ",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
 "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json b/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json
index fdc3ec5583..5348f362f8 100644
--- a/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json
+++ b/mobile-attack/relationship/relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112.json
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b7487d96-2c58-4501-861f-4fd630124207", + "id": "bundle--98068b21-c3fd-4e5a-b40b-5ef508a93b58", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--04ae1d87-1741-4cfd-84ff-3c5e46c0b112", "created": "2022-04-05T19:59:03.285Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:43.107Z", "description": "", - "modified": "2022-04-05T19:59:03.285Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json b/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json index ef46f4b23d..2077997725 100644 --- a/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json +++ b/mobile-attack/relationship/relationship--04ec5f2f-b14f-46ae-b151-05f9b7af0bcc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--511c8966-7664-4e92-b212-555a0c90c412", + "id": "bundle--de3fd470-2368-4f39-a185-d07e3fcfe40a", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T14:53:48.653Z", + "modified": "2025-04-16T21:46:43.318Z", "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json b/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json index 806e4c9958..2d41cec244 100644 --- a/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json +++ b/mobile-attack/relationship/relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--cc40946f-d105-4d8f-888d-ebd7b5846c74", + "id": "bundle--124263d1-c667-452e-be6b-e9e3eeb3fc40", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe", "type": "relationship", + "id": "relationship--04eeed4b-e0fc-4fff-8c61-4c175f26a0fe", "created": "2019-12-10T16:07:41.093Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", - "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", - "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], - "modified": "2019-12-10T16:07:41.093Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:43.535Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can download code and binaries from the C2 server to execute on the device as root.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
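Review bot: The relationship rewritten in this hunk is stamped `"x_mitre_attack_spec_version": "3.2.0"` but still has neither `"revoked"` nor `"x_mitre_deprecated"`, while most other relationships touched by this patch set both to `false` explicitly. A consumer that selects active objects by strict equality on those keys, rather than treating absence as false, would silently drop this Dvmap relationship from its technique-coverage mapping. Either emit `"revoked": false,` and `"x_mitre_deprecated": false,` here too, or state in the release notes that a missing key means false. The same shape is visible in the Skygofree, Golden Cup and ViperRAT hunks further down. Since these bundles look tool-generated, the change probably belongs in the exporter rather than in the individual files.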
diff --git a/mobile-attack/relationship/relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab.json b/mobile-attack/relationship/relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab.json index 34c35f4660..befd7c9ee9 100644 --- a/mobile-attack/relationship/relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab.json +++ b/mobile-attack/relationship/relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--ff1cd23a-e293-4fe0-8fe3-a13e234c2c89", + "id": "bundle--70bbb95c-9404-4fd5-8de9-ad44267149bb", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--05243ccb-0aeb-4db4-bb03-51a65fb715ab", "created": "2020-09-11T14:54:16.589Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. 
Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:43.752Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can be controlled using SMS messages.(Citation: Lookout Desert Scorpion)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json b/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json index 9c98a9364d..16879cae80 100644 --- a/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json +++ b/mobile-attack/relationship/relationship--05563777-5771-4bd6-a1af-3e244cf42372.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--1ea74d84-aea0-465d-bfae-d85c77d96ac3", + "id": "bundle--dd0c7302-f5ce-4133-8680-bce36d8b4904", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372", "type": "relationship", + "id": "relationship--05563777-5771-4bd6-a1af-3e244cf42372", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:43.954Z", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples search to find the Apple account's username, password and device's GUID in data being transferred.(Citation: Xiao-KeyRaider)", "relationship_type": "uses", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json b/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json index b30b884496..90853deb66 100644 --- a/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json +++ b/mobile-attack/relationship/relationship--0569a1e0-1eb5-4e87-ae09-b698571012ef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71039e71-32a0-4101-99d8-7f546ed10508", + "id": "bundle--63ea61dc-2c61-40eb-96f2-d7ebce641261", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:22:32.033Z", + "modified": "2025-04-16T21:46:44.154Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather SMS messages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b.json b/mobile-attack/relationship/relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b.json index cf2c616292..08b38801f0 100644 --- a/mobile-attack/relationship/relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b.json +++ b/mobile-attack/relationship/relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--20e889a3-c403-43c8-a457-24a79ccf914b", + "id": "bundle--e4e1b188-cb9c-4b62-a4d9-8367ae680fb3", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--05c36a8c-1526-4d5d-93c1-331fd132c30b", "created": "2023-09-21T19:38:21.735Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T19:38:21.735Z", + "modified": "2025-04-16T21:46:44.375Z", "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json b/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json index 6bb7780723..cd6d0c8186 100644 --- a/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json +++ b/mobile-attack/relationship/relationship--05c57e75-04b8-4bf6-8022-2e89f74e4b76.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0eba7bed-cd2f-43ff-a67d-d1ee92a2f2ae", + "id": "bundle--959f1736-bd5c-4b8f-b456-cf3be4b44a24", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:35:41.700Z", + "modified": "2025-04-16T21:46:44.598Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has collected all outgoing phone numbers that start with \u201c86\u201d.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json b/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json index 9c8ac16859..3aee4df6c5 100644 --- a/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json +++ b/mobile-attack/relationship/relationship--06348e22-9a06-4e4c-a57c-e438462e7fce.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--601b3c54-db6b-4f02-8f4e-dc2c39a00235", + "id": "bundle--95d8983b-1eb0-4e2d-99d2-e903bb805ef0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce", "type": "relationship", + "id": "relationship--06348e22-9a06-4e4c-a57c-e438462e7fce", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", - "source_name": "Kaspersky-Skygofree" + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], - "modified": "2019-08-09T18:08:07.173Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:44.818Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record audio via the microphone when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--06869cb8-7384-4d85-aa0a-78256133c88d.json b/mobile-attack/relationship/relationship--06869cb8-7384-4d85-aa0a-78256133c88d.json new file mode 100644 index 0000000000..0468758bef --- /dev/null +++ b/mobile-attack/relationship/relationship--06869cb8-7384-4d85-aa0a-78256133c88d.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--91d421c2-a388-47f3-813a-4494bfc833e1", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--06869cb8-7384-4d85-aa0a-78256133c88d", + "created": "2024-04-02T19:46:53.072Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SentinelLabs AridViper 2023", + "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", + "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:45.031Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can make phone calls.(Citation: welivesecurity_apt-c-23)(Citation: SentinelLabs AridViper 2023)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b.json b/mobile-attack/relationship/relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b.json index 20af7f92a9..7d7950b03c 100644 
--- a/mobile-attack/relationship/relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b.json +++ b/mobile-attack/relationship/relationship--068c3d23-8aa2-48e9-acb3-c72651c94f0b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--93ed925e-f192-4a75-8758-c4f659d82bab", + "id": "bundle--b69f1678-0200-4708-81e5-22f8370da492", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:29:39.488Z", + "modified": "2025-04-16T21:46:45.260Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) on a compromised website to distribute a malicious version of a legitimate application.(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json b/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json index 46acf77fee..2346e6113c 100644 --- a/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json +++ b/mobile-attack/relationship/relationship--069b2328-442b-491e-962d-d3fe01f0549e.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--dc422a49-f3b1-4944-8f1b-ea57307fa3d4", + "id": "bundle--53238edf-b457-47d5-b511-42787779227a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--069b2328-442b-491e-962d-d3fe01f0549e", "created": "2019-09-04T14:28:15.479Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout-Monokle", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:45.481Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via email and SMS from a set of \"control phones.\"(Citation: Lookout-Monokle)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d.json b/mobile-attack/relationship/relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d.json index 1ba647fe91..0bc8c12361 100644 --- a/mobile-attack/relationship/relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d.json +++ b/mobile-attack/relationship/relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--b518cb0e-1b53-4d97-9a55-ac1c2caf0796", + "id": "bundle--9b3e9a1d-ec0c-464f-a8d0-087ff6439505", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--06e2e07f-7835-4ef8-bcc0-bb5e2886839d", "created": "2023-08-16T16:40:14.482Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:40:14.482Z", + "modified": "2025-04-16T21:46:45.721Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather basic device information such as version, model, root status, and country.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json b/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json index b3a296446d..5401f4a1de 100644 --- a/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json +++ b/mobile-attack/relationship/relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3211c198-f99b-4e99-bd08-10e2e8fef233", + "id": "bundle--7159afd9-2f85-4555-9e1f-d89c11f53afa", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85", "type": "relationship", + "id": "relationship--07036963-6f5e-4eb5-9b20-3f81dd582c85", "created": "2020-11-20T16:37:28.547Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T16:37:28.547Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:45.933Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect various pieces of device information, such as serial number and product information.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json b/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json index ca70e22620..d387522c5b 100644 --- a/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json +++ b/mobile-attack/relationship/relationship--0727ac06-5b46-4f79-abe9-63c1b923d383.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c96be9e-8960-4ef1-9a24-f9c3184da8fa", + "id": "bundle--426d824b-a35f-4fe5-afe6-2bda2e648349", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:07:11.541Z", + "modified": "2025-04-16T21:46:46.140Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has included encoded shell scripts to potentially aid in the rooting process.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35.json b/mobile-attack/relationship/relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35.json index b8cdcb15a7..49ca98452c 100644 --- a/mobile-attack/relationship/relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35.json +++ b/mobile-attack/relationship/relationship--076d8c54-e6f6-47c4-9f61-52964d4f1c35.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e198084c-1d40-4562-aa97-12cf1d773b3f", + "id": "bundle--fc4a22e7-1fa0-4634-bca4-4e7de127b858", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:29:50.603Z", + "modified": "2025-04-16T21:46:46.369Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to encrypt C2 communication using AES.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json b/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json index 481b13287f..0c23c43897 100644 --- a/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json +++ b/mobile-attack/relationship/relationship--078653a6-3613-4923-ae5a-1bccb8552e67.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3ff0fc65-9475-4267-b6bc-89b9690973ee", + "id": "bundle--6567a74f-f206-4832-b0e8-e70095d93498", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--078653a6-3613-4923-ae5a-1bccb8552e67", "type": "relationship", + "id": "relationship--078653a6-3613-4923-ae5a-1bccb8552e67", "created": "2020-09-11T16:22:03.250Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", - "url": "https://blog.lookout.com/viperrat-mobile-apt", - "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], - "modified": "2020-09-11T16:22:03.250Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:46.582Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) has been installed in two stages and can secretly install new applications.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json b/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json index fcdaf2d132..499ff8030b 100644 --- a/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json +++ b/mobile-attack/relationship/relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--8fd975bb-1a6d-44bd-a55a-5bd6a06d5242", + "id": "bundle--8354cdd4-1329-48c2-ba9f-53b06f261b12", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61", "type": "relationship", + "id": "relationship--0791f28b-d06f-4fee-9cdb-85a6fd2eed61", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:46.817Z", "description": "[WireLurker](https://attack.mitre.org/software/S0312) monitors for iOS devices connected via USB to an infected OSX computer and installs downloaded third-party applications or automatically generated malicious applications onto the device.(Citation: PaloAlto-WireLurker)", "relationship_type": "uses", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc.json b/mobile-attack/relationship/relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc.json index 2c331ca4d7..033b36985a 100644 --- a/mobile-attack/relationship/relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc.json +++ b/mobile-attack/relationship/relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--097cb9e4-b971-4118-a763-bf754cd266e4", + "id": "bundle--a95dc4fa-1cd3-44f9-945c-af4af3c0a8da", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--079911c5-0db9-4eb2-ab85-6ed6e118fbbc", "created": "2022-03-30T19:36:20.304Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:47.021Z", "description": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", - "modified": "2022-03-30T19:36:20.304Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--07c727a6-6323-477a-bb55-34e130959b4e.json b/mobile-attack/relationship/relationship--07c727a6-6323-477a-bb55-34e130959b4e.json index b2c0b00576..83005d6303 100644 --- a/mobile-attack/relationship/relationship--07c727a6-6323-477a-bb55-34e130959b4e.json +++ b/mobile-attack/relationship/relationship--07c727a6-6323-477a-bb55-34e130959b4e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b305a656-3bfa-4045-ac80-76f0d8939fcd", + "id": "bundle--19fbd7b4-f750-4a10-b65d-d0395267bf9e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:57.556Z", + "modified": "2025-04-16T21:46:47.257Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can mimic an app called \u201cStorage Settings\u201d if it cannot hide its icon.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json b/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json index a0ec97f48a..3528215f77 100644 --- a/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json +++ b/mobile-attack/relationship/relationship--07dd3318-2965-4085-be64-a8e956c7b8da.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4d871b73-dad5-4887-89aa-0055febaaed8", + "id": "bundle--7d7004a3-162a-4833-a0ff-cd92f5380033", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--07dd3318-2965-4085-be64-a8e956c7b8da", "type": "relationship", + "id": "relationship--07dd3318-2965-4085-be64-a8e956c7b8da", "created": "2020-12-18T20:14:47.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "modified": "2020-12-18T20:14:47.319Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:47.478Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has stored encoded strings.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json b/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json index 855a95a5e3..bc3c211aae 100644 --- a/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json +++ b/mobile-attack/relationship/relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--373291b7-98f4-4a1c-9aea-5d80bd6f1ddf", + "id": "bundle--741d00ad-6a37-4cd6-b8e1-c20007dbb53c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--07fd2c39-c3e2-4044-b00b-71250cd7df2e", "created": "2022-03-30T18:15:03.625Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:47.696Z", "description": "", - "modified": "2022-03-30T18:15:03.625Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json b/mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json index c75afcc94a..46ae8280e8 100644 
--- a/mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json +++ b/mobile-attack/relationship/relationship--0800f6bf-00c5-46d8-b876-1eeeb81b741f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--773d62a4-dd31-4264-a765-2164dabe8c63", + "id": "bundle--c623caf1-5c3e-40f9-a142-f810f0cfba02", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:45:55.097Z", + "modified": "2025-04-16T21:46:47.897Z", "description": "Application vetting services could look for use of standard APIs (e.g. the clipboard API) that could indicate data manipulation is occurring.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--082c3bd7-6088-4364-ae75-0eb45a635583.json b/mobile-attack/relationship/relationship--082c3bd7-6088-4364-ae75-0eb45a635583.json new file mode 100644 index 0000000000..401fb412bd --- /dev/null +++ b/mobile-attack/relationship/relationship--082c3bd7-6088-4364-ae75-0eb45a635583.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--74ecaf0b-c1dd-49ab-92d8-111ce1240519", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--082c3bd7-6088-4364-ae75-0eb45a635583", + "created": "2025-03-27T22:48:11.444Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:48.109Z", + "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has checked if the device is jailbroken.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", + "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json b/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json index 053809df6e..e906b43718 100644 --- a/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json +++ b/mobile-attack/relationship/relationship--084786ee-9384-4a00-9e1b-48f94ea70126.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f0b1c75f-4346-48f4-a5dc-b64fe612194b", + "id": "bundle--ada6254e-716c-4367-af6d-90e5a74a874e", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "SWB Exodus March 2019", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:09:45.426Z", + "modified": "2025-04-16T21:46:48.317Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate calendar events.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json b/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json index 42fe07212e..6776144ab0 100644 --- a/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json +++ b/mobile-attack/relationship/relationship--085f8397-0233-42d7-855e-3dbd709f2eca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85c1df8d-a35e-4120-9fa5-443f8e5c311e", + "id": "bundle--10c1edb8-0ffc-4560-9d9a-9e8429621aab", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:30:43.093Z", + "modified": "2025-04-16T21:46:48.527Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the Android \u201cDirect Reply\u201d feature to spread the malware to other devices. It can also download the full version of the malware after initial device compromise.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json b/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json index 00019d9df7..99f7343ee7 100644 --- a/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json +++ b/mobile-attack/relationship/relationship--086c4c17-dde7-4a1f-90d1-79eb32f3c11f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd12d36c-68e9-4abe-8eb9-db5319d9e807", + "id": "bundle--00ec4b7a-442f-4d85-9374-3510cb7d9744", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:15:45.239Z", + "modified": "2025-04-16T21:46:48.746Z", "description": "Application vetting services could look for `android.permission.READ_SMS` in an Android application\u2019s manifest. Most applications do not need access to SMS messages, so extra scrutiny could be applied to those that request it. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json b/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json index f0211b0c2d..f0b5d61a48 100644 --- a/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json +++ b/mobile-attack/relationship/relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8.json 
@@ -1,43 +1,42 @@ { "type": "bundle", - "id": "bundle--b2b5ce62-ad94-43e9-ab50-101e42a8625e", + "id": "bundle--3c14f346-2639-4884-89af-69fdea330970", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--087609b6-cc6c-402f-ada9-00dbcbfecbe8", "created": "2022-04-01T15:16:02.324Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "iOS Universal Links", - "url": "https://developer.apple.com/ios/universal-links/", - "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020." + "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.", + "url": "https://developer.apple.com/ios/universal-links/" }, { "source_name": "Android App Links", - "url": "https://developer.android.com/training/app-links/verify-site-associations", - "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020." + "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.", + "url": "https://developer.android.com/training/app-links/verify-site-associations" }, { "source_name": "IETF-PKCE", - "url": "https://tools.ietf.org/html/rfc7636", - "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. 
Retrieved December 21, 2016.", + "url": "https://tools.ietf.org/html/rfc7636" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:48.952Z", "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. ", - "modified": "2022-04-01T15:16:02.324Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8.json b/mobile-attack/relationship/relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8.json index cbb485861a..b700fedf4c 100644 --- a/mobile-attack/relationship/relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8.json +++ b/mobile-attack/relationship/relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--77ce3978-c8ee-4c3b-9447-a585565d3ddc", + "id": "bundle--20d26a07-d79e-437e-ac22-3461937c50e7", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--088c74f5-4b43-48aa-a2be-275f0c02ffc8", "created": "2023-07-21T19:38:06.254Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:38:06.254Z", + "modified": "2025-04-16T21:46:49.166Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can retrieve account information for third party services, such as Google, Telegram, WeChat, or WhatsApp.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0891421a-8476-4d37-b274-645b90f139c7.json b/mobile-attack/relationship/relationship--0891421a-8476-4d37-b274-645b90f139c7.json index 51d2126c67..06f2719d54 100644 --- a/mobile-attack/relationship/relationship--0891421a-8476-4d37-b274-645b90f139c7.json +++ b/mobile-attack/relationship/relationship--0891421a-8476-4d37-b274-645b90f139c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc0c2eae-72f3-4b37-a262-b703efb84bcf", + "id": "bundle--939c3b5d-8e80-492e-8d27-478431d8136f", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:30:02.657Z", + "modified": "2025-04-16T21:46:49.383Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect information regarding available Wi-Fi networks.(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json b/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json index 84c2c9128f..7d907385ef 100644 --- a/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json +++ b/mobile-attack/relationship/relationship--08a43019-d393-451f-a23c-2dfa17ec40b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8fcac243-57e6-489b-90b4-e6e94ae12b5a", + "id": "bundle--f7ac48e8-5d42-4aeb-9ccb-fc1db06745a4", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:51:07.963Z", + "modified": "2025-04-16T21:46:49.584Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can steal incoming SMS messages and send SMS messages from compromised devices. (Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json b/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json index 014b406fd5..57792630f0 100644 --- a/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json +++ b/mobile-attack/relationship/relationship--08c81253-975c-4780-8e85-c72bc6a90c88.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--0b155335-5366-475c-8ddd-9744150daa07", + "id": "bundle--e7d112c4-f101-4238-a4f5-717e5857de5f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--08c81253-975c-4780-8e85-c72bc6a90c88", "created": "2020-10-29T19:21:23.225Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", - "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", - "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:49.813Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can generate revenue by automatically displaying ads.(Citation: WeLiveSecurity AdDisplayAshas)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b.json b/mobile-attack/relationship/relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b.json index cda61617fb..35da18fc77 100644 --- a/mobile-attack/relationship/relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b.json +++ b/mobile-attack/relationship/relationship--08f1a4b1-96c9-44c2-bc5b-5a779541213b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--752b1b82-29a8-4407-984a-ce9986aba7c3", + "id": "bundle--39fba76d-83ae-4612-b4bf-f7111cc85f78", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:47:53.438Z", + "modified": "2025-04-16T21:46:50.033Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) replaces `/system/bin/ip` with a malicious version. [Dvmap](https://attack.mitre.org/software/S0420) can inject code by patching `libdmv.so` or `libandroid_runtime.so`, depending on the Android OS version. Both libraries are related to the Dalvik and ART runtime environments. The patched functions can only call `/system/bin/ip`, which was replaced with the malicious version.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--09059576-658b-4944-9f7b-df003319fdaa.json b/mobile-attack/relationship/relationship--09059576-658b-4944-9f7b-df003319fdaa.json index 866646e915..08a2fe2317 100644 --- a/mobile-attack/relationship/relationship--09059576-658b-4944-9f7b-df003319fdaa.json +++ b/mobile-attack/relationship/relationship--09059576-658b-4944-9f7b-df003319fdaa.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--72be9fb9-feb6-44a3-9c10-cac77612045f", + "id": "bundle--a73f4320-c2a0-4644-9699-fed44982d3ac", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--09059576-658b-4944-9f7b-df003319fdaa", "created": "2024-02-21T00:00:40.770Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T00:00:40.770Z", + "modified": "2025-04-16T21:46:50.261Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa.json b/mobile-attack/relationship/relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa.json new file mode 100644 index 0000000000..1aa9ba4592 --- /dev/null +++ b/mobile-attack/relationship/relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--cc26cb51-494d-4194-88a3-e85dada9248e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--094f56d7-1a7d-4937-ac1a-d2337626feaa", + "created": "2025-03-27T23:00:01.923Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:50.460Z", + "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has encrypted data using 3DES.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", + "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json b/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json index 0ec1b27717..ace07e9a81 100644 --- a/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json 
+++ b/mobile-attack/relationship/relationship--0972d3cf-717e-4ed2-a89d-9cbe61081956.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ad95045-f6ac-4f63-b00a-54194ec24a1b", + "id": "bundle--2a7a008b-8756-4f73-9541-70244511c087", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:21:56.899Z", + "modified": "2025-04-16T21:46:50.672Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has communicated with the C2 using HTTP requests or WebSockets as a backup.(Citation: Talos GPlayed) ", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json b/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json index 04c9bc3109..d48cc342b3 100644 --- a/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json +++ b/mobile-attack/relationship/relationship--0993769f-63fb-4720-bbcf-e6f37f71515e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--57015e21-578e-4e55-aef5-19eaee5b16de", + "id": "bundle--6585443b-edbf-4749-bc39-cfbadf861e04", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0993769f-63fb-4720-bbcf-e6f37f71515e", "type": "relationship", + "id": "relationship--0993769f-63fb-4720-bbcf-e6f37f71515e", "created": "2020-06-02T14:32:31.875Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", - "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", - "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], - "modified": "2020-06-02T14:32:31.875Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:50.893Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s name, serial number, iOS version, total disk space, and free disk space.(Citation: Google Project Zero Insomnia) ", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72.json b/mobile-attack/relationship/relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72.json index 9092c1e5fc..4fca1e5bc1 100644 
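Review bot: The rewritten object `relationship--0993769f-63fb-4720-bbcf-e6f37f71515e` still has no `revoked` or `x_mitre_deprecated` key, although it now declares `x_mitre_attack_spec_version` `3.2.0`. Other objects at the same spec version in this commit state both explicitly, for example `relationship--08c81253-975c-4780-8e85-c72bc6a90c88`. Tooling that filters ATT&CK content on these flags has to treat a missing key as `false` for these records, and a strict key lookup will error or drop them. I would add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`, matching the key order used in the sibling files. The same gap is in the hunks for `relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012`, `relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb`, `relationship--0a610208-06af-425f-a9af-cd0899261e33`, `relationship--0a737289-c62d-4c0a-a857-6d116f774864` and `relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1`.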
--- a/mobile-attack/relationship/relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72.json +++ b/mobile-attack/relationship/relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--f46fe1ac-c40c-418d-8851-2de578a91384", + "id": "bundle--8d24ba00-49e3-4300-afe6-aeb553aa39e6", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--09ad7d9f-d618-46c2-a9f3-e4a943245a72", "created": "2023-09-21T19:37:48.020Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T19:37:48.020Z", + "modified": "2025-04-16T21:46:51.093Z", "description": "Users can be trained to identify social engineering techniques and phishing emails.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json b/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json index df3cc330d8..f77e14b18f 100644 --- a/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json +++ b/mobile-attack/relationship/relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--5f3860e9-8cfa-492d-9cb6-7ca518c41169", + "id": "bundle--ee4ba2cb-956e-4027-8f89-25c57fb6abb3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--09c55c29-ce4f-4d3e-a940-f3a4b6f07bca", "created": "2022-04-06T13:22:57.754Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:51.323Z", "description": "", - "modified": "2022-04-06T13:22:57.754Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json b/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json index 7a15d99e37..292c89273f 100644 --- a/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json +++ b/mobile-attack/relationship/relationship--09c6bbd4-9058-4657-9d8e-656439637ac6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed38dcea-fb9e-4213-88fd-a5c6207e1659", + "id": "bundle--824dee0e-962d-45d7-b283-f3ec9a9d641d", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:15:16.326Z", + "modified": "2025-04-16T21:46:51.523Z", "description": "Application vetting services could look for `android.permission.READ_CALL_LOG` in an Android application\u2019s manifest. Most applications do not need call log access, so extra scrutiny could be applied to those that request it. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json b/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json index 012bbc871e..f0d0e7d0b2 100644 --- a/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json +++ b/mobile-attack/relationship/relationship--09d08f16-9e4d-4279-9a8c-bdda7afdb37d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--878f7982-1e21-4268-b6e8-550f4b2b1d6a", + "id": "bundle--ac887452-661f-4123-8afa-919cbfe0bead", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:07:32.636Z", + "modified": "2025-04-16T21:46:51.755Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has encoded files, such as exploit binaries, to potentially use during and after the rooting process.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json b/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json index bfb6d1c89a..205fed0ef1 100644 --- a/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json +++ b/mobile-attack/relationship/relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012.json 
@@ -1,22 +1,22 @@ { "type": "bundle", - "id": "bundle--da6601e5-9897-4000-8643-08392daf0b56", + "id": "bundle--67a3e688-da71-49e4-89e9-2d65d609c472", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--0a28b2f2-ca0e-4d9f-9840-26e8ce944012", - "type": "relationship", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2018-10-17T00:14:20.652Z", + "modified": "2025-04-16T21:46:51.960Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f296fc9c-2ff5-43ee-941e-6b49c438270a", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json b/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json index 1eadc0d066..b9aa1ea518 100644 --- a/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json +++ b/mobile-attack/relationship/relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--2dc9e55b-7511-4523-946e-603bbdb2b394", + "id": "bundle--38f1ec70-9e9f-4fa1-b1e0-6f890c26a520", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb", "type": "relationship", + "id": "relationship--0a2e4b01-e78f-4c05-b157-c6714d34fddb", "created": "2020-12-18T20:14:47.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "modified": "2020-12-18T20:14:47.412Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:52.164Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has included native modules.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json b/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json index f7ea8efa75..33ef9cd30d 100644 --- a/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json +++ b/mobile-attack/relationship/relationship--0a610208-06af-425f-a9af-cd0899261e33.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--1f1f3bb2-f172-445d-a9e7-8b90af9dbc19", + "id": "bundle--fd48c8de-3c03-4f3b-8441-8eab6c73d380", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0a610208-06af-425f-a9af-cd0899261e33", "type": "relationship", + "id": "relationship--0a610208-06af-425f-a9af-cd0899261e33", "created": "2020-09-11T15:45:38.450Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-09-11T15:45:38.450Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:52.372Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can send SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json b/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json index 6b0d0e1e29..d5c5ba34d6 100644 --- a/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json +++ b/mobile-attack/relationship/relationship--0a737289-c62d-4c0a-a857-6d116f774864.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b9f6fcc1-79f9-47b8-a24d-4fae4ff4d276", + "id": "bundle--bba08650-63da-4cf5-95f2-6780cbab99de", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0a737289-c62d-4c0a-a857-6d116f774864", "type": "relationship", + "id": "relationship--0a737289-c62d-4c0a-a857-6d116f774864", "created": "2020-06-26T15:12:40.077Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", - "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", - "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], - "modified": "2020-06-26T15:12:40.077Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:52.578Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to read any text displayed on the screen.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0ae94053-1963-45ba-a3a9-62e508281c8e.json b/mobile-attack/relationship/relationship--0ae94053-1963-45ba-a3a9-62e508281c8e.json index 402757371e..63fdac8854 100644 --- a/mobile-attack/relationship/relationship--0ae94053-1963-45ba-a3a9-62e508281c8e.json +++ b/mobile-attack/relationship/relationship--0ae94053-1963-45ba-a3a9-62e508281c8e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8d3b1111-5d4f-4627-b728-9d815c835458", + "id": "bundle--88dacd69-5781-40aa-bbfe-7d0ca23d15cd", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:21:58.318Z", + "modified": "2025-04-16T21:46:52.797Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can install malicious configurations on iPhones to allow malware to be installed via Ad Hoc distribution.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json b/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json index 72b1171fa5..65013d1494 100644 --- a/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json +++ b/mobile-attack/relationship/relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--ce36715c-4499-4ba3-bc0e-cd0f521f5990", + "id": "bundle--34920b00-d8cd-44d5-b6e4-3687c6ec986a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--0b1aae4b-4dcd-41b6-a708-1441e5a24070", "created": "2022-04-15T17:18:44.185Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Talos Gustuff Apr 2019", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:52.998Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) obfuscated command information using a custom base85-based encoding.(Citation: Talos Gustuff Apr 2019)", - "modified": "2022-04-15T17:18:44.185Z", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json b/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json index ad09223509..52e16559c8 100644 --- a/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json +++ b/mobile-attack/relationship/relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--c3eb29e5-3885-4ee9-b2f3-9c8484606485", + "id": "bundle--51ad0019-87c9-4544-b1a5-1c2de8e7e79d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--0b1e5e78-9ee1-4fc3-9fe7-dc069b59e77d", "created": "2020-05-04T14:04:56.179Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Google Bread", - "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", - "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:53.266Z", "description": "[Bread](https://attack.mitre.org/software/S0432) payloads have used several commercially available packers.(Citation: Google Bread)", - "modified": "2022-04-15T17:20:54.552Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No 
newline at end of file diff --git a/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json b/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json index df2c2fd161..f4a54b202e 100644 --- a/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json +++ b/mobile-attack/relationship/relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--b9d7a235-7567-491c-90de-8458367f770a", + "id": "bundle--95532005-dddc-44f4-8652-b7458b3847fd", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--0b1f2735-97d9-4f4a-9967-9fa1464bb651", "created": "2023-04-11T19:54:52.711Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-11T19:54:52.711Z", + "modified": "2025-04-16T21:46:53.464Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can programmatically tap the screen or swipe.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json b/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json index 66c0958493..6094077008 100644 
--- a/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json +++ b/mobile-attack/relationship/relationship--0b531974-1a28-4f16-ba34-1f7c8371b6b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13f5c2d7-82b9-4fd3-b77b-0543dd901282", + "id": "bundle--b57990d8-5b57-4d3b-9e93-ae5fa0eb6990", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T17:15:34.376Z", + "modified": "2025-04-16T21:46:53.668Z", "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json b/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json index 8b4a968e63..471fe7af33 100644 --- a/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json +++ b/mobile-attack/relationship/relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--2334eeae-ac19-4548-b708-bc34f22b4125", + "id": "bundle--003cf730-132c-44f9-9e43-6567bcab2eaf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1", "type": "relationship", + "id": "relationship--0b5bfa77-51b4-41b4-ae03-88b585d143c1", "created": "2020-09-11T14:54:16.650Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2020-09-11T14:54:16.650Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:53.875Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) has been distributed in multiple stages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json b/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json index 07b891c88f..9f64e09cfc 100644 --- a/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json +++ b/mobile-attack/relationship/relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3efdf46d-78b1-42f7-b818-f21eef1251e5", + "id": "bundle--3a1729ce-695d-4b44-a809-93d38c351dba", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253", "type": "relationship", + "id": "relationship--0b693e45-cc20-45a9-846f-2f5f4d3a3253", "created": "2020-12-31T18:25:05.178Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], - "modified": "2020-12-31T18:25:05.178Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:54.086Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has fingerprinted devices to uniquely identify them.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json b/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json index 126a8eff37..e7fcbc9051 100644 
--- a/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json +++ b/mobile-attack/relationship/relationship--0bb6f851-4302-4936-a98e-d23feecb234d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4e36b684-22f0-4a77-a519-dee7e087e3ca", + "id": "bundle--c9f87e69-c282-472e-97dc-cb87ce93552d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0bb6f851-4302-4936-a98e-d23feecb234d", "type": "relationship", + "id": "relationship--0bb6f851-4302-4936-a98e-d23feecb234d", "created": "2020-06-02T14:32:31.777Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", - "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", - "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], - "modified": "2020-06-02T14:32:31.777Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:54.320Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) exploits a WebKit vulnerability to achieve root access on the device.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json b/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json index 59487b48df..422fc03749 100644 --- a/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json +++ b/mobile-attack/relationship/relationship--0bbe5936-04bf-4c9a-bb43-cd37f36c3349.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--252e4b91-ad69-433f-965e-f58cd56993b4", + "id": "bundle--9670e24c-848a-49fd-8e79-e50b84f4404b", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:44:31.187Z", + "modified": "2025-04-16T21:46:54.522Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has registered to receive 14 different broadcast intents for automatically triggering malware payloads. (Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e.json b/mobile-attack/relationship/relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e.json index f0fd9b44b2..abf223305f 100644 --- a/mobile-attack/relationship/relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e.json +++ b/mobile-attack/relationship/relationship--0bc73d69-e769-4d0f-9d44-368c94225b6e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2fd5ff9f-95b3-4654-b79a-7784d9d3270f", + "id": "bundle--757ab613-b957-47f5-a327-faf7ebb4ccbf", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:50:39.124Z", + "modified": "2025-04-16T21:46:54.749Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access the device\u2019s contact list.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad.json b/mobile-attack/relationship/relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad.json index 3efdbe33ae..396948a44b 100644 --- a/mobile-attack/relationship/relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad.json +++ b/mobile-attack/relationship/relationship--0bc73eaf-a771-4ed0-b1f9-081ff4ca73ad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1b8d56f4-caef-42f4-8244-d5946ab859e5", + "id": "bundle--ba9d715b-22f2-48df-b568-f90a2598b352", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T16:44:01.271Z", + "modified": "2025-04-16T21:46:54.960Z", "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db.json b/mobile-attack/relationship/relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db.json index 1e9da234a6..304d6229df 100644 --- a/mobile-attack/relationship/relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db.json +++ b/mobile-attack/relationship/relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b93a7e5b-28f0-4833-a821-277e07a810b9", + "id": "bundle--17e3530b-d2f0-4b35-874c-9bed834e3b39", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db", "type": "relationship", + "id": "relationship--0bcdeb29-6eed-4c96-a9ae-e56aadc4a5db", "created": "2019-08-09T17:59:48.988Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "source_name": "Lookout-StealthMango" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-08-09T17:59:48.988Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:55.163Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record and take pictures using the front and back cameras.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0c077d44-1c79-473c-8623-d6267ab47f34.json b/mobile-attack/relationship/relationship--0c077d44-1c79-473c-8623-d6267ab47f34.json new file mode 100644 index 0000000000..4d288267ca --- /dev/null 
+++ b/mobile-attack/relationship/relationship--0c077d44-1c79-473c-8623-d6267ab47f34.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a3b29227-55bc-478a-b000-68bb9a2aa9c0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0c077d44-1c79-473c-8623-d6267ab47f34", + "created": "2025-03-28T14:58:52.516Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:55.387Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors exploited a kernel vulnerability to obtain root privileges.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0c417238-738d-4bda-8359-d37d39414ebe.json b/mobile-attack/relationship/relationship--0c417238-738d-4bda-8359-d37d39414ebe.json index 7c40c10705..a2e2b8e56f 100644 --- a/mobile-attack/relationship/relationship--0c417238-738d-4bda-8359-d37d39414ebe.json +++ b/mobile-attack/relationship/relationship--0c417238-738d-4bda-8359-d37d39414ebe.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--7f2675f9-3ee1-4404-9e30-929ff50baa9f", + "id": "bundle--e1388676-0675-4aaf-b26e-4f881f7898cf", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--0c417238-738d-4bda-8359-d37d39414ebe", "created": "2023-08-04T18:30:41.599Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:30:41.599Z", + "modified": "2025-04-16T21:46:55.603Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate phone number and IMEI.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0c49a6e0-9837-424d-877b-4e232f5fe250.json b/mobile-attack/relationship/relationship--0c49a6e0-9837-424d-877b-4e232f5fe250.json index f532262a12..07aed6f6f7 100644 --- a/mobile-attack/relationship/relationship--0c49a6e0-9837-424d-877b-4e232f5fe250.json +++ b/mobile-attack/relationship/relationship--0c49a6e0-9837-424d-877b-4e232f5fe250.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5a8240ac-af42-49e0-9475-1b43981aa1fb", + "id": "bundle--10a55b64-65cd-4a00-a42c-0768fcb805bd", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:30:13.417Z", + "modified": "2025-04-16T21:46:55.810Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to communicate with the C2 server using HTTPS.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0c558826-5cea-422e-8e67-83e53c04d409.json b/mobile-attack/relationship/relationship--0c558826-5cea-422e-8e67-83e53c04d409.json index de6a0a3f61..59236d8434 100644 --- a/mobile-attack/relationship/relationship--0c558826-5cea-422e-8e67-83e53c04d409.json +++ b/mobile-attack/relationship/relationship--0c558826-5cea-422e-8e67-83e53c04d409.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--290888ea-d4a7-45b8-b391-f89838cd17bf", + "id": "bundle--bb398b77-591e-41ca-a07c-e7f93c184e77", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--0c558826-5cea-422e-8e67-83e53c04d409", "created": "2020-06-26T15:32:25.146Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "CheckPoint Cerberus", - "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", - "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." + "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", + "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:56.020Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 using HTTP requests over port 8888.(Citation: CheckPoint Cerberus)", - "modified": "2022-04-20T16:37:46.192Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0cabc5f9-045e-490c-a97f-efe00dbade86.json b/mobile-attack/relationship/relationship--0cabc5f9-045e-490c-a97f-efe00dbade86.json index 476ecf89cd..2d05d647e7 100644 --- a/mobile-attack/relationship/relationship--0cabc5f9-045e-490c-a97f-efe00dbade86.json +++ b/mobile-attack/relationship/relationship--0cabc5f9-045e-490c-a97f-efe00dbade86.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--be397140-57d0-47b8-918f-0b1707faac67", + "id": "bundle--d19b2861-ff38-4ff8-8380-300a14383a43", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0cabc5f9-045e-490c-a97f-efe00dbade86", "type": "relationship", + "id": "relationship--0cabc5f9-045e-490c-a97f-efe00dbade86", "created": "2020-01-27T17:05:58.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "source_name": "Trend Micro Bouncing Golf 2019" + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-01-27T17:05:58.276Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:56.275Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record video.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0cae6859-d7d1-483b-b473-4f32084938a9.json b/mobile-attack/relationship/relationship--0cae6859-d7d1-483b-b473-4f32084938a9.json index 754b78db31..5b943124c4 100644 --- a/mobile-attack/relationship/relationship--0cae6859-d7d1-483b-b473-4f32084938a9.json +++ b/mobile-attack/relationship/relationship--0cae6859-d7d1-483b-b473-4f32084938a9.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--bcbd3edc-1054-4e58-9e4a-a03da20f7c73", + "id": "bundle--33045032-1e08-4bf0-9838-2bb4053af8c1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9", "type": "relationship", + "id": "relationship--0cae6859-d7d1-483b-b473-4f32084938a9", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], - "modified": "2019-08-09T17:52:31.818Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:56.483Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to record device audio.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a.json b/mobile-attack/relationship/relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a.json new file mode 100644 index 0000000000..67da7e0a05 --- /dev/null +++ b/mobile-attack/relationship/relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--95424ae1-6680-4cf6-b1fe-bd2247163d00", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0cd58f68-2c93-4ecc-a7fb-b4aad483d14a", + "created": "2025-03-27T22:53:40.058Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:56.713Z", + "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has used the Protobuf library for command and control communication.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c.json b/mobile-attack/relationship/relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c.json index 6720edc8cc..5ce04a200b 100644 --- a/mobile-attack/relationship/relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c.json 
+++ b/mobile-attack/relationship/relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--3a49abea-9f07-4f73-b87e-a259968449cd", + "id": "bundle--3b77b7b5-0a57-44c3-a690-c39e8c02e731", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--0ce5bf43-39e1-4afb-a939-1984cc2d235c", "created": "2022-04-01T18:51:44.595Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:56.918Z", "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", - "modified": "2022-04-01T18:51:44.595Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0cf39d51-2d80-4576-b088-e787b113513e.json b/mobile-attack/relationship/relationship--0cf39d51-2d80-4576-b088-e787b113513e.json index 6468941de9..ffad44c22b 100644 --- a/mobile-attack/relationship/relationship--0cf39d51-2d80-4576-b088-e787b113513e.json +++ b/mobile-attack/relationship/relationship--0cf39d51-2d80-4576-b088-e787b113513e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--accb6dfe-abae-4adc-a22c-7382fa735c55", + "id": "bundle--7686afd2-da9a-40ec-88fd-910521b3bf82", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-30T21:05:31.625Z", + "modified": "2025-04-16T21:46:57.132Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can use HTTP to communicate with the C2 server.(Citation: Zimperium FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f.json b/mobile-attack/relationship/relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f.json index eea690b45b..815233d2e5 100644 --- a/mobile-attack/relationship/relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f.json +++ b/mobile-attack/relationship/relationship--0cfbea52-d6ab-467f-97e5-8c74b332b16f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--089382e6-6ff7-4706-aeab-89586eb3fd66", + "id": "bundle--0e7932ff-f5fc-4ca2-8f97-22e508facba5", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:41:52.454Z", + "modified": "2025-04-16T21:46:57.380Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has hidden its app icon.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b.json b/mobile-attack/relationship/relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b.json index b2b5cedb15..2588089e70 100644 --- a/mobile-attack/relationship/relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b.json +++ b/mobile-attack/relationship/relationship--0d12ee41-9ac0-4083-bc28-6568be4b9d5b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e44bf6e-2734-426c-abf6-e43ae31cd8af", + "id": "bundle--6cffa6a2-df11-4ff3-b77f-275bc14e2920", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:50:42.655Z", + "modified": "2025-04-16T21:46:57.583Z", "description": "On Android, the user can review which applications have Device Administrator access in the device settings and revoke permission where appropriate. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a.json b/mobile-attack/relationship/relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a.json index 8e64061cc0..c164e42c48 100644 --- a/mobile-attack/relationship/relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a.json +++ b/mobile-attack/relationship/relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4c1b51cd-7519-48a5-9101-ba22d6b176eb", + "id": "bundle--92e1bc6e-2a41-48fa-8d07-954413c96f44", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a", "type": "relationship", + "id": "relationship--0d2d9c6e-6ac8-4cda-bfa4-cedf26a1760a", "created": "2021-02-17T20:43:52.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], - "modified": "2021-02-17T20:43:52.333Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:57.814Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has used an online cell tower geolocation service to track targets.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184.json b/mobile-attack/relationship/relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184.json index 547a485192..aa0005ac28 100644 --- a/mobile-attack/relationship/relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184.json +++ b/mobile-attack/relationship/relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7240d83a-e5be-4813-80fb-5c90d81f1a6d", + "id": "bundle--6d96bcde-1a56-46fd-9777-875d9412e054", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--0d305e1e-df8f-4028-bf6f-1d7fed9e6184", "created": "2022-03-30T17:53:56.805Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:58.016Z", "description": "", - "modified": "2022-03-30T17:53:56.805Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43.json b/mobile-attack/relationship/relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43.json new file mode 100644 index 0000000000..4a2e893084 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--fc78f255-4243-483b-a3b8-17bbfbd218f0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0d58e937-7e0f-4e1e-8c17-bab3906d7c43", + "created": "2024-04-02T19:46:33.757Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:58.222Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) has used blank screen overlays to hide malicious activity from the user.(Citation: welivesecurity_apt-c-23)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594.json b/mobile-attack/relationship/relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594.json index 6cdb246bd9..ac890c38b9 100644 --- a/mobile-attack/relationship/relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594.json +++ b/mobile-attack/relationship/relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--532ef554-0322-42a5-bcc0-ab4c904e237a", + "id": "bundle--11deb610-8521-49e6-ad66-c551ce4f5a3d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--0d82a9ed-4184-4f95-99f4-5ee467fe6594", "created": "2022-04-05T17:14:08.267Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:58.426Z", "description": "", - "modified": "2022-04-05T17:14:08.267Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50.json b/mobile-attack/relationship/relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50.json new file mode 100644 index 0000000000..1d5ddf30c8 --- /dev/null +++ b/mobile-attack/relationship/relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--89becd56-e3ff-4c80-90d8-1635de74d90e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--0df1f5d1-f2fd-441e-b3ce-bcd64f5f5f50", + "created": "2025-03-24T20:14:19.503Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:58.645Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has used both HTTPS and Websockets to communicate with the C2.(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0e8607f6-daab-44df-b167-105403a4ef41.json b/mobile-attack/relationship/relationship--0e8607f6-daab-44df-b167-105403a4ef41.json index 4451a2b523..a9a7377556 100644 --- a/mobile-attack/relationship/relationship--0e8607f6-daab-44df-b167-105403a4ef41.json +++ b/mobile-attack/relationship/relationship--0e8607f6-daab-44df-b167-105403a4ef41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8cb04940-b6eb-4583-9e1c-3fb9d0c91212", + "id": "bundle--32011ba7-8051-45e9-b142-17039668ed73", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:39:39.355Z", + "modified": "2025-04-16T21:46:58.873Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use the \u201cDirect Reply\u201d feature of Android to automatically reply to notifications with a message provided by C2.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39.json b/mobile-attack/relationship/relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39.json index a93ca9e768..a39985d0df 100644 --- a/mobile-attack/relationship/relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39.json +++ b/mobile-attack/relationship/relationship--0e9968b7-ad1e-440d-9fe3-2599a1571f39.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e7bcbc76-b836-4139-86c6-95a2dee6a970", + "id": "bundle--013f1148-d7ed-403e-9cf2-6649aee5a782", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:59:55.854Z", + "modified": "2025-04-16T21:46:59.077Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) communicates with the C2 using HTTP requests.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1.json b/mobile-attack/relationship/relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1.json index 77eaca2b70..eb26fd82b9 100644 --- a/mobile-attack/relationship/relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1.json +++ b/mobile-attack/relationship/relationship--0e9edc13-7af7-43c4-8ec2-636b1f8cb7f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a53107c-24ee-46e2-a276-d0d52c714472", + "id": "bundle--b7015368-f2e6-4871-ad6d-bbe07213966c", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:25:52.381Z", + "modified": "2025-04-16T21:46:59.320Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) uses root privileges (if available) to copy an additional Android app package (APK) to /system/priv-app to maintain persistence even after a factory reset.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4.json b/mobile-attack/relationship/relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4.json index ad49aa060d..6931c90acc 100644 --- a/mobile-attack/relationship/relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4.json +++ b/mobile-attack/relationship/relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--621b3ea1-4593-4fba-918d-03e9e8a3fb28", + "id": "bundle--1ca5e304-76a7-4f0e-8bd5-d87e1b70d11e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4", "type": "relationship", + "id": "relationship--0ef4845d-994e-4f0d-9eed-7cf600fc03b4", "created": "2020-06-02T14:32:31.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", - "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", - "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], - "modified": "2020-06-02T14:32:31.885Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:59.528Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can track the device\u2019s location.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd.json b/mobile-attack/relationship/relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd.json index 48c909671b..565b8f872f 100644 
--- a/mobile-attack/relationship/relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd.json +++ b/mobile-attack/relationship/relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--c50facfe-f55a-4eea-ad34-6545d2a69f20", + "id": "bundle--8fc41ae0-b7ac-4cb2-89d1-2f59defa7191", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--0efe4125-504f-4eea-b19f-a44c81ee31dd", "created": "2021-01-05T20:16:20.488Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:46:59.760Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can launch a fake Facebook login page.(Citation: Zscaler TikTok Spyware)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b.json b/mobile-attack/relationship/relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b.json index 76edbec110..86918a1431 100644 --- a/mobile-attack/relationship/relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b.json +++ b/mobile-attack/relationship/relationship--0f116d99-9ce4-4790-aeda-ad9199d8bf7b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6b0c207-14a6-4879-bb98-cf8f9c392833", + "id": "bundle--38c90550-0e36-494e-8cbb-db678f138226", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:06:56.734Z", + "modified": "2025-04-16T21:46:59.983Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can send SMS phishing messages to other contacts on an infected device.(Citation: proofpoint_flubot_0421)(Citation: bitdefender_flubot_0524)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369.json b/mobile-attack/relationship/relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369.json index 9531b8c9c9..369c293ba0 100644 --- a/mobile-attack/relationship/relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369.json +++ b/mobile-attack/relationship/relationship--0f70bdf1-a6a7-406c-a4c0-cee509ff8369.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fff99e48-18f4-4cf2-84d1-6a0498f2792a", + "id": "bundle--2260b3ae-0f4c-4b49-86bb-a4059ae2d108", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:43:17.131Z", + "modified": "2025-04-16T21:47:00.216Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can exfiltrate captured user credentials and event logs back to the C2 server. (Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef.json b/mobile-attack/relationship/relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef.json index 8608fc70fa..377cde94d4 100644 --- a/mobile-attack/relationship/relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef.json +++ b/mobile-attack/relationship/relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--233241c4-7ad4-4fc2-8bf9-c2d7d9d57184", + "id": "bundle--fc97624e-13a0-43e1-801d-61934a85a94e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef", "type": "relationship", + "id": "relationship--0f7e7c29-43f0-4aff-ae83-dfff331915ef", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], - "modified": "2019-10-10T15:24:09.248Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:00.436Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) collects the device's location.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2.json b/mobile-attack/relationship/relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2.json index bb8ca13f5d..a8b2820f6c 100644 --- a/mobile-attack/relationship/relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2.json +++ b/mobile-attack/relationship/relationship--0f949bc5-9f6a-4ec8-a29a-87e309aa08a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6be197ef-66ca-4855-a49c-8f8c561a5f4b", + "id": "bundle--6486538b-4e78-4f4e-88e2-6b8b9e9c71cc", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:20:48.937Z", + "modified": "2025-04-16T21:47:00.657Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has modified or configured proxy information.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936.json b/mobile-attack/relationship/relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936.json index 903486fb16..ef0cb05997 100644 --- a/mobile-attack/relationship/relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936.json +++ b/mobile-attack/relationship/relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--21566f17-ae90-4c69-96c2-88c31748a2a6", + "id": "bundle--28c76afa-52b7-4e54-a563-47eded2de722", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--0fd34764-8a5d-43da-9bdf-5a0b7e436936", "created": "2019-08-29T18:57:55.926Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Samsung Keyboards", - "url": "https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-", - "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved September 1, 2019." + "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20201112021547/https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:00.868Z", "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards) An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. 
", - "modified": "2022-04-05T19:41:57.905Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--10560632-6449-4579-90eb-20fc46dcca08.json b/mobile-attack/relationship/relationship--10560632-6449-4579-90eb-20fc46dcca08.json index b3c92395aa..963cd84a23 100644 --- a/mobile-attack/relationship/relationship--10560632-6449-4579-90eb-20fc46dcca08.json +++ b/mobile-attack/relationship/relationship--10560632-6449-4579-90eb-20fc46dcca08.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--18267002-2b1e-4260-b89d-1c7dc0b39cdf", + "id": "bundle--b179a14c-e89d-4836-baec-172175264cec", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:49:16.886Z", + "modified": "2025-04-16T21:47:01.070Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can check that the device IP is not in the range of known Google IP addresses before triggering the payload and can delay payload deployment to avoid detection during testing and avoid association with unwanted ads.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--10c07066-df05-4dff-bb95-c76be02ea4ef.json b/mobile-attack/relationship/relationship--10c07066-df05-4dff-bb95-c76be02ea4ef.json index ce2815fa58..2e6ef7074a 100644 --- a/mobile-attack/relationship/relationship--10c07066-df05-4dff-bb95-c76be02ea4ef.json +++ b/mobile-attack/relationship/relationship--10c07066-df05-4dff-bb95-c76be02ea4ef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02f5a1d1-77ec-482b-889e-aeaf05d5f63c", + "id": "bundle--c64f2ce2-aa9a-4b20-b787-7c5f03f2d018", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:30:00.975Z", + "modified": "2025-04-16T21:47:01.280Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) imposes geo-restrictions when delivering the second stage.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451.json b/mobile-attack/relationship/relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451.json index 1aa93a491b..c7afbf1f84 100644 --- a/mobile-attack/relationship/relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451.json +++ b/mobile-attack/relationship/relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--7e61bb59-225e-4e61-a575-f7e9cf10122b", + "id": "bundle--fb1cc708-9b06-42c0-8d71-5526c87ce2df", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451", "type": "relationship", + "id": "relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451", "created": "2019-10-10T15:03:27.682Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-10-10T15:03:27.682Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:01.486Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One encrypts data using XOR prior to exfiltration.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--11113fa5-150e-4574-89fc-5db66479e268.json b/mobile-attack/relationship/relationship--11113fa5-150e-4574-89fc-5db66479e268.json index b3fba52f3d..9b022e2c79 100644 --- a/mobile-attack/relationship/relationship--11113fa5-150e-4574-89fc-5db66479e268.json +++ b/mobile-attack/relationship/relationship--11113fa5-150e-4574-89fc-5db66479e268.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--268cf411-1a5f-4a30-a12a-b61ffc065bd4", + "id": "bundle--d8072be0-d37d-4a79-9d61-245f279d9e34", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--11113fa5-150e-4574-89fc-5db66479e268", "created": "2023-12-18T18:13:28.074Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -23,16 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:13:28.074Z", + "modified": "2025-04-16T21:47:01.709Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has used an initial dropper to download an additional malicious application, and downloads its configuration file from the C2 server.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--112966ab-6e28-482b-8bea-ed9f4ed17064.json b/mobile-attack/relationship/relationship--112966ab-6e28-482b-8bea-ed9f4ed17064.json index 38376c2db0..3bb87f1a65 100644 --- a/mobile-attack/relationship/relationship--112966ab-6e28-482b-8bea-ed9f4ed17064.json +++ b/mobile-attack/relationship/relationship--112966ab-6e28-482b-8bea-ed9f4ed17064.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--0019f5bf-0260-49aa-ba54-a00bd0d23e1a", + "id": "bundle--2980e85c-2de5-42ab-87f2-c716622bbb2d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--112966ab-6e28-482b-8bea-ed9f4ed17064", "created": "2024-02-20T23:44:07.210Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:44:07.210Z", + "modified": "2025-04-16T21:47:01.906Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--114f4334-16f4-402e-981a-902b2c9be6fb.json b/mobile-attack/relationship/relationship--114f4334-16f4-402e-981a-902b2c9be6fb.json index da90ad5ef6..ea3a5e4140 100644 
--- a/mobile-attack/relationship/relationship--114f4334-16f4-402e-981a-902b2c9be6fb.json +++ b/mobile-attack/relationship/relationship--114f4334-16f4-402e-981a-902b2c9be6fb.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--5d21569d-0bee-41c7-a52e-f34789a75355", + "id": "bundle--bdc0790a-d760-476e-b7a7-d55e2d30b179", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--114f4334-16f4-402e-981a-902b2c9be6fb", "created": "2024-04-17T16:42:31.778Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-17T16:42:31.778Z", + "modified": "2025-04-16T21:47:02.111Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) distributed [StrongPity](https://attack.mitre.org/software/S0491) through the compromised official Syrian E-Gov website.(Citation: trendmicro_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae.json b/mobile-attack/relationship/relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae.json index b4414f196c..f89b8f8516 100644 --- a/mobile-attack/relationship/relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae.json 
+++ b/mobile-attack/relationship/relationship--117a7e1e-d5dc-451d-ab79-f29bdfec40ae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5287926-63dc-4542-961a-8baff589d77c", + "id": "bundle--28782fc3-9b21-4d21-b058-b5559a54c25a", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.743Z", + "modified": "2025-04-16T21:47:02.315Z", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was placed in a repackaged version of an application used by Ukrainian artillery forces.(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--119b848b-84b4-4f86-a265-0c9eb8680072.json b/mobile-attack/relationship/relationship--119b848b-84b4-4f86-a265-0c9eb8680072.json index c25a243785..9884ea3d7b 100644 --- a/mobile-attack/relationship/relationship--119b848b-84b4-4f86-a265-0c9eb8680072.json +++ b/mobile-attack/relationship/relationship--119b848b-84b4-4f86-a265-0c9eb8680072.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--9deb0354-0237-4340-a680-ee6950bd13ca", + "id": "bundle--4022415f-216e-4c49-aad6-470dbd3edc80", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--119b848b-84b4-4f86-a265-0c9eb8680072", "created": "2021-10-01T14:42:49.171Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:02.514Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can be controlled via IRC using freenode.net servers.(Citation: SecureList BusyGasper)", - "modified": "2022-04-18T19:01:58.546Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f.json b/mobile-attack/relationship/relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f.json index bc16693a32..5ef2625e51 100644 --- a/mobile-attack/relationship/relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f.json +++ b/mobile-attack/relationship/relationship--11a1da8f-f0db-4abe-88bb-1ab06f271f3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b115f8a5-4c90-4452-a7de-3e0a5cff47f8", + "id": "bundle--7b44cccc-6107-4b91-8cb5-0248593002e7", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:57.223Z", + "modified": "2025-04-16T21:47:02.718Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506)\u2019s second stage has masqueraded as \u201cSystem Updates\u201d, \u201cViber Update\u201d, and \u201cWhatsApp Update\u201d.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--11a992e7-83a3-4dc3-b391-fbd79e518943.json b/mobile-attack/relationship/relationship--11a992e7-83a3-4dc3-b391-fbd79e518943.json index 0211779fe8..9c02044a3a 100644 --- a/mobile-attack/relationship/relationship--11a992e7-83a3-4dc3-b391-fbd79e518943.json +++ b/mobile-attack/relationship/relationship--11a992e7-83a3-4dc3-b391-fbd79e518943.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f344e8cd-1e89-4ea3-a3c5-ba99c93d93fe", + "id": "bundle--59a060b8-c38d-42fd-9d6b-8cf8ee684cc8", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--11a992e7-83a3-4dc3-b391-fbd79e518943", "created": "2023-07-21T19:40:08.668Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:40:08.668Z", + "modified": "2025-04-16T21:47:02.923Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can encrypt its data before exfiltration.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a.json b/mobile-attack/relationship/relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a.json new file mode 100644 index 0000000000..f8b5417a9d --- /dev/null +++ b/mobile-attack/relationship/relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--9f2f960c-a253-4455-9f84-ee675e385e6a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--11b20d60-6bec-4ce4-b02f-38ec276b3c9a", + "created": "2025-03-24T14:58:31.408Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee MoqHao 2019", + "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:03.132Z", + "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has attempted to detect anti-spam call applications.(Citation: McAfee MoqHao 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", + "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e.json b/mobile-attack/relationship/relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e.json new file mode 100644 index 0000000000..aeff658c1c --- /dev/null +++ b/mobile-attack/relationship/relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--f4b1d138-3f67-43bd-963d-e4f08be702e2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--11e30c59-c1bf-4354-9255-a6eb67d7a79e", + "created": "2025-03-28T15:11:21.490Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:03.369Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors stole data from SQLite databases.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879.json b/mobile-attack/relationship/relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879.json index dec2096237..6a0c99ad37 100644 --- a/mobile-attack/relationship/relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879.json +++ b/mobile-attack/relationship/relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--72fce200-70eb-4436-9136-fce84a30a1be", + "id": "bundle--85a74800-67c6-41b5-8812-4aba5e22a673", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879", "type": "relationship", + "id": "relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879", "created": "2019-09-04T14:28:16.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2019-09-04T14:32:13.000Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:03.575Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) uses XOR to obfuscate its second stage binary.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f.json b/mobile-attack/relationship/relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f.json index b1b5c4fa91..35bdba0a58 100644 
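Review bot: The rewritten object for relationship--12098dee-27b3-4d0b-a15a-6b5955ba8879 ends up with neither `"revoked"` nor `"x_mitre_deprecated"`, while other relationships touched by this same patch (for example relationship--10e02179-0434-4d4b-86b4-5d9fbc5d5451) gain both as explicit `false`. A consumer that selects active objects by testing for an explicit `"x_mitre_deprecated": false`, rather than treating a missing key as false, would presumably drop this Monokle mapping from its coverage view. I would add `"revoked": false,` after `"created_by_ref"` and `"x_mitre_deprecated": false,` before `"x_mitre_attack_spec_version"`, matching the key order used in the rest of the patch. The hunk for relationship--1250f91c-723d-4b4c-afea-b3a71101951f has the same gap.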
--- a/mobile-attack/relationship/relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f.json +++ b/mobile-attack/relationship/relationship--1218ed50-bd44-4f37-baba-1aae998b5a1f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--661d37a5-89b2-443a-844b-c588c38add75", + "id": "bundle--4f2e2b1c-1520-4480-9e4b-2c7210d69eb1", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:17:40.860Z", + "modified": "2025-04-16T21:47:03.804Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) can remotely lock infected Android devices and ask for a ransom.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--122ffed0-5f5a-4588-88a4-16924db24e9e.json b/mobile-attack/relationship/relationship--122ffed0-5f5a-4588-88a4-16924db24e9e.json new file mode 100644 index 0000000000..f4e3bfac1d --- /dev/null +++ b/mobile-attack/relationship/relationship--122ffed0-5f5a-4588-88a4-16924db24e9e.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--d21bc5b2-6f17-4de5-b351-83795a44a701", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--122ffed0-5f5a-4588-88a4-16924db24e9e", + "created": "2024-03-26T19:35:11.640Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:04.014Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can collect and exfiltrate files with specific extensions, such as .pdf, doc.(Citation: welivesecurity_apt-c-23) ", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1250f91c-723d-4b4c-afea-b3a71101951f.json b/mobile-attack/relationship/relationship--1250f91c-723d-4b4c-afea-b3a71101951f.json index 0fa0e61933..42dd800a96 100644 --- a/mobile-attack/relationship/relationship--1250f91c-723d-4b4c-afea-b3a71101951f.json +++ b/mobile-attack/relationship/relationship--1250f91c-723d-4b4c-afea-b3a71101951f.json 
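Review bot: The added `description` gives the targeted extensions as `.pdf, doc.`, so the second entry has lost its leading dot and the sentence period reads as part of it. Anyone turning this entry into a file-extension watch list would have to guess whether `doc` or `.doc` is meant. Assuming the cited report refers to the .doc extension, I would write `such as .pdf and .doc.(Citation: welivesecurity_apt-c-23)`, and also drop the trailing space after the citation inside the string.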
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ca5c95fc-754e-4166-be5c-e2f050bdd0dd", + "id": "bundle--c6a079f8-9116-4bad-8247-2e3cbd729b40", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--1250f91c-723d-4b4c-afea-b3a71101951f", "type": "relationship", + "id": "relationship--1250f91c-723d-4b4c-afea-b3a71101951f", "created": "2019-08-07T15:57:13.415Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", - "url": "https://securelist.com/mobile-banker-riltok/91374/", - "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], - "modified": "2019-09-15T15:36:42.339Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:04.224Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can query the device's IMEI.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--127e6672-d16a-4370-b277-4d04874a4cfe.json b/mobile-attack/relationship/relationship--127e6672-d16a-4370-b277-4d04874a4cfe.json index 146324e6ca..edf2dced25 100644 
--- a/mobile-attack/relationship/relationship--127e6672-d16a-4370-b277-4d04874a4cfe.json +++ b/mobile-attack/relationship/relationship--127e6672-d16a-4370-b277-4d04874a4cfe.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8429dec1-95dc-46ac-9120-00d8bef60322", + "id": "bundle--0abd8907-bff9-4a3b-8d2b-929b1469a751", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-11T19:29:31.138Z", + "modified": "2025-04-16T21:47:04.426Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use overlays capture banking credentials and credit card information, and can open arbitrary WebViews from the C2.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1284ba4a-c48c-4533-ac35-664828616ee3.json b/mobile-attack/relationship/relationship--1284ba4a-c48c-4533-ac35-664828616ee3.json index a9dfa19d6c..b672d376ed 100644 --- a/mobile-attack/relationship/relationship--1284ba4a-c48c-4533-ac35-664828616ee3.json +++ b/mobile-attack/relationship/relationship--1284ba4a-c48c-4533-ac35-664828616ee3.json 
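Review bot: The `description` kept as context in the second hunk reads "can use overlays capture banking credentials", which is missing a word. Since the object is being re-stamped with a new `modified` time anyway, the text could be corrected in the same pass: `can use overlays to capture banking credentials and credit card information`. Nothing else in the sentence needs to change.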
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--ed8135b1-8403-452d-816f-8742fdee4f63", + "id": "bundle--7feaa36e-f437-4645-8dff-0d4f65d7408f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--1284ba4a-c48c-4533-ac35-664828616ee3", "created": "2023-07-21T19:52:46.863Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:52:46.863Z", + "modified": "2025-04-16T21:47:04.650Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access and exfiltrate files, such as photos or video.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1284f6fe-d352-415c-9479-82141524380a.json b/mobile-attack/relationship/relationship--1284f6fe-d352-415c-9479-82141524380a.json index 53cab2a3a4..277547c7ee 100644 --- a/mobile-attack/relationship/relationship--1284f6fe-d352-415c-9479-82141524380a.json +++ b/mobile-attack/relationship/relationship--1284f6fe-d352-415c-9479-82141524380a.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--90cbc8a9-049f-487a-bac9-33e90a73edae", + "id": "bundle--567b79fd-0107-44e8-b242-973f9a16b416", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1284f6fe-d352-415c-9479-82141524380a", "created": "2022-03-30T18:06:48.250Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:04.846Z", "description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). ", - "modified": "2022-03-30T18:06:48.250Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--12852406-87df-4892-a177-e15e81739000.json b/mobile-attack/relationship/relationship--12852406-87df-4892-a177-e15e81739000.json index 6d7f467029..45d75513e8 100644 --- a/mobile-attack/relationship/relationship--12852406-87df-4892-a177-e15e81739000.json +++ b/mobile-attack/relationship/relationship--12852406-87df-4892-a177-e15e81739000.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ef797d9e-068f-48cf-a4fa-007030225af3", + "id": "bundle--7ffb22ca-a3ab-43e4-9d69-886d12e8d01b", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:34:56.071Z", + "modified": "2025-04-16T21:47:05.058Z", "description": "Application vetting services could potentially determine if an application contains code designed to exploit vulnerabilities.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--12d14048-793c-456c-a2b8-d812de547ca7.json b/mobile-attack/relationship/relationship--12d14048-793c-456c-a2b8-d812de547ca7.json index 5af67afef0..a130ee452d 100644 --- a/mobile-attack/relationship/relationship--12d14048-793c-456c-a2b8-d812de547ca7.json +++ b/mobile-attack/relationship/relationship--12d14048-793c-456c-a2b8-d812de547ca7.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--814e2bd0-cbc9-4bbe-9cb2-30e4c629742c", + "id": "bundle--c1eb0958-90ad-48e4-b2d0-29aacf961754", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--12d14048-793c-456c-a2b8-d812de547ca7", "created": "2023-09-28T17:19:38.041Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:19:38.041Z", + "modified": "2025-04-16T21:47:05.263Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can read SMS messages on the device.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--12d61e7d-7fa6-422d-9817-901decf6b650.json b/mobile-attack/relationship/relationship--12d61e7d-7fa6-422d-9817-901decf6b650.json index 39f53908fe..e856eccdcf 100644 --- a/mobile-attack/relationship/relationship--12d61e7d-7fa6-422d-9817-901decf6b650.json +++ b/mobile-attack/relationship/relationship--12d61e7d-7fa6-422d-9817-901decf6b650.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--d37a3dba-22e7-40e0-bbea-8922ff11135f", + "id": "bundle--eee6292f-5a41-46b0-9669-f47ad8566aa7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--12d61e7d-7fa6-422d-9817-901decf6b650", "created": "2019-07-10T15:35:43.663Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout Dark Caracal Jan 2018", - "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", - "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018." + "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:05.466Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) uses phishing popups to harvest user credentials.(Citation: Lookout Dark Caracal Jan 2018)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of 
file diff --git a/mobile-attack/relationship/relationship--12de5aeb-9427-4665-81a0-257c76d6f188.json b/mobile-attack/relationship/relationship--12de5aeb-9427-4665-81a0-257c76d6f188.json index 0863b544f6..476e285a49 100644 --- a/mobile-attack/relationship/relationship--12de5aeb-9427-4665-81a0-257c76d6f188.json +++ b/mobile-attack/relationship/relationship--12de5aeb-9427-4665-81a0-257c76d6f188.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--a820b919-8527-426a-861c-cbe1fd462bd6", + "id": "bundle--86baf505-c9a2-4fd3-ad8a-602c202f3381", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--12de5aeb-9427-4665-81a0-257c76d6f188", "created": "2023-03-03T16:20:48.781Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:20:48.781Z", + "modified": "2025-04-16T21:47:05.676Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has replaced device apps with ones it has downloaded.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--12df8ac7-06a4-4389-8d86-d354c4536e28.json b/mobile-attack/relationship/relationship--12df8ac7-06a4-4389-8d86-d354c4536e28.json new file mode 100644 index 0000000000..7567b3ac3b --- /dev/null 
+++ b/mobile-attack/relationship/relationship--12df8ac7-06a4-4389-8d86-d354c4536e28.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--800262d6-aae0-4557-889d-63528b4bbcef", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--12df8ac7-06a4-4389-8d86-d354c4536e28", + "created": "2024-03-26T19:32:36.539Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cyware APT-C-23 2020", + "description": "Cyware. (2020, October 2). APT\u2011C\u201123 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.", + "url": "https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4" + }, + { + "source_name": "SentinelLabs AridViper 2023", + "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", + "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" + }, + { + "source_name": "sophos_android_apt_spyware", + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:05.881Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) reads notifications from applications and connected wearables.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d.json b/mobile-attack/relationship/relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d.json index d346c36fae..532cdc95f5 100644 --- a/mobile-attack/relationship/relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d.json +++ b/mobile-attack/relationship/relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d.json 
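Review bot: The `sophos_android_apt_spyware` reference in this new file embeds its archived target as `https:/news.sophos.com/...`, with a single slash after the scheme. The Wayback Machine generally normalises that form, but link checkers and strict URL parsers that fetch citations automatically may reject it or resolve it differently. I would write `"url": "https://web.archive.org/web/20231208015605/https://news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"`. The `welivesecurity_apt-c-23` entry omits the scheme from its archived target altogether (`.../20201123042131/www.welivesecurity.com/...`), so using one form for both would keep the references consistent.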
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--42351997-8b01-40c7-a66a-d6135f8dc4d1", + "id": "bundle--a2d35dff-6c8f-40c0-8880-03430ba44988", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--13078a96-2cda-4d0b-99f8-693a65a4b63d", "created": "2020-12-18T20:14:47.297Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:06.103Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has generated non-human advertising impressions.(Citation: WhiteOps TERRACOTTA)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--1317fb3d-ded3-4b84-8007-147f3b02948a.json b/mobile-attack/relationship/relationship--1317fb3d-ded3-4b84-8007-147f3b02948a.json index 2aecf2e8e8..45cc329681 100644 --- a/mobile-attack/relationship/relationship--1317fb3d-ded3-4b84-8007-147f3b02948a.json +++ b/mobile-attack/relationship/relationship--1317fb3d-ded3-4b84-8007-147f3b02948a.json @@ -1,32 +1,31 @@ { "type": "bundle", - "id": "bundle--6b139d4d-c9b0-4853-b7a9-d2accb9a624e", + "id": "bundle--f43f8c77-568d-4e46-8b2a-98e945b9fdb0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1317fb3d-ded3-4b84-8007-147f3b02948a", "created": "2022-04-05T19:52:38.539Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "CSRIC-WG1-FinalReport", "description": "CSRIC-WG1-FinalReport" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:06.312Z", "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC-WG1-FinalReport) ", - "modified": "2022-04-05T19:52:38.539Z", "relationship_type": "mitigates", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--1329a866-0f6b-4660-b537-a6d208352502.json b/mobile-attack/relationship/relationship--1329a866-0f6b-4660-b537-a6d208352502.json index 829ad4a6ea..b0ac693bad 100644 --- a/mobile-attack/relationship/relationship--1329a866-0f6b-4660-b537-a6d208352502.json +++ b/mobile-attack/relationship/relationship--1329a866-0f6b-4660-b537-a6d208352502.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--01950ad9-ff30-4864-95e1-45ead39b4dce", + "id": "bundle--b78ed6a7-59b6-4647-be42-c834b76d4a30", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T20:48:55.333Z", + "modified": "2025-04-16T21:47:06.509Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd.json b/mobile-attack/relationship/relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd.json index 825b9cd470..1e5261b0be 100644 --- a/mobile-attack/relationship/relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd.json +++ b/mobile-attack/relationship/relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--fb252fe7-e07b-4df8-9d19-80c39d3921ce", + "id": "bundle--5b811364-1938-43f0-9468-af1e1c47f90a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--1343f1a3-0f03-4bcf-a9e6-4f5697ae35dd", "created": "2023-08-04T18:35:25.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:35:25.381Z", + "modified": "2025-04-16T21:47:06.749Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can try to run arbitrary commands as root.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1348c744-3127-4a55-a5b4-2f439f41e941.json b/mobile-attack/relationship/relationship--1348c744-3127-4a55-a5b4-2f439f41e941.json index 0e18f79012..ee1b9b5fab 100644 --- a/mobile-attack/relationship/relationship--1348c744-3127-4a55-a5b4-2f439f41e941.json +++ b/mobile-attack/relationship/relationship--1348c744-3127-4a55-a5b4-2f439f41e941.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc1b0746-4c0e-48c2-a6ea-6090752e888f", + "id": "bundle--d0ad0942-828c-4acd-a405-ef126b8abcf6", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:48:16.775Z", + "modified": "2025-04-16T21:47:06.950Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can install itself on the system partition to achieve persistence. [Zen](https://attack.mitre.org/software/S0494) can also replace `framework.jar`, which allows it to intercept and modify the behavior of the standard Android API.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--13495d9c-6877-4bc9-888a-7d92362bcb40.json b/mobile-attack/relationship/relationship--13495d9c-6877-4bc9-888a-7d92362bcb40.json index 56b59ff640..1b78f4e8c6 100644 --- a/mobile-attack/relationship/relationship--13495d9c-6877-4bc9-888a-7d92362bcb40.json +++ b/mobile-attack/relationship/relationship--13495d9c-6877-4bc9-888a-7d92362bcb40.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94df9d1a-1c7c-45d9-9baf-0e44db62a02f", + "id": "bundle--45019035-f36a-4883-8d20-af7dc10abd6b", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T19:13:50.488Z", + "modified": "2025-04-16T21:47:07.165Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect device contacts.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d.json b/mobile-attack/relationship/relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d.json index a111b66f5a..507892586b 100644 --- a/mobile-attack/relationship/relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d.json +++ b/mobile-attack/relationship/relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a442261b-ad28-46bf-93e4-b277a3da12eb", + "id": "bundle--fa2554e9-9d92-4d32-95e6-5d1ad707e224", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--13518e48-bb32-4ee3-9cd0-e5f367a2fb2d", "created": "2019-10-18T14:50:57.491Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Security updates often contain patches for vulnerabilities.", - "modified": "2022-03-30T15:52:58.256Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:07.379Z", + "description": "Security updates often contain patches for vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--13aba849-5004-4457-9f3b-49e470b589e0.json b/mobile-attack/relationship/relationship--13aba849-5004-4457-9f3b-49e470b589e0.json index 0c92ebb118..74c6aee617 100644 --- a/mobile-attack/relationship/relationship--13aba849-5004-4457-9f3b-49e470b589e0.json +++ b/mobile-attack/relationship/relationship--13aba849-5004-4457-9f3b-49e470b589e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--474ddf8f-1a5e-470f-b5ab-81f773c4e6aa", + "id": "bundle--6b04affe-035c-4e5e-96c9-e8cc5358e1ce", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:21:05.598Z", + "modified": "2025-04-16T21:47:07.597Z", "description": "Application vetting services could look for connections to unknown domains or IP addresses. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579.json b/mobile-attack/relationship/relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579.json index 6ddf9e5d54..9dc2f1a85e 100644 --- a/mobile-attack/relationship/relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579.json +++ b/mobile-attack/relationship/relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--8a8072bc-750f-4afc-af1f-b8045000883d", + "id": "bundle--9e3d0457-80b3-43fd-9438-967b6af953ca", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--13e69c40-1511-4fac-b4c3-d31fc4b6c579", "created": "2023-07-21T19:40:25.197Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:40:25.197Z", + "modified": "2025-04-16T21:47:07.824Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can download and run code obtained from the C2.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--13efc415-5e17-4a16-81c2-64e74815907f.json b/mobile-attack/relationship/relationship--13efc415-5e17-4a16-81c2-64e74815907f.json index a37aee45d0..d7c2c08cc4 100644 --- a/mobile-attack/relationship/relationship--13efc415-5e17-4a16-81c2-64e74815907f.json +++ b/mobile-attack/relationship/relationship--13efc415-5e17-4a16-81c2-64e74815907f.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--90de15ff-e259-4686-b665-38c088e90307", + "id": "bundle--c5b54edb-0370-4a84-b645-972a60fe89cb", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--13efc415-5e17-4a16-81c2-64e74815907f", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "PaloAlto-XcodeGhost", - "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/", - "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016." + "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:08.050Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can prompt a fake alert dialog to phish user credentials.(Citation: PaloAlto-XcodeGhost)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--14143e21-51bf-4fa7-a949-d22a8271f590.json b/mobile-attack/relationship/relationship--14143e21-51bf-4fa7-a949-d22a8271f590.json index be4caf3e1e..434494ff1c 100644 --- a/mobile-attack/relationship/relationship--14143e21-51bf-4fa7-a949-d22a8271f590.json +++ b/mobile-attack/relationship/relationship--14143e21-51bf-4fa7-a949-d22a8271f590.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--11273960-1ead-43f5-b21b-2ff36e3c2d79", + "id": "bundle--7512bf5e-2bbc-4dc4-8d73-a609a8a8bb18", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590", "type": "relationship", + "id": "relationship--14143e21-51bf-4fa7-a949-d22a8271f590", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", - "source_name": "TrendMicro-RCSAndroid" + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], - "modified": "2019-08-09T17:53:48.780Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:08.264Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record audio using the device microphone.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
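Review bot: The rewritten object for `relationship--14143e21-51bf-4fa7-a949-d22a8271f590` is stamped `"x_mitre_attack_spec_version": "3.2.0"` but still has no `revoked` or `x_mitre_deprecated` key, unlike the other relationships touched in this commit. A consumer that filters active mappings by strict comparison (`x_mitre_deprecated == false`) rather than treating an absent key as false would silently drop this technique mapping from coverage or detection views. I would add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`, matching the neighbouring files. The same gap is present in the hunk for `relationship--142532a6-bf7c-4b25-be23-16f01160f3c5`.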
diff --git a/mobile-attack/relationship/relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c.json b/mobile-attack/relationship/relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c.json index 8758dd4c0f..665c8e6be8 100644 --- a/mobile-attack/relationship/relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c.json +++ b/mobile-attack/relationship/relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--30480e11-604c-4b67-980b-9387e1a978b5", + "id": "bundle--f3843ce8-62e4-422e-a69a-9694b458c200", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1417d832-3fa5-4a87-a40b-5ca2d4ee5d1c", "created": "2022-04-01T14:59:39.294Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:08.471Z", "description": "Apple regularly provides security updates for known OS vulnerabilities.", - "modified": "2022-04-01T14:59:39.294Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--142532a6-bf7c-4b25-be23-16f01160f3c5.json b/mobile-attack/relationship/relationship--142532a6-bf7c-4b25-be23-16f01160f3c5.json index 14c4d9e3d5..df9c8cf46f 100644 
--- a/mobile-attack/relationship/relationship--142532a6-bf7c-4b25-be23-16f01160f3c5.json +++ b/mobile-attack/relationship/relationship--142532a6-bf7c-4b25-be23-16f01160f3c5.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--08eccb03-c0e1-4170-9b9f-71915b62a64e", + "id": "bundle--804198dc-ad50-4005-8934-7ba6ec55a765", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--142532a6-bf7c-4b25-be23-16f01160f3c5", "type": "relationship", + "id": "relationship--142532a6-bf7c-4b25-be23-16f01160f3c5", "created": "2020-09-15T15:18:12.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", - "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", - "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], - "modified": "2020-09-15T15:18:12.417Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:08.702Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect account information stored on the device, as well as data in external storage.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--143833fb-8034-4e75-a030-d8e47f9bebef.json b/mobile-attack/relationship/relationship--143833fb-8034-4e75-a030-d8e47f9bebef.json index 232da3f494..bc5b55b138 100644 --- a/mobile-attack/relationship/relationship--143833fb-8034-4e75-a030-d8e47f9bebef.json +++ b/mobile-attack/relationship/relationship--143833fb-8034-4e75-a030-d8e47f9bebef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e42267f-9a73-4309-94c5-525d74812a25", + "id": "bundle--76736633-aa4d-42cc-affa-89db138e1c4a", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-16T15:49:06.103Z", + "modified": "2025-04-16T21:47:08.907Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can track the device's location.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--14474366-938a-4359-bf24-e2c718adfaf5.json b/mobile-attack/relationship/relationship--14474366-938a-4359-bf24-e2c718adfaf5.json index 63a6361f2f..c63c6a0b96 100644 --- a/mobile-attack/relationship/relationship--14474366-938a-4359-bf24-e2c718adfaf5.json +++ b/mobile-attack/relationship/relationship--14474366-938a-4359-bf24-e2c718adfaf5.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--99f59b56-47d4-4821-8294-5738b3a9eee5", + "id": "bundle--d8637b63-f996-4bf0-a84b-514c9e120a1f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--14474366-938a-4359-bf24-e2c718adfaf5", "type": "relationship", + "id": "relationship--14474366-938a-4359-bf24-e2c718adfaf5", "created": "2020-06-26T14:55:13.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], - "modified": "2020-06-26T14:55:13.382Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:09.130Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can download new libraries when instructed to.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--146275c0-b6dd-4700-bded-bc361a67d023.json b/mobile-attack/relationship/relationship--146275c0-b6dd-4700-bded-bc361a67d023.json index 9fd808295f..63581fb7c5 100644 --- a/mobile-attack/relationship/relationship--146275c0-b6dd-4700-bded-bc361a67d023.json +++ b/mobile-attack/relationship/relationship--146275c0-b6dd-4700-bded-bc361a67d023.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c0642521-9607-4056-9eee-eeca4902e19d", + "id": "bundle--54577479-ab1b-4b83-8b7b-a5e839a1ed21", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--146275c0-b6dd-4700-bded-bc361a67d023", "type": "relationship", + "id": "relationship--146275c0-b6dd-4700-bded-bc361a67d023", "created": "2020-09-14T14:13:45.253Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", - "url": "https://blog.lookout.com/esurv-research", - "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/esurv-research" } ], - "modified": "2020-09-14T14:13:45.253Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:09.364Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can record audio.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6.json b/mobile-attack/relationship/relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6.json index 093cb9847f..a5b67b96a4 100644 
--- a/mobile-attack/relationship/relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6.json +++ b/mobile-attack/relationship/relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--f6148756-2e8d-49a7-9fad-0e18f51d8f2a", + "id": "bundle--b6861b90-530c-4e82-b12e-81de32f19d1d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--147d82a6-a61a-41d0-8eef-b6193bdd92d6", "created": "2022-03-30T15:18:21.256Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:09.574Z", "description": "", - "modified": "2022-03-30T15:18:21.256Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--c5089859-b21f-40a3-8be4-63e381b8b1c0", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--148703c5-6d07-439c-a4ff-d77119c70857.json b/mobile-attack/relationship/relationship--148703c5-6d07-439c-a4ff-d77119c70857.json index b3e09b17d6..eb92811175 100644 --- a/mobile-attack/relationship/relationship--148703c5-6d07-439c-a4ff-d77119c70857.json +++ b/mobile-attack/relationship/relationship--148703c5-6d07-439c-a4ff-d77119c70857.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a52fa104-278a-431e-b439-026158123187", + "id": "bundle--b48969ec-8921-409d-9f41-f2184d85f72f", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:23:41.266Z", + "modified": "2025-04-16T21:47:09.793Z", "description": "Many properly configured firewalls may also naturally block command and control traffic over non-standard ports.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--15065492-1aef-4cf8-af3c-cc763eee5daf.json b/mobile-attack/relationship/relationship--15065492-1aef-4cf8-af3c-cc763eee5daf.json index ab60928115..b62095519e 100644 --- a/mobile-attack/relationship/relationship--15065492-1aef-4cf8-af3c-cc763eee5daf.json +++ b/mobile-attack/relationship/relationship--15065492-1aef-4cf8-af3c-cc763eee5daf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--38dea794-3594-4a68-a088-5abc3ef9bf7e", + "id": "bundle--f9870e29-7731-41a6-8453-bc9764763747", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:49:32.064Z", + "modified": "2025-04-16T21:47:09.993Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can detect if it is being ran on an emulator.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa.json b/mobile-attack/relationship/relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa.json new file mode 100644 index 0000000000..d6e90c5e39 --- /dev/null +++ b/mobile-attack/relationship/relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a4062a55-4626-4dcc-ba6b-6547a269e623", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1508c120-06fa-4da2-8fcd-7fdc133228fa", + "created": "2025-03-28T15:05:17.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:10.223Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors removed files from the device.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b.json b/mobile-attack/relationship/relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b.json new file mode 100644 index 0000000000..e6e23a8526 --- /dev/null +++ b/mobile-attack/relationship/relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--35ae3c2a-5df7-4cda-8ab4-76e25f2f3cbf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--15706c6d-803b-4857-9fcb-ce9af2c9d73b", + "created": "2025-03-24T20:13:23.329Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:10.469Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has retrieved files from the C2 server.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024) Examples of files from the C2 are ` amfidebilitate` (jailbreak component), ` jbexec ` (executable to verify jailbreak), `bb` (FrameworkLoader), `cc` (launchctl binary for persistence), `b.plist` (configuration for auto-start), and `resources.zip`, which contains additional jailbreak-related components.(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b.json b/mobile-attack/relationship/relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b.json new file mode 100644 index 0000000000..269899a752 --- /dev/null +++ b/mobile-attack/relationship/relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b.json 
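Review bot: The `description` string added in this new LightSpy relationship has padding spaces inside two of its inline-code spans: the one for amfidebilitate opens with a space, and the one for jbexec has a space on both sides. Anyone who extracts the backticked artifact names from ATT&CK descriptions to seed hunting queries or detection content will get padded names that do not compare equal to the real file names. The two spans should read `amfidebilitate` and `jbexec`, matching the other names in the same sentence (`bb`, `cc`, `b.plist`, `resources.zip`). These bundles look like an export, so the correction presumably belongs in the upstream record rather than in a hand edit here.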
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--85733e56-a90e-49b3-9004-125028457c38", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--15772932-8a5c-4616-9fea-b2bd1ecace4b", + "created": "2025-04-14T17:40:59.181Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:10.710Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) uses the WifiList (or `libWifiList`) plugin to gather Wi-Fi network information, such as the SSID, BSSID, signal strength (RSSI), channel, security type, and previously saved networks.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)(Citation: Threatfabric LightSpy 2023)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd.json b/mobile-attack/relationship/relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd.json index 06a90bcfa9..9b92bbb983 100644 --- a/mobile-attack/relationship/relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd.json +++ b/mobile-attack/relationship/relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e4652c72-2ecd-4bce-a423-f06a04ff1aba", + "id": "bundle--104463dc-88f7-40e5-b558-df20bd7014b4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd", "type": "relationship", + "id": "relationship--1577a79c-5f70-41cc-95bd-2407cfd1acbd", "created": "2020-06-26T15:12:40.094Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", - "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", - "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. 
Retrieved June 26, 2020.", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], - "modified": "2020-06-26T15:12:40.094Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:10.904Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can abuse the accessibility service to perform actions on behalf of the user, including launching attacker-specified applications to steal data.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052.json b/mobile-attack/relationship/relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052.json index 886133f917..0c798b0dcd 100644 --- a/mobile-attack/relationship/relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052.json +++ b/mobile-attack/relationship/relationship--158f71f5-e24a-4c5b-95d9-6f7e03257052.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ae3540c-e46d-41f1-8be1-e95b5e1fb486", + "id": "bundle--194d59a9-5e51-4731-9b20-3ac6acb5e52b", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:30:25.144Z", + "modified": "2025-04-16T21:47:11.105Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect SMS messages.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80.json b/mobile-attack/relationship/relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80.json index e1443193c2..40a7865957 100644 --- a/mobile-attack/relationship/relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80.json +++ b/mobile-attack/relationship/relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--ea5a16d4-b877-4c18-bfb4-683a323341b6", + "id": "bundle--80fd7968-7ed6-444c-abfb-6ce8fe407a19", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--15d83ba8-be89-4151-9c6e-35d14df4fa80", "created": "2022-03-30T19:33:05.375Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:11.327Z", "description": "Security updates typically provide patches for vulnerabilities that enable device rooting.", - "modified": "2022-03-30T19:33:05.375Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9.json b/mobile-attack/relationship/relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9.json index d28195b27b..89923272b0 100644 --- a/mobile-attack/relationship/relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9.json +++ b/mobile-attack/relationship/relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--dd6a01ab-0cd6-48da-a443-e509489253b1", + "id": "bundle--ac1c49b5-0af1-4fed-bb19-0cb531fa4683", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9", "type": "relationship", + "id": "relationship--15eccf44-e528-41fb-9cb8-834c8c0ca9d9", "created": "2020-04-24T17:46:31.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", - "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", - "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], - "modified": "2020-04-24T17:46:31.582Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:11.540Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--1687c7a0-a453-4737-a10d-c57b94d5a458.json b/mobile-attack/relationship/relationship--1687c7a0-a453-4737-a10d-c57b94d5a458.json new file mode 100644 index 0000000000..c6a0aeb963 --- /dev/null +++ b/mobile-attack/relationship/relationship--1687c7a0-a453-4737-a10d-c57b94d5a458.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--a999f81a-47b8-4c5d-8f2a-5b96b05010da", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1687c7a0-a453-4737-a10d-c57b94d5a458", + "created": "2025-03-28T14:56:15.832Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + }, + { + "source_name": "SecureList OpTriangulation 01Jun2023", + "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", + "url": "https://securelist.com/operation-triangulation/109842/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:11.764Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors downloaded subsequent stages from the C2.(Citation: SecureList OpTriangulation 01Jun2023)(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d.json b/mobile-attack/relationship/relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d.json index 3bd94e2882..aa1cadfff6 100644 
--- a/mobile-attack/relationship/relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d.json +++ b/mobile-attack/relationship/relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ee2dbe8f-40ca-4f04-ae74-becdbc33175a", + "id": "bundle--3a0359a6-c699-4ba2-9969-614983af2219", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d", "type": "relationship", + "id": "relationship--16955c8e-65ab-4c9a-a8b1-bec4d5a45f8d", "created": "2021-10-01T14:42:48.740Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "modified": "2021-10-12T13:51:41.045Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:11.980Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect images stored on the device and browser history.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--16d969ca-59ae-4c87-888f-fa231ad863d1.json b/mobile-attack/relationship/relationship--16d969ca-59ae-4c87-888f-fa231ad863d1.json index 2b742427c3..1d400f5b3f 100644 --- a/mobile-attack/relationship/relationship--16d969ca-59ae-4c87-888f-fa231ad863d1.json +++ b/mobile-attack/relationship/relationship--16d969ca-59ae-4c87-888f-fa231ad863d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc20acb6-fc14-4e27-9be7-8e9db1450ca7", + "id": "bundle--206afd9e-55f1-4c76-a9fa-20832a50f5e3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:30:37.287Z", + "modified": "2025-04-16T21:47:12.208Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect message notifications from 17 applications.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--17141729-226d-40d4-928d-ffbd2eed7d11.json b/mobile-attack/relationship/relationship--17141729-226d-40d4-928d-ffbd2eed7d11.json index 56f76fad5b..43d3152c49 100644 --- a/mobile-attack/relationship/relationship--17141729-226d-40d4-928d-ffbd2eed7d11.json +++ b/mobile-attack/relationship/relationship--17141729-226d-40d4-928d-ffbd2eed7d11.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--9458e3a1-0720-4d34-9c7d-84831af750ce", + "id": "bundle--3d1ab2f7-8562-4036-a413-e755641808c9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--17141729-226d-40d4-928d-ffbd2eed7d11", "created": "2022-04-05T19:37:16.086Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:12.412Z", "description": "", - "modified": "2022-04-05T19:37:16.086Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca.json b/mobile-attack/relationship/relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca.json index d5620da23a..abf5851083 100644 --- a/mobile-attack/relationship/relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca.json +++ b/mobile-attack/relationship/relationship--173c0c41-c7e3-48e9-b785-d9e0232d85ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--51e7af40-da20-4d5e-9763-b74f04fb667c", + "id": "bundle--421f4a67-0ff8-4d66-bfc9-c312b804b127", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:50:52.737Z", + "modified": "2025-04-16T21:47:12.613Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s contact list.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--17558571-7352-470b-b728-0511fb3f699d.json b/mobile-attack/relationship/relationship--17558571-7352-470b-b728-0511fb3f699d.json index fb09d05902..e3f0acc17f 100644 --- a/mobile-attack/relationship/relationship--17558571-7352-470b-b728-0511fb3f699d.json +++ b/mobile-attack/relationship/relationship--17558571-7352-470b-b728-0511fb3f699d.json 
@@ -1,23 +1,23 @@ { "type": "bundle", - "id": "bundle--25524b57-43a6-443f-b448-9da5ab3ad60d", + "id": "bundle--76aa5041-fa35-41d1-a460-1000b96a17cb", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--17558571-7352-470b-b728-0511fb3f699d", + "created": "2019-10-18T15:51:48.484Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--17558571-7352-470b-b728-0511fb3f699d", - "type": "relationship", - "created": "2019-10-18T15:51:48.484Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2020-06-24T15:02:13.534Z", + "modified": "2025-04-16T21:47:12.812Z", "description": "Users should be warned against granting access to accessibility features, and to carefully scrutinize applications that request this dangerous permission.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--17697784-f6e0-4062-adaa-7779e44e2d62.json b/mobile-attack/relationship/relationship--17697784-f6e0-4062-adaa-7779e44e2d62.json index 0b16e64a45..a357a0b0e3 100644 --- a/mobile-attack/relationship/relationship--17697784-f6e0-4062-adaa-7779e44e2d62.json +++ b/mobile-attack/relationship/relationship--17697784-f6e0-4062-adaa-7779e44e2d62.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c3c56968-bfce-4931-8ab3-dd7c73adbed6", + "id": "bundle--0fa5ce37-19fb-4425-9a2a-5bf43729581b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--17697784-f6e0-4062-adaa-7779e44e2d62", "created": "2024-02-20T23:57:03.657Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:57:03.657Z", + "modified": "2025-04-16T21:47:13.024Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7.json b/mobile-attack/relationship/relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7.json index dd4a20e6e7..61ff2ed6b3 100644 --- a/mobile-attack/relationship/relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7.json +++ b/mobile-attack/relationship/relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b1988f5a-caf7-4e61-ac0f-d48bcb24581b", + "id": "bundle--e51f3047-c0e3-4b63-9e9d-99f9d97d6949", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--17adf4c2-e278-41fc-9183-cda5c8b74de7", "created": "2022-03-31T19:53:01.320Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:13.275Z", "description": "", - "modified": "2022-03-31T19:53:01.320Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--17e94f34-e367-491c-9f9f-79294e124b4f.json b/mobile-attack/relationship/relationship--17e94f34-e367-491c-9f9f-79294e124b4f.json index 3618ea4e05..10ff59d7ec 100644 --- a/mobile-attack/relationship/relationship--17e94f34-e367-491c-9f9f-79294e124b4f.json +++ b/mobile-attack/relationship/relationship--17e94f34-e367-491c-9f9f-79294e124b4f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2e27671-44ab-4d1c-8107-215b450f854c", + "id": "bundle--9fafe205-73a6-4d86-a502-9c7f868c9d61", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:22:48.246Z", + "modified": "2025-04-16T21:47:13.482Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can intercept SMS messages.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744.json b/mobile-attack/relationship/relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744.json new file mode 100644 index 0000000000..e54eec357b --- /dev/null +++ b/mobile-attack/relationship/relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--55b5f465-746d-4b0c-93dc-07713ec00f67", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--18186ee9-0ae4-405c-bf73-4d9ca1689744", + "created": "2025-03-24T20:07:56.454Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:13.721Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s contact list.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1822e616-ae33-487c-8aa6-4fa81e724184.json b/mobile-attack/relationship/relationship--1822e616-ae33-487c-8aa6-4fa81e724184.json index 92f49a10f4..d162c24ab5 100644 --- a/mobile-attack/relationship/relationship--1822e616-ae33-487c-8aa6-4fa81e724184.json +++ b/mobile-attack/relationship/relationship--1822e616-ae33-487c-8aa6-4fa81e724184.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fae59671-297c-4db4-b7da-d4ad740b3469", + "id": "bundle--173264a2-de9a-47e8-bf8a-20de46ebeba8", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:06:22.576Z", + "modified": "2025-04-16T21:47:13.928Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included contact list exfiltration in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--185764e3-b559-4a65-818e-1cad4db6d105.json b/mobile-attack/relationship/relationship--185764e3-b559-4a65-818e-1cad4db6d105.json index 2fc9791d6e..86831341e6 100644 --- a/mobile-attack/relationship/relationship--185764e3-b559-4a65-818e-1cad4db6d105.json +++ b/mobile-attack/relationship/relationship--185764e3-b559-4a65-818e-1cad4db6d105.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--ba1ff875-cbbe-4ffb-a9e2-56b7f547983a", + "id": "bundle--ed963212-ce9a-4992-aa36-fb51b98fb44f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--185764e3-b559-4a65-818e-1cad4db6d105", "created": "2024-04-04T17:42:29.902Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-04T17:42:29.902Z", + "modified": "2025-04-16T21:47:14.147Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) can send SMS messages.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd.json b/mobile-attack/relationship/relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd.json index 178209d0d6..f5aab06948 100644 --- a/mobile-attack/relationship/relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd.json +++ b/mobile-attack/relationship/relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--2ef9c99c-a594-403a-8dfd-74761f9796c2", + "id": "bundle--589a2fa9-9736-4b76-8ecc-e6c23a2542d9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--188c09ee-ca3b-4bac-ad69-36489c50b5bd", "created": "2022-04-01T18:50:00.027Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:14.378Z", "description": "", - "modified": "2022-04-01T18:50:00.027Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495.json b/mobile-attack/relationship/relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495.json index f611024e5d..719a4e30bb 100644 --- a/mobile-attack/relationship/relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495.json +++ b/mobile-attack/relationship/relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--2c389cc1-1932-475b-931e-12eac8823b7b", + "id": "bundle--62160fb0-485c-46f8-9bd1-73d910201699", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--18905da3-a92e-4b1b-ae5c-1de1e4d35495", "created": "2024-02-20T23:52:29.033Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:52:29.033Z", + "modified": "2025-04-16T21:47:14.583Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device networking information, including phone number, IMEI, and IMSI.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea.json b/mobile-attack/relationship/relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea.json index b4d830796f..f126c3d78d 100644 --- a/mobile-attack/relationship/relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea.json +++ b/mobile-attack/relationship/relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--5d3f89be-e273-4dde-a01f-b38ff497514d", + "id": "bundle--e847b1a6-3f25-422e-8075-e1e56b65b34e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--18a6020d-8fea-4a6e-84ab-a18343f2acea", "created": "2022-04-06T13:40:14.515Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android 10 Privacy Changes", - "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", - "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." + "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.", + "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:14.795Z", "description": "Android 10 prevents applications from accessing clipboard data unless the application is on the foreground or is set as the device\u2019s default input method editor (IME).(Citation: Android 10 Privacy Changes)", - "modified": "2022-04-06T13:40:14.515Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of 
file diff --git a/mobile-attack/relationship/relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c.json b/mobile-attack/relationship/relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c.json index e02b30ebf0..30b64aa95d 100644 --- a/mobile-attack/relationship/relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c.json +++ b/mobile-attack/relationship/relationship--18afa4ad-4fd7-47ad-acdb-3b298b640d3c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cf1ec2d7-9d1b-41c1-bb5e-5ad26bc229d9", + "id": "bundle--5d3c2d93-973b-41dc-8c09-97ea48dd8fac", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:26:05.199Z", + "modified": "2025-04-16T21:47:15.006Z", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is auto-rooting adware that embeds itself as a system application, making it nearly impossible to remove.(Citation: Lookout-Adware)", "relationship_type": "uses", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c.json b/mobile-attack/relationship/relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c.json index 53e65b5f74..05e94019ac 100644 --- a/mobile-attack/relationship/relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c.json +++ b/mobile-attack/relationship/relationship--18d3f4c7-2888-4d27-9ac7-b7ade1a1c04c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--66069178-fd26-4c87-ae6a-75a1373a7ff9", + "id": "bundle--3221147d-30f8-40bd-8c30-d990cbbe049d", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:23:04.150Z", + "modified": "2025-04-16T21:47:15.233Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted the full contents of text messages.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1987b242-c868-40b2-993d-9dbeea311d4b.json b/mobile-attack/relationship/relationship--1987b242-c868-40b2-993d-9dbeea311d4b.json index 704c7de035..d58a52ba32 100644 --- a/mobile-attack/relationship/relationship--1987b242-c868-40b2-993d-9dbeea311d4b.json +++ b/mobile-attack/relationship/relationship--1987b242-c868-40b2-993d-9dbeea311d4b.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--0681bf00-c5d1-4aed-a125-01f698605256", + "id": "bundle--fc83e1a6-cb15-42a9-9405-6410c0b039cd", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1987b242-c868-40b2-993d-9dbeea311d4b", "created": "2022-03-30T14:08:09.882Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:15.453Z", "description": "", - "modified": "2022-03-30T14:08:09.882Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--198b99e6-3954-4c93-90bc-4227b45270a4.json b/mobile-attack/relationship/relationship--198b99e6-3954-4c93-90bc-4227b45270a4.json index 7a63094651..668d94bdbb 100644 --- a/mobile-attack/relationship/relationship--198b99e6-3954-4c93-90bc-4227b45270a4.json +++ b/mobile-attack/relationship/relationship--198b99e6-3954-4c93-90bc-4227b45270a4.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--d705bce3-9304-4a76-b5bb-912872ecea41", + "id": "bundle--5af872cd-c0af-4892-9fc7-28dc15654821", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--198b99e6-3954-4c93-90bc-4227b45270a4", "created": "2023-08-04T19:03:55.638Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T19:03:55.638Z", + "modified": "2025-04-16T21:47:15.672Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can delete locally gathered files after uploading them to the C2 to avoid suspicion.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--19b95b83-bac0-455f-882f-0209abddb76f.json b/mobile-attack/relationship/relationship--19b95b83-bac0-455f-882f-0209abddb76f.json index 288ca41acb..a434f85fe2 100644 --- a/mobile-attack/relationship/relationship--19b95b83-bac0-455f-882f-0209abddb76f.json +++ b/mobile-attack/relationship/relationship--19b95b83-bac0-455f-882f-0209abddb76f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b3746ac3-bc0f-400a-80a2-63cabcb9736c", + "id": "bundle--5137f9cc-d534-4ae9-88aa-d73a1f8e4ec5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--19b95b83-bac0-455f-882f-0209abddb76f", "created": "2022-04-05T20:11:35.619Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:15.882Z", "description": "Applications that properly encrypt network traffic may evade some forms of AiTM behavior. ", - "modified": "2022-04-05T20:11:35.619Z", "relationship_type": "mitigates", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--19df76ee-fa85-43cf-96ce-422d46f29a13.json b/mobile-attack/relationship/relationship--19df76ee-fa85-43cf-96ce-422d46f29a13.json index c14b9099bc..08ace86c7c 100644 --- a/mobile-attack/relationship/relationship--19df76ee-fa85-43cf-96ce-422d46f29a13.json +++ b/mobile-attack/relationship/relationship--19df76ee-fa85-43cf-96ce-422d46f29a13.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0d1ac275-ba78-47e5-9eaa-f4889e0dfb80", + "id": "bundle--166c679c-65b5-48cf-a190-37e9c9924409", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:12:48.998Z", + "modified": "2025-04-16T21:47:16.079Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) listens for the `BOOT_COMPLETED` broadcast intent in order to maintain persistence and activate its functionality at device boot time.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80.json b/mobile-attack/relationship/relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80.json index c5701e0fd0..b9f57dbd8a 100644 --- a/mobile-attack/relationship/relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80.json +++ b/mobile-attack/relationship/relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--5c30bd14-8c3a-4c67-801a-3cb290fe2a82", + "id": "bundle--44641972-d016-4612-941e-11af09e84656", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--19f220fd-94e8-4c8f-971d-ad37d7eeee80", "created": "2022-03-31T19:51:41.431Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:16.319Z", "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", - "modified": "2022-03-31T19:51:41.431Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd.json b/mobile-attack/relationship/relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd.json index 038780bc46..fa7cde7a13 100644 --- a/mobile-attack/relationship/relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd.json +++ b/mobile-attack/relationship/relationship--1a2f6cdc-7c52-4f6e-9182-bc5b16a638dd.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ee7e64ff-df0a-48d6-a738-4ed1ef0cf76c", + "id": "bundle--21041e27-1c8e-4a2e-a2a9-40163da01ed4", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:49:47.110Z", + "modified": "2025-04-16T21:47:16.539Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can evade automated analysis environments by requiring a CAPTCHA on launch that will prevent the application from running if not passed. It also checks for indications that it is running in an emulator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e.json b/mobile-attack/relationship/relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e.json index ce64b32904..ac405fa60f 100644 --- a/mobile-attack/relationship/relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e.json +++ b/mobile-attack/relationship/relationship--1a5bde32-aaa9-42d0-ab70-c9f11b0ae81e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--803baa9b-4342-49e9-b24e-10ddb0a73a3b", + "id": "bundle--fe71d63b-2ba2-4d92-996f-6366ddf9868b", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-29T15:07:37.877Z", + "modified": "2025-04-16T21:47:16.762Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version has used public key encryption for C2 communication.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e.json b/mobile-attack/relationship/relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e.json index 7d9ad1c90a..81fe611a0f 100644 --- a/mobile-attack/relationship/relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e.json +++ b/mobile-attack/relationship/relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--fdb3bbac-6394-4407-968a-5c8de7fc29f2", + "id": "bundle--096b590d-f88c-4e54-9b6f-46e058ae3beb", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1b633efc-762f-47f9-96c3-d08ba92e0e3e", "created": "2022-04-01T17:05:56.046Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:16.966Z", "description": "On Android 11 and up, users are not prompted with the option to select \u201cAllow all the time\u201d and must navigate to the settings page to manually select this option. On iOS 14 and up, users can select whether to provide Precise Location for each installed application. ", - "modified": "2022-04-01T17:05:56.046Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee.json b/mobile-attack/relationship/relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee.json new file mode 100644 index 0000000000..9bb5874452 --- /dev/null +++ b/mobile-attack/relationship/relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--5b0b0c79-6b96-4b3c-8032-a53ea89d6768", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--1b6d332b-0ced-4bf1-b212-f1fccc850bee", + "created": "2025-03-14T17:59:16.502Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:17.172Z", + "description": "The user can view a list of device administrators and applications that have registered Accessibility services in device settings. Applications that register an Accessibility service or request device administrator permissions should be scrutinized further for malicious behavior. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9.json b/mobile-attack/relationship/relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9.json index f07a292313..71718de5c6 100644 --- a/mobile-attack/relationship/relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9.json +++ b/mobile-attack/relationship/relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0f82a6ab-7469-4258-9341-adbd444b3e90", + "id": "bundle--3611dc0f-b9bf-4ae8-8f33-e04166cb8d44", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9", "type": "relationship", + "id": "relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9", "created": "2020-09-11T14:54:16.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2020-09-11T14:54:16.548Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:17.395Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can obtain a list of installed applications.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
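Review bot: The rewritten object for relationship--1b7be26d-cb1d-497b-94bf-a34f11ed66c9 ends with only `x_mitre_modified_by_ref` and `x_mitre_attack_spec_version`, and carries neither `revoked` nor `x_mitre_deprecated`. The other relationships rewritten on this page (for example relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e) now state both as `false`. The same gap is in the hunks for relationship--1c180c0e-c789-4176-b568-789ada9487bb and relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73. A consumer that filters on an explicit `"x_mitre_deprecated": false` or `"revoked": false`, rather than treating an absent key as false, would presumably drop these three malware-to-technique mappings from coverage and detection views. I would add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` in all three, or document that absence means false.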
diff --git a/mobile-attack/relationship/relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b.json b/mobile-attack/relationship/relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b.json index ed8a2069e3..70532cf6b5 100644 --- a/mobile-attack/relationship/relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b.json +++ b/mobile-attack/relationship/relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--6608d7d2-dfbd-49a9-af8b-15d7fbf14c5f", + "id": "bundle--72b8ef2a-7957-456a-a88b-4fbe81e265a1", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--1b9b145c-ce80-4d0e-99f2-d756b806745b", "created": "2023-07-21T19:35:17.565Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:35:17.565Z", + "modified": "2025-04-16T21:47:17.613Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can access a device\u2019s microphone to record audio, as well as cell and VoIP application calls.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e.json b/mobile-attack/relationship/relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e.json index 1e80d7822f..5ce90c9df1 100644 
--- a/mobile-attack/relationship/relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e.json +++ b/mobile-attack/relationship/relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--69c49429-b6b3-4bcb-9369-9fb63f97250b", + "id": "bundle--d5c373a2-fc17-40b4-95b4-ba667f1be87f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1bcd4b25-a1e0-4511-b0bf-3923a1e74c4e", "created": "2020-12-31T18:25:05.165Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:17.824Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES) ", - "modified": "2022-04-18T16:00:57.320Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a.json b/mobile-attack/relationship/relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a.json index 88bd0089ff..9b83db7fb1 100644 --- a/mobile-attack/relationship/relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a.json +++ b/mobile-attack/relationship/relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--50c28473-b753-4933-a23b-dd6a176ba997", + "id": "bundle--432a01c8-221a-47af-8ace-5aa8810db66b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--1be8aca9-d5a6-4cc5-9fbe-7625f7ff8d6a", "created": "2023-08-16T16:36:59.360Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:36:59.360Z", + "modified": "2025-04-16T21:47:18.039Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather cookies and device logs.(Citation: cyble_chameleon_0423) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1c180c0e-c789-4176-b568-789ada9487bb.json b/mobile-attack/relationship/relationship--1c180c0e-c789-4176-b568-789ada9487bb.json index 2fa9f5f554..9be2151980 100644 
--- a/mobile-attack/relationship/relationship--1c180c0e-c789-4176-b568-789ada9487bb.json +++ b/mobile-attack/relationship/relationship--1c180c0e-c789-4176-b568-789ada9487bb.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6e4c64c8-7db0-42d9-9c1e-8cee400d6c4e", + "id": "bundle--97a7e979-c375-491e-845f-1abb2a679da2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--1c180c0e-c789-4176-b568-789ada9487bb", "type": "relationship", + "id": "relationship--1c180c0e-c789-4176-b568-789ada9487bb", "created": "2020-10-29T19:21:23.162Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", - "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", - "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], - "modified": "2020-10-29T19:21:23.162Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:18.283Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can collect information about the device including device type, OS version, language, free storage space, battery status, device root, and if *developer mode* is enabled.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at 
end of file diff --git a/mobile-attack/relationship/relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9.json b/mobile-attack/relationship/relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9.json index c484b00a7f..2b196da84b 100644 --- a/mobile-attack/relationship/relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9.json +++ b/mobile-attack/relationship/relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--2faea36a-50ee-4639-96e2-b229f143e3d1", + "id": "bundle--ce8a3c2f-b720-4321-ad73-a2ad1d7f1ea4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1c42ee3a-c400-4de6-84aa-b254422af7b9", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "CheckPoint-Judy", - "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/", - "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018." + "description": "CheckPoint. (2017, May 25). The Judy Malware: Possibly the largest malware campaign found on Google Play. Retrieved September 18, 2018.", + "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:18.489Z", "description": "[Judy](https://attack.mitre.org/software/S0325) uses infected devices to generate fraudulent clicks on advertisements to generate revenue.(Citation: CheckPoint-Judy)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": 
false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf.json b/mobile-attack/relationship/relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf.json index 584e8a3338..dd11b1fdb4 100644 --- a/mobile-attack/relationship/relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf.json +++ b/mobile-attack/relationship/relationship--1c67b72f-7389-4c21-9347-2b1bba07aaaf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--78ddcdab-78d2-4d6e-b384-82f3fcb97fc8", + "id": "bundle--75a5a904-5e0d-4495-b94f-1162d0ba5813", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:12:28.993Z", + "modified": "2025-04-16T21:47:18.704Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device IP address and SIM information.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73.json b/mobile-attack/relationship/relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73.json index dbd1e5a30b..07e1ee7da8 100644 --- a/mobile-attack/relationship/relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73.json +++ b/mobile-attack/relationship/relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f65cf035-a7eb-49e2-bdcf-942b81916dc7", + "id": "bundle--f0950994-2ace-41fd-9c0a-4a849e93bdd1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73", "type": "relationship", + "id": "relationship--1c7d2d48-ea9a-448f-891f-66f635c95f73", "created": "2020-07-20T14:12:15.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Check Point-Joker", - "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", - "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020." + "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020.", + "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/" } ], - "modified": "2020-07-20T14:12:15.566Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:18.916Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can collect device notifications.(Citation: Check Point-Joker)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--1cc71849-142f-4097-9546-7946b0b546a6.json b/mobile-attack/relationship/relationship--1cc71849-142f-4097-9546-7946b0b546a6.json index 54dcb3a3bd..04f798d252 100644 --- a/mobile-attack/relationship/relationship--1cc71849-142f-4097-9546-7946b0b546a6.json +++ b/mobile-attack/relationship/relationship--1cc71849-142f-4097-9546-7946b0b546a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62360c81-eac4-4d58-89e2-6f2ef60b0311", + "id": "bundle--f1ecbbc0-9770-462f-8b4f-5dfab8957f0b", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:29:22.884Z", + "modified": "2025-04-16T21:47:19.123Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can determine if it is running in an emulator.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1cca5e17-80ae-4b6e-8919-2768153aa966.json b/mobile-attack/relationship/relationship--1cca5e17-80ae-4b6e-8919-2768153aa966.json index 56eb4b0661..731b5d3827 100644 --- a/mobile-attack/relationship/relationship--1cca5e17-80ae-4b6e-8919-2768153aa966.json +++ b/mobile-attack/relationship/relationship--1cca5e17-80ae-4b6e-8919-2768153aa966.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--f6e3a426-cd2a-4030-a0b2-cda9ff26905b", + "id": "bundle--f9c8f5a4-3173-4cc5-880e-8ee74c998a02", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1cca5e17-80ae-4b6e-8919-2768153aa966", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "PaloAlto-Xbot", - "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/", - "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016." + "description": "Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan \u201cXbot\u201d Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. 
Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:19.378Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) uses phishing pages mimicking Google Play's payment interface as well as bank login pages.(Citation: PaloAlto-Xbot)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de.json b/mobile-attack/relationship/relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de.json index cab0ad8381..7cc793179a 100644 --- a/mobile-attack/relationship/relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de.json +++ b/mobile-attack/relationship/relationship--1d027925-7d63-459c-b5a5-48ffb49ba1de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f2cc682f-1561-4fde-bcf4-d956f4ca75af", + "id": "bundle--304781c4-4a4b-478b-b794-83c3fba63028", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:30:59.104Z", + "modified": "2025-04-16T21:47:19.593Z", "description": "The user is prompted for approval when an application requests device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b.json b/mobile-attack/relationship/relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b.json index c9ca7e6103..c9c09b3a6a 100644 --- a/mobile-attack/relationship/relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b.json +++ b/mobile-attack/relationship/relationship--1d2daf8f-ce51-47b5-b985-63ae4edfad4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--753059f4-86b7-4d8f-a902-073a182aae28", + "id": "bundle--0ee417de-2782-4591-8a59-bcf322c0ae85", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T22:46:12.263Z", + "modified": "2025-04-16T21:47:19.816Z", "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1d828f51-1c04-466c-beaf-2d4de741a544.json b/mobile-attack/relationship/relationship--1d828f51-1c04-466c-beaf-2d4de741a544.json index 1bc32ae7b1..c8859b88a7 100644 --- a/mobile-attack/relationship/relationship--1d828f51-1c04-466c-beaf-2d4de741a544.json +++ b/mobile-attack/relationship/relationship--1d828f51-1c04-466c-beaf-2d4de741a544.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dc13dc36-86f3-47d9-adc4-9842451afa93", + "id": "bundle--eedcf2e1-c68d-4eb2-b8e7-515a93c09415", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:03:18.675Z", + "modified": "2025-04-16T21:47:20.018Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can access SMS messages in order to complete carrier billing fraud.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1db350b2-1e8b-4d58-9086-eac41de1b110.json b/mobile-attack/relationship/relationship--1db350b2-1e8b-4d58-9086-eac41de1b110.json index 1aa031091c..aca80b7a94 100644 --- a/mobile-attack/relationship/relationship--1db350b2-1e8b-4d58-9086-eac41de1b110.json +++ b/mobile-attack/relationship/relationship--1db350b2-1e8b-4d58-9086-eac41de1b110.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--9df163ff-f2ee-44b2-aa09-46cba8616a1a", + "id": "bundle--5180d7f5-2b37-4422-b872-61e559faadd9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1db350b2-1e8b-4d58-9086-eac41de1b110", "created": "2022-04-05T17:13:56.584Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:20.286Z", "description": "", - "modified": "2022-04-05T17:13:56.584Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1e286a4a-63cd-47df-a034-11a5d92daceb.json b/mobile-attack/relationship/relationship--1e286a4a-63cd-47df-a034-11a5d92daceb.json index c616d92c3f..c129774ad2 100644 --- a/mobile-attack/relationship/relationship--1e286a4a-63cd-47df-a034-11a5d92daceb.json +++ b/mobile-attack/relationship/relationship--1e286a4a-63cd-47df-a034-11a5d92daceb.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--44d5d124-7def-4815-9d39-0a1a6133b7af", + "id": "bundle--65370373-14a7-40d4-818b-48da2430aae7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1e286a4a-63cd-47df-a034-11a5d92daceb", "created": "2022-04-06T15:41:03.981Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:20.492Z", "description": "", - "modified": "2022-04-06T15:41:03.981Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a.json b/mobile-attack/relationship/relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a.json index b855ec7d43..d935046ca8 100644 --- a/mobile-attack/relationship/relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a.json +++ b/mobile-attack/relationship/relationship--1e29a9ce-ed11-44ae-b66e-8b90ee79de6a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cd944bbd-c30b-461e-aa4d-1b334b23af0a", + "id": "bundle--0d96d0ed-8259-48de-ae8a-efbf0e3cceb5", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:42:04.769Z", + "modified": "2025-04-16T21:47:20.706Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) hides its icon from the application drawer after being launched for the first time.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1e822ff0-b1e1-4d80-b1a2-956919511809.json b/mobile-attack/relationship/relationship--1e822ff0-b1e1-4d80-b1a2-956919511809.json index 15447c80cc..429f31171b 100644 --- a/mobile-attack/relationship/relationship--1e822ff0-b1e1-4d80-b1a2-956919511809.json +++ b/mobile-attack/relationship/relationship--1e822ff0-b1e1-4d80-b1a2-956919511809.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd868e6d-f457-4ed9-88f0-3f351a053b13", + "id": "bundle--b591204a-7a42-43ad-b869-b50a8cc9df1c", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-17T13:09:31.942Z", + "modified": "2025-04-16T21:47:20.917Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can communicate with the C2 using HTTPS requests.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e.json b/mobile-attack/relationship/relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e.json index d7a59e5ce4..500cc9910b 100644 --- a/mobile-attack/relationship/relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e.json +++ b/mobile-attack/relationship/relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--88dccace-a099-401a-816a-04849e0ac3d1", + "id": "bundle--213ba3e4-5f2e-41a8-9b79-6a73dbb13d4e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e", "type": "relationship", + "id": "relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e", "created": "2019-09-03T19:45:48.496Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-10-14T16:47:53.226Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:21.132Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two extracts information from Facebook, Facebook Messenger, Gmail, IMO, Skype, Telegram, Viber, WhatsApp, and WeChat.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223.json b/mobile-attack/relationship/relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223.json index bc1637c208..f991c58fd5 100644 --- a/mobile-attack/relationship/relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223.json +++ b/mobile-attack/relationship/relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4831c76f-92eb-4f99-89c6-eddad0748cd3", + "id": "bundle--e6c857ca-02db-488c-92f3-f3d133744dec", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223", "type": "relationship", + "id": "relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223", "created": "2020-11-20T16:37:28.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T16:37:28.610Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:21.382Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has been distributed in two stages.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
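Review bot: The rewritten object for relationship--1f027bab-76d9-4f5f-a73e-ea733a1ab223 has neither `"revoked": false` nor `"x_mitre_deprecated": false`, although the Exodus relationship in the preceding file (relationship--1ed5b4fa-b871-4efa-87ee-1c91dcaa421e) gained both in this same commit. A consumer that selects active content with a strict comparison on those keys, rather than treating a missing key as false, may drop this Golden Cup relationship from its technique coverage. Adding `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` would match the sibling objects. The Bread relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87 and WolfRAT relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6 hunks further down have the same gap.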
diff --git a/mobile-attack/relationship/relationship--1f31e348-a4ee-4874-891f-393c65a7640a.json b/mobile-attack/relationship/relationship--1f31e348-a4ee-4874-891f-393c65a7640a.json index 89f1ca708e..910eed9ca3 100644 --- a/mobile-attack/relationship/relationship--1f31e348-a4ee-4874-891f-393c65a7640a.json +++ b/mobile-attack/relationship/relationship--1f31e348-a4ee-4874-891f-393c65a7640a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--2028a8d3-1bb4-4bd2-809c-735f9b6284ee", + "id": "bundle--55682368-3341-4af1-8889-9308defa8a67", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--1f31e348-a4ee-4874-891f-393c65a7640a", "created": "2023-07-21T19:34:13.200Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:34:13.200Z", + "modified": "2025-04-16T21:47:21.586Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate a device\u2019s contacts.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f.json b/mobile-attack/relationship/relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f.json index 1b9575d8c7..0023290679 100644 
--- a/mobile-attack/relationship/relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f.json +++ b/mobile-attack/relationship/relationship--1f32e107-aef9-42f8-84d1-4c4fcd863b7f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--625d1dc9-8c97-430e-a142-0db5cd4be7bc", + "id": "bundle--6d6b31c5-d26d-435b-895e-c8cc38e43ccb", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:07:21.417Z", + "modified": "2025-04-16T21:47:21.822Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Domain Generation Algorithms to connect to the C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435.json b/mobile-attack/relationship/relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435.json index 44073d4d10..29e396746a 100644 --- a/mobile-attack/relationship/relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435.json +++ b/mobile-attack/relationship/relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--9cda334e-68aa-42e7-96ea-33beb3b6998a", + "id": "bundle--3d6351a3-3968-4d88-affb-eeab3a03b02a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--1f44936e-b84c-404f-a92e-6fb7e24b5435", "created": "2022-04-05T19:51:08.770Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android 12 Features", - "url": "https://developer.android.com/about/versions/12/features", - "description": "Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022." + "description": "Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022.", + "url": "https://developer.android.com/about/versions/12/features" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:22.046Z", "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)", - "modified": "2022-04-05T19:51:08.770Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9.json b/mobile-attack/relationship/relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9.json index 48a4a19a13..e7b3796de8 100644 --- a/mobile-attack/relationship/relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9.json +++ b/mobile-attack/relationship/relationship--1f7428d7-6f6e-40d0-aedb-cb0578875ff9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d77635eb-d459-42e7-a307-e21419a9b026", + "id": "bundle--4366510b-f6c2-47de-99d0-6e0ced60a716", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:26:02.260Z", + "modified": "2025-04-16T21:47:22.266Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can hide its icon.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b.json b/mobile-attack/relationship/relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b.json index c48fcf3a46..bd95b452b2 100644 --- a/mobile-attack/relationship/relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b.json +++ b/mobile-attack/relationship/relationship--1f7b7de2-10e8-4eec-9c8f-db44ac3f271b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f0e97c2-457f-4a9b-a1f4-2a44aaffd048", + "id": "bundle--6cbd4b95-be3b-47fd-ba4e-aecb10e3710d", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:29:36.827Z", + "modified": "2025-04-16T21:47:22.473Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can collect SMS messages.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87.json b/mobile-attack/relationship/relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87.json index 590195f729..282a1fc081 100644 --- a/mobile-attack/relationship/relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87.json +++ b/mobile-attack/relationship/relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7a51f09f-8735-48e4-ab2b-0f07b40c0a2f", + "id": "bundle--f2f675c9-52b4-430f-837d-6a8742672543", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87", "type": "relationship", + "id": "relationship--1f8b1ee1-e44b-4a37-a407-5cbceba35d87", "created": "2020-05-04T14:04:56.217Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", - "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", - "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], - "modified": "2020-05-04T15:40:21.305Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:22.700Z", "description": "[Bread](https://attack.mitre.org/software/S0432) has utilized JavaScript within WebViews that loaded a URL hosted on a Bread-controlled server which provided functions to run. 
[Bread](https://attack.mitre.org/software/S0432) downloads billing fraud execution steps at runtime.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1f8f0021-6992-476c-ba1c-232542dc1633.json b/mobile-attack/relationship/relationship--1f8f0021-6992-476c-ba1c-232542dc1633.json index 54ff313e09..70e685476d 100644 --- a/mobile-attack/relationship/relationship--1f8f0021-6992-476c-ba1c-232542dc1633.json +++ b/mobile-attack/relationship/relationship--1f8f0021-6992-476c-ba1c-232542dc1633.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--745eafd0-14ac-4362-9a64-cbe1ac1737a0", + "id": "bundle--85a17073-18b2-4d8c-9d31-c8fd2a3b6abd", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:13:53.253Z", + "modified": "2025-04-16T21:47:22.928Z", "description": "On Android, the user can manage which applications have permission to access SMS messages through the device settings screen, revoking the permission if necessary.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd.json b/mobile-attack/relationship/relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd.json index 9009e07aab..dfc0666ea8 100644 --- a/mobile-attack/relationship/relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd.json +++ b/mobile-attack/relationship/relationship--1fdad4b5-18a1-4fbf-81ce-861feaf2bbdd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7458c992-55f6-4661-9e1c-232f4e252501", + "id": "bundle--0c837f21-5647-4002-8e68-18e97a833a88", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.102Z", + "modified": "2025-04-16T21:47:23.138Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can exfiltrate files encrypted with the ransomware module from the device and can modify external storage.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis) ", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--1fdf9c43-0237-461f-86d4-1da843078744.json b/mobile-attack/relationship/relationship--1fdf9c43-0237-461f-86d4-1da843078744.json index 5a71ee8257..8501cbce29 100644 --- a/mobile-attack/relationship/relationship--1fdf9c43-0237-461f-86d4-1da843078744.json +++ b/mobile-attack/relationship/relationship--1fdf9c43-0237-461f-86d4-1da843078744.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--6a24989c-c35b-477c-a8dd-5b717e25638a", + "id": "bundle--5f5ad993-cfe0-4a97-96c1-f21a31e3ef13", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--1fdf9c43-0237-461f-86d4-1da843078744", "created": "2023-09-21T19:38:49.571Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T19:38:49.571Z", + "modified": "2025-04-16T21:47:23.359Z", "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--20310407-9b05-4d7b-9548-961f545e14e1.json b/mobile-attack/relationship/relationship--20310407-9b05-4d7b-9548-961f545e14e1.json index 303379d410..0011a0ae8f 100644 --- a/mobile-attack/relationship/relationship--20310407-9b05-4d7b-9548-961f545e14e1.json +++ b/mobile-attack/relationship/relationship--20310407-9b05-4d7b-9548-961f545e14e1.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c36d0f74-130a-48e7-8fcc-a8f069851427", + "id": "bundle--19a4a9b5-48a2-4083-ab87-9715cd8202f4", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--20310407-9b05-4d7b-9548-961f545e14e1", "created": "2023-06-09T19:18:41.955Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-06-09T19:18:41.955Z", + "modified": "2025-04-16T21:47:23.574Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) uses an infrequent data upload schedule to avoid user detection and battery drain. It also can delete on-device data after being sent to the C2, and stores collected data in hidden folders on external storage.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6.json b/mobile-attack/relationship/relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6.json index 80302592ec..6103459d1a 100644 --- a/mobile-attack/relationship/relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6.json +++ b/mobile-attack/relationship/relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d7caf515-9c8f-4cbe-836c-00f0298a1823", + "id": "bundle--99573f75-5713-4d40-8ae7-cd21405ee40d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6", "type": "relationship", + "id": "relationship--20376a7f-897a-4f5d-a87a-93e64200a5a6", "created": "2020-07-20T13:27:33.553Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-08-10T21:57:54.518Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:23.816Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) sends the device\u2019s IMEI with each exfiltration request.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--204e30ed-5e69-400b-a814-b77e10596865.json b/mobile-attack/relationship/relationship--204e30ed-5e69-400b-a814-b77e10596865.json index 2a26e7be6f..a995c75b9d 100644 
--- a/mobile-attack/relationship/relationship--204e30ed-5e69-400b-a814-b77e10596865.json +++ b/mobile-attack/relationship/relationship--204e30ed-5e69-400b-a814-b77e10596865.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--81d5b456-f917-4057-afbc-1be83a8d8e5d", + "id": "bundle--a3d60060-49a9-48ea-8f94-40d3e4490d42", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--204e30ed-5e69-400b-a814-b77e10596865", "created": "2022-04-06T15:50:42.481Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:24.029Z", "description": "", - "modified": "2022-04-06T15:50:42.481Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f58cd69a-e548-478b-9248-8a9af881dc34", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735.json b/mobile-attack/relationship/relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735.json index d9ce05da13..a0fbc2d77e 100644 --- a/mobile-attack/relationship/relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735.json +++ b/mobile-attack/relationship/relationship--2065382f-45ae-4b9a-a77c-027ecd6c1735.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b3a34f1-f5fb-4ecd-a6c4-c4d3393cfebb", + "id": "bundle--d601c54f-135b-431b-a115-502ad1c97295", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:23:38.651Z", + "modified": "2025-04-16T21:47:24.296Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect SMS, MMS, and Gmail messages.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--209aa948-393c-46b0-9488-ef93a6252438.json b/mobile-attack/relationship/relationship--209aa948-393c-46b0-9488-ef93a6252438.json index 8102f08fee..c22f5dc32c 100644 --- a/mobile-attack/relationship/relationship--209aa948-393c-46b0-9488-ef93a6252438.json +++ b/mobile-attack/relationship/relationship--209aa948-393c-46b0-9488-ef93a6252438.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--c6d51386-4769-4371-86c3-8056ed13629b", + "id": "bundle--dabf79c4-76db-4cac-b106-42eb8cabec81", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--209aa948-393c-46b0-9488-ef93a6252438", "created": "2022-03-30T20:07:19.296Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:24.513Z", "description": "", - "modified": "2022-03-30T20:07:19.296Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0.json b/mobile-attack/relationship/relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0.json index a43b8a16de..6e7c6782fd 100644 --- a/mobile-attack/relationship/relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0.json +++ b/mobile-attack/relationship/relationship--20aaafe2-1f55-410f-9eb1-1fc979021fe0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--283d5fd9-a008-4a0b-950a-f02dae23851c", + "id": "bundle--2f7e0dbb-fcd1-4534-8faf-414213f94ad3", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:51:16.331Z", + "modified": "2025-04-16T21:47:24.722Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the contact list.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86.json b/mobile-attack/relationship/relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86.json index 04d8a295bd..86a090b307 100644 --- a/mobile-attack/relationship/relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86.json +++ b/mobile-attack/relationship/relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--3489c4d7-920e-4936-9cdf-dd0391348848", + "id": "bundle--e7155c50-56bf-4cbc-8d53-6d7047d4d7df", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--20dcd886-56c4-421d-ba36-0f37a47a3f86", "created": "2022-04-06T13:55:37.498Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:24.920Z", "description": "Users should be advised that applications generally do not require permission to send SMS messages.", - "modified": "2022-04-06T13:55:37.498Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef.json b/mobile-attack/relationship/relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef.json new file mode 100644 index 0000000000..689babb13d --- /dev/null +++ b/mobile-attack/relationship/relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--fb60bcc4-8dd2-42d2-9b47-446d12becdd2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--20e8cf98-b5c1-4ad8-bdba-a9bad0344bef", + "created": "2024-03-26T19:30:26.368Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:25.131Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) listens for the `BOOT_COMPLETED` broadcast to activate malware.(Citation: welivesecurity_apt-c-23) ", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2115228b-c61a-4ebb-829a-df7355635fbf.json b/mobile-attack/relationship/relationship--2115228b-c61a-4ebb-829a-df7355635fbf.json index d852475485..84e901cef4 100644 --- a/mobile-attack/relationship/relationship--2115228b-c61a-4ebb-829a-df7355635fbf.json +++ b/mobile-attack/relationship/relationship--2115228b-c61a-4ebb-829a-df7355635fbf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--88a76a75-84ab-4845-b6c9-0d49bb22e294", + "id": "bundle--d694ac07-fe55-4571-89a6-d584d8af45ab", "spec_version": "2.0", "objects": [ { 
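Review bot: The `description` value in the new file relationship--20e8cf98 ends with a space before the closing quote, after `(Citation: welivesecurity_apt-c-23)`. The updated relationship files elsewhere in this patch end their descriptions directly on the citation. The same trailing space appears in the new files relationship--2167de58, relationship--2270d987 and relationship--22e90a62. Tooling that diffs or hashes description text to spot real content changes between ATT&CK releases would register a difference that carries no meaning. I would trim it so each value ends like `…(Citation: welivesecurity_apt-c-23)",`.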
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:50:12.639Z", + "modified": "2025-04-16T21:47:25.365Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can detect if the app is running on an emulator.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--212801c2-5d14-4381-b25a-340cda11a5ac.json b/mobile-attack/relationship/relationship--212801c2-5d14-4381-b25a-340cda11a5ac.json index a66cd249e2..05d36b6f7d 100644 --- a/mobile-attack/relationship/relationship--212801c2-5d14-4381-b25a-340cda11a5ac.json +++ b/mobile-attack/relationship/relationship--212801c2-5d14-4381-b25a-340cda11a5ac.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--51a54ac9-6e91-4614-8d16-eef9750682d4", + "id": "bundle--4de30d8c-44b3-4e32-ae46-40724d6ed03a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--212801c2-5d14-4381-b25a-340cda11a5ac", "created": "2020-12-18T20:14:47.310Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:25.579Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has displayed a form to collect user data after installation.(Citation: WhiteOps TERRACOTTA)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at 
end of file diff --git a/mobile-attack/relationship/relationship--2167de58-8453-4ac3-977d-30a2b3526818.json b/mobile-attack/relationship/relationship--2167de58-8453-4ac3-977d-30a2b3526818.json new file mode 100644 index 0000000000..c8cae58815 --- /dev/null +++ b/mobile-attack/relationship/relationship--2167de58-8453-4ac3-977d-30a2b3526818.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--faa78c16-b3a9-406e-abfe-8c91d2da50bc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2167de58-8453-4ac3-977d-30a2b3526818", + "created": "2025-02-12T15:22:13.938Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Mphasis SS_SIM_Swap Apr2024", + "description": "Mphasis. (2024, April 17). Scattered Spider conducts SIM swapping attacks. Retrieved February 3, 2025.", + "url": "https://www.mphasis.com/content/dam/mphasis-com/global/en/home/services/cybersecurity/scattered-spider-conducts-sim-swapping-attacks-12.pdf" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:25.798Z", + "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used SIM swapping to maintain persistence on mobile carrier networks and SIM cards.(Citation: Mphasis SS_SIM_Swap Apr2024) ", + "relationship_type": "uses", + "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", + "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf.json b/mobile-attack/relationship/relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf.json index 6e9f0f80c4..61cf5bf546 100644 
--- a/mobile-attack/relationship/relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf.json +++ b/mobile-attack/relationship/relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--2706de6d-e23b-4b6c-9f92-0e29f2c9ba28", + "id": "bundle--ab6ef6af-98c5-4ada-b28a-3f0d81daec9d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--21ab4328-7908-4fef-9636-d4d162e4a0cf", "created": "2023-12-18T19:05:38.267Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:05:38.267Z", + "modified": "2025-04-16T21:47:26.003Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can find and exfiltrate files with certain extensions, such as .jpg, .mp4, .html, .docx, and .pdf.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9.json b/mobile-attack/relationship/relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9.json index 2565ad5fdb..73fd4b56f8 100644 --- a/mobile-attack/relationship/relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9.json +++ b/mobile-attack/relationship/relationship--21e179f2-49c9-4ec9-ac7a-b8eae8e15bd9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13b7555a-3e33-4081-839a-d2009a0a4f8a", + "id": "bundle--4f35f67a-8034-4493-bfd0-af23db8805df", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:36:07.297Z", + "modified": "2025-04-16T21:47:26.218Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device\u2019s call log.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--22041a01-75e7-4ff6-8768-ad45188c53c7.json b/mobile-attack/relationship/relationship--22041a01-75e7-4ff6-8768-ad45188c53c7.json index 284e73b9b9..54da3d38e3 100644 --- a/mobile-attack/relationship/relationship--22041a01-75e7-4ff6-8768-ad45188c53c7.json +++ b/mobile-attack/relationship/relationship--22041a01-75e7-4ff6-8768-ad45188c53c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b3523e1f-c2d7-4cef-a742-6bfea893020b", + "id": "bundle--441b3f1b-688f-4b3e-bba2-f9e54a6d1ef4", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-01T22:03:00.755Z", + "modified": "2025-04-16T21:47:26.432Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can obtain a list of installed applications.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--22290cce-856a-46d5-9589-699f5dfc1429.json b/mobile-attack/relationship/relationship--22290cce-856a-46d5-9589-699f5dfc1429.json index feaff00941..6438db5d80 100644 --- a/mobile-attack/relationship/relationship--22290cce-856a-46d5-9589-699f5dfc1429.json +++ b/mobile-attack/relationship/relationship--22290cce-856a-46d5-9589-699f5dfc1429.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--9174f1fa-1240-4f4a-a9f9-787c595db263", + "id": "bundle--8ffb818d-2bbd-46bd-bdae-d8c1ffbd38be", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--22290cce-856a-46d5-9589-699f5dfc1429", "type": "relationship", + "id": "relationship--22290cce-856a-46d5-9589-699f5dfc1429", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], - "modified": "2020-07-20T13:49:03.687Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:26.652Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) covertly records phone calls.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--22334426-e99f-4e97-b4dd-17e297da4118.json b/mobile-attack/relationship/relationship--22334426-e99f-4e97-b4dd-17e297da4118.json index ff73242236..3b4d34660e 100644 --- a/mobile-attack/relationship/relationship--22334426-e99f-4e97-b4dd-17e297da4118.json +++ b/mobile-attack/relationship/relationship--22334426-e99f-4e97-b4dd-17e297da4118.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c1cf4dd8-4bf1-4704-8b1b-6cbf46a121f8", + "id": "bundle--410a8273-6945-4404-abb4-2a61929bd18d", "spec_version": "2.0", "objects": [ { 
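Review bot: As far as its two hunks show, the new side of relationship--22290cce gains `x_mitre_attack_spec_version` but still has no `revoked` or `x_mitre_deprecated` key. Most other relationship objects in this patch carry both as `false`. The single-hunk rewrites of relationship--22708018, relationship--22f3d28b and relationship--2341fdfa have the same shape. An absent `revoked` defaults to false in STIX, but a consumer that filters with a strict equality test on either key, rather than a default, could silently drop these relationships from a detection-coverage mapping. I would add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`, or confirm the omission is intended for these older objects.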
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:23:54.777Z", + "modified": "2025-04-16T21:47:26.863Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d.json b/mobile-attack/relationship/relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d.json new file mode 100644 index 0000000000..0d5f0cf7a7 --- /dev/null +++ b/mobile-attack/relationship/relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--24581837-c531-420d-b9e4-d4dce7806d14", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--22512e29-4524-45d3-88b7-d9ca764f7b3d", + "created": "2025-03-24T20:13:57.319Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:27.088Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has plugins for executing shell commands either from the C2 server or a library file called `zt.dylib`.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--22708018-defd-4690-8b0f-fe47e11cb5d6.json b/mobile-attack/relationship/relationship--22708018-defd-4690-8b0f-fe47e11cb5d6.json index b59d7b6303..4f65e30544 100644 --- a/mobile-attack/relationship/relationship--22708018-defd-4690-8b0f-fe47e11cb5d6.json +++ b/mobile-attack/relationship/relationship--22708018-defd-4690-8b0f-fe47e11cb5d6.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4180ab9c-c308-4e2c-ab12-77b4bf5d332e", + "id": "bundle--26d921a9-ac30-43f3-87d7-5a255bcd23a6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--22708018-defd-4690-8b0f-fe47e11cb5d6", "type": "relationship", + "id": "relationship--22708018-defd-4690-8b0f-fe47e11cb5d6", "created": "2020-07-15T20:20:59.316Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.316Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:27.331Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can capture all device notifications and hide notifications from the user.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2270d987-4698-4b59-9186-3d7637cf6599.json b/mobile-attack/relationship/relationship--2270d987-4698-4b59-9186-3d7637cf6599.json new file mode 100644 index 0000000000..2ed6122399 --- /dev/null +++ b/mobile-attack/relationship/relationship--2270d987-4698-4b59-9186-3d7637cf6599.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--ba7d614a-9656-43bc-9e2e-06745ef0ebbc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2270d987-4698-4b59-9186-3d7637cf6599", + "created": "2025-03-28T14:39:53.955Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:27.537Z", + "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has extracted the device\u2019s keychain.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8.json b/mobile-attack/relationship/relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8.json index 9dd0b4498c..69b4fe3713 100644 --- a/mobile-attack/relationship/relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8.json +++ b/mobile-attack/relationship/relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--8730edb5-1ebd-478a-82d4-e891c78ceba7", + "id": "bundle--0a39fda5-1479-4065-b6e1-bfdb267589be", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--22755928-b0e1-4004-a89e-5f5ea2504cf8", "created": "2023-08-04T18:32:57.089Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:32:57.089Z", + "modified": "2025-04-16T21:47:27.770Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can record environmental and call audio.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--22773074-4a95-48e0-905f-688ce048b5ed.json b/mobile-attack/relationship/relationship--22773074-4a95-48e0-905f-688ce048b5ed.json index 40a008853c..e108aa22a3 100644 --- a/mobile-attack/relationship/relationship--22773074-4a95-48e0-905f-688ce048b5ed.json +++ b/mobile-attack/relationship/relationship--22773074-4a95-48e0-905f-688ce048b5ed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--722df76d-12d3-4ee2-b4f8-d9e31419a1cd", + "id": "bundle--0dbc81ed-0775-4f17-ac82-32e111fda457", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:53:51.524Z", + "modified": "2025-04-16T21:47:27.991Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can prevent the user from interacting with the UI by showing a WebView with a persistent cursor.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--22e90a62-3f31-4190-98ee-eabede72eb07.json b/mobile-attack/relationship/relationship--22e90a62-3f31-4190-98ee-eabede72eb07.json new file mode 100644 index 0000000000..5c361548bd --- /dev/null +++ b/mobile-attack/relationship/relationship--22e90a62-3f31-4190-98ee-eabede72eb07.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--6fb70bfb-680c-459b-b54b-6e48b7692c49", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--22e90a62-3f31-4190-98ee-eabede72eb07", + "created": "2025-03-28T14:59:44.638Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + }, + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:28.240Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used 3DES and AES to encrypt C2 communication and data.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6.json b/mobile-attack/relationship/relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6.json index d0e8359bb6..8b5463cb83 100644 
--- a/mobile-attack/relationship/relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6.json +++ b/mobile-attack/relationship/relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--cb660302-b8d6-47aa-9bfe-fb72caa687e4", + "id": "bundle--e419421c-a713-4bb1-ae61-56f751bcc5a5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6", "type": "relationship", + "id": "relationship--22f3d28b-ba0c-4aa3-99b4-60790ba9c7b6", "created": "2021-01-05T20:16:20.484Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.484Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:28.462Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can track the device\u2019s location.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--22f5308c-77ee-4198-be1c-54062aa6a613.json b/mobile-attack/relationship/relationship--22f5308c-77ee-4198-be1c-54062aa6a613.json index 2191a23a3d..fd692e5ec9 100644 --- a/mobile-attack/relationship/relationship--22f5308c-77ee-4198-be1c-54062aa6a613.json +++ b/mobile-attack/relationship/relationship--22f5308c-77ee-4198-be1c-54062aa6a613.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--246b91ef-5feb-4165-871a-47c03d1af881", + "id": "bundle--a5a2b47f-6f2b-4de1-8dc2-3c4f35b0b404", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:00:13.616Z", + "modified": "2025-04-16T21:47:28.701Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has used HTTPS for C2 communication.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14.json b/mobile-attack/relationship/relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14.json index fdc0b8ec74..65ce199f1d 100644 --- a/mobile-attack/relationship/relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14.json +++ b/mobile-attack/relationship/relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--528fdc9c-7be9-49ae-91c0-db824abf3fd0", + "id": "bundle--daadd18e-b98b-4aea-8ced-f67a1fe3e1a8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14", "type": "relationship", + "id": "relationship--2341fdfa-9699-4798-a35a-2cc4f150cd14", "created": "2019-07-10T15:35:43.610Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", - "source_name": "Lookout Dark Caracal Jan 2018" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-08-09T18:06:11.693Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:28.911Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) retrieves a list of all applications installed on the device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--23522416-9493-4960-8408-f7befae7be60.json b/mobile-attack/relationship/relationship--23522416-9493-4960-8408-f7befae7be60.json index c5a6c09add..2bbcfc45f1 100644 
--- a/mobile-attack/relationship/relationship--23522416-9493-4960-8408-f7befae7be60.json +++ b/mobile-attack/relationship/relationship--23522416-9493-4960-8408-f7befae7be60.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c33ac97b-ba9b-4d11-88af-f572a3002834", + "id": "bundle--f890d428-beb6-4dfc-b601-8990bf5d93a4", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--23522416-9493-4960-8408-f7befae7be60", "created": "2024-02-20T23:59:14.650Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:59:14.650Z", + "modified": "2025-04-16T21:47:29.125Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device\u2019s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081.json b/mobile-attack/relationship/relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081.json index 76827cb1aa..04568ada76 100644 --- a/mobile-attack/relationship/relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081.json +++ b/mobile-attack/relationship/relationship--2359ad4b-b00b-4fd5-aef8-2d2be8bcf081.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--11af9a45-a631-44fa-be3c-4282e79c85f2", + "id": "bundle--0c9cba74-e1da-4c68-9290-cf40f49ce038", "spec_version": "2.0", "objects": [ { @@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:52:20.587Z", + "modified": "2025-04-16T21:47:29.381Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use Accessibility Services to disable Google Play Protect.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2.json b/mobile-attack/relationship/relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2.json index 4743d6e854..01bf0cb2d5 100644 --- a/mobile-attack/relationship/relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2.json 
+++ b/mobile-attack/relationship/relationship--23a67f24-a8eb-4e31-acf1-11cb5e9f88b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7271234d-395b-44ca-911c-3ed03c9db078", + "id": "bundle--918f4eb9-0722-4d25-a66b-a2c628358aa4", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:43:35.115Z", + "modified": "2025-04-16T21:47:29.580Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use Accessibility Services to detect which process is in the foreground.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798.json b/mobile-attack/relationship/relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798.json index deefe2ae0a..abe65044b1 100644 --- a/mobile-attack/relationship/relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798.json +++ b/mobile-attack/relationship/relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b15ab19c-78d6-4852-8ca3-c333d85c8f45", + "id": "bundle--0668402b-2df4-4bd8-ac9a-c6a3fef5f053", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798", "type": "relationship", + "id": "relationship--23cac1d7-27ca-4c78-bfa0-2d6023d21798", "created": "2020-10-29T19:01:13.854Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Microsoft MalLockerB", - "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/", - "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020." + "description": "D. Venkatesan. (2020, October 8). Sophisticated new Android malware marks the latest evolution of mobile ransomware . Retrieved October 29, 2020.", + "url": "https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/" } ], - "modified": "2020-10-29T19:01:13.854Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:29.792Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has employed both name mangling and meaningless variable names in source. [AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has stored encrypted payload code in the Assets directory, coupled with a custom decryption routine that assembles a .dex file by passing data through Android Intent objects. 
(Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--23ecc134-0623-45ec-b8b5-52516483bda1.json b/mobile-attack/relationship/relationship--23ecc134-0623-45ec-b8b5-52516483bda1.json index 680fee117a..f8d33bb3e4 100644 --- a/mobile-attack/relationship/relationship--23ecc134-0623-45ec-b8b5-52516483bda1.json +++ b/mobile-attack/relationship/relationship--23ecc134-0623-45ec-b8b5-52516483bda1.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--4b83dac7-a538-4fbd-acf7-d7335c39fbe6", + "id": "bundle--d9330d7e-d2e3-43f7-8cb5-f6ce128eeae6", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--23ecc134-0623-45ec-b8b5-52516483bda1", "created": "2023-04-14T14:10:04.452Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-14T14:10:04.452Z", + "modified": "2025-04-16T21:47:29.989Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) has used code abstraction and anti-emulation checks to potentially avoid running while under analysis.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f.json b/mobile-attack/relationship/relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f.json index 406e9c980e..e15cb62a5b 100644 --- a/mobile-attack/relationship/relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f.json +++ b/mobile-attack/relationship/relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--8166bbbd-25f1-4b08-9ed7-9a9e4932b07b", + "id": "bundle--2d3d44d6-0610-4562-913b-06eecd8c8702", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--23fa0fcc-0193-45f2-9e0b-a5f68380015f", "created": "2022-04-01T18:52:13.171Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:30.254Z", "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", - "modified": "2022-04-01T18:52:13.171Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--242dc659-c205-4e9e-95f9-14fee66195af.json b/mobile-attack/relationship/relationship--242dc659-c205-4e9e-95f9-14fee66195af.json index 3b90583599..2c31ab81c0 100644 --- a/mobile-attack/relationship/relationship--242dc659-c205-4e9e-95f9-14fee66195af.json +++ b/mobile-attack/relationship/relationship--242dc659-c205-4e9e-95f9-14fee66195af.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--bed7b187-597e-41d3-bff3-4f598994f309", + "id": "bundle--d71d96d0-fc5a-455c-8318-ac4f7472025a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--242dc659-c205-4e9e-95f9-14fee66195af", "created": "2022-04-01T15:29:36.082Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:30.450Z", "description": "Configuration of per-app VPN policies instead of device-wide VPN can restrict access to internal enterprise resource access via VPN to only enterprise-approved applications", - "modified": "2022-04-01T15:29:36.082Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a.json b/mobile-attack/relationship/relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a.json new file mode 100644 index 0000000000..37749cbda1 --- /dev/null +++ b/mobile-attack/relationship/relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--0243f0b5-adc9-4c00-ae75-89788567108f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--243bafe0-206c-4a17-94a6-4ff0492ebc7a", + "created": "2024-03-26T19:33:50.343Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "sophos_android_apt_spyware", + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + }, + { + "source_name": "threatpost AndroidSpyware 2020", + "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", + "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:30.665Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can capture pictures and videos.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53.json b/mobile-attack/relationship/relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53.json index ab43e9ea80..f0b678a6c2 100644 --- a/mobile-attack/relationship/relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53.json +++ b/mobile-attack/relationship/relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--bcc4571d-3285-4bef-803a-eb1d49d52eaa", + "id": "bundle--4f756d75-d301-4957-8dc9-c16bd3b5714f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53", "type": "relationship", + "id": "relationship--24951cfe-d3ce-4802-86ff-028fc9cbbe53", "created": "2020-07-15T20:20:59.318Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.318Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:30.890Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) uses foreground persistence to keep a service running. 
It shows the user a transparent notification to evade detection.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--24a7379e-a994-411b-b17c-add6c6c6fc07.json b/mobile-attack/relationship/relationship--24a7379e-a994-411b-b17c-add6c6c6fc07.json index 06a1e5f0be..79a787a566 100644 --- a/mobile-attack/relationship/relationship--24a7379e-a994-411b-b17c-add6c6c6fc07.json +++ b/mobile-attack/relationship/relationship--24a7379e-a994-411b-b17c-add6c6c6fc07.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a4ed6c69-96ed-4511-9a2b-bb2478419dfa", + "id": "bundle--a3068e02-23c5-4203-af22-4120d11e9977", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--24a7379e-a994-411b-b17c-add6c6c6fc07", "type": "relationship", + "id": "relationship--24a7379e-a994-411b-b17c-add6c6c6fc07", "created": "2020-12-24T21:45:56.949Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:45:56.949Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:31.109Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has hidden malicious functionality in a second stage file and has encrypted C2 server information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d.json b/mobile-attack/relationship/relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d.json index 9209c5d021..2ee9e226d1 100644 --- a/mobile-attack/relationship/relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d.json +++ b/mobile-attack/relationship/relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--06d45601-8f29-4eeb-835d-da2459b05c3e", + "id": "bundle--32d8eb40-7a8b-427a-985c-b1394ef9ee8c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--24bcb2cd-1532-4e98-a485-a55e06d2577d", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "", - "modified": "2022-04-06T15:41:16.865Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:31.332Z", + "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--6b846ad0-cc20-4db6-aa34-91561397c5e2", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48.json b/mobile-attack/relationship/relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48.json index 021fb50337..7fd77bff93 100644 --- a/mobile-attack/relationship/relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48.json +++ b/mobile-attack/relationship/relationship--24de6f6e-86d3-4e4e-a965-3e0435205f48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ae2fb014-46cf-4ce5-9b72-637e24ff55c7", + "id": "bundle--e93fe555-ebe8-4afa-95ca-841df358a4b8", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:24:09.872Z", + "modified": "2025-04-16T21:47:31.538Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can intercept SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--25466097-53c6-4dc7-8409-197758e88673.json b/mobile-attack/relationship/relationship--25466097-53c6-4dc7-8409-197758e88673.json index 85104ed77e..3b5b823c25 100644 --- a/mobile-attack/relationship/relationship--25466097-53c6-4dc7-8409-197758e88673.json +++ b/mobile-attack/relationship/relationship--25466097-53c6-4dc7-8409-197758e88673.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--337bbe3e-4e10-470d-9feb-ad4d35217a2e", + "id": "bundle--0912511b-1d83-4aad-a648-552827f5094a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--25466097-53c6-4dc7-8409-197758e88673", "created": "2023-08-16T16:45:11.580Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:45:11.580Z", + "modified": "2025-04-16T21:47:31.749Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can download HTML overlay pages after installation.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--25655385-5b0d-4700-a59f-d5d043625b84.json b/mobile-attack/relationship/relationship--25655385-5b0d-4700-a59f-d5d043625b84.json index 0fe6776000..6c4ce0905f 100644 --- a/mobile-attack/relationship/relationship--25655385-5b0d-4700-a59f-d5d043625b84.json +++ b/mobile-attack/relationship/relationship--25655385-5b0d-4700-a59f-d5d043625b84.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5c2db2f-0624-45bc-afa9-673a036a9ab0", + "id": "bundle--eb76a675-eebe-4570-99f9-ab2bdf0a6de6", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:13:16.813Z", + "modified": "2025-04-16T21:47:31.953Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use rooting exploits to silently give itself permissions or install additional malware.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3.json b/mobile-attack/relationship/relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3.json index d18d6fe7af..b32ca6cbe3 100644 --- a/mobile-attack/relationship/relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3.json +++ b/mobile-attack/relationship/relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--eb1e713d-fb17-4290-82e2-bab253be216d", + "id": "bundle--4cc68a9e-a1bb-47d3-b79b-df86fa8b6784", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--257f4f86-950f-4f5a-b38c-0de85753d2d3", "created": "2023-12-18T18:09:56.997Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -23,16 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:09:56.997Z", + "modified": "2025-04-16T21:47:32.267Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can uninstall itself and remove traces of infection.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527.json b/mobile-attack/relationship/relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527.json index ec92fdf5de..243c434ae1 100644 --- a/mobile-attack/relationship/relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527.json +++ b/mobile-attack/relationship/relationship--25cdb4f2-5b38-411c-bfb6-eca7ea4d4527.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--489d74d8-f28b-4554-b9e5-88d7b2f3016a", + "id": "bundle--a01f08df-cb6b-485a-95c7-9bfd80439b07", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:57:56.616Z", + "modified": "2025-04-16T21:47:32.477Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve nearby cell tower and Wi-Fi network information.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3.json b/mobile-attack/relationship/relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3.json index 56a3e03f39..01ec296b72 100644 --- a/mobile-attack/relationship/relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3.json +++ b/mobile-attack/relationship/relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--37e22d85-1032-4703-84db-3cc39b9d9415", + "id": "bundle--ff31377d-be5b-4629-a263-4dbfafdc615e", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--25de6cf6-38d5-4d1e-b3f1-6956a0ff0ac3", "created": "2023-03-03T16:26:48.531Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:26:48.531Z", + "modified": "2025-04-16T21:47:32.711Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected compromised device MAC addresses.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd.json b/mobile-attack/relationship/relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd.json index e1771256d0..f23c58036a 100644 --- a/mobile-attack/relationship/relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd.json +++ b/mobile-attack/relationship/relationship--2621a020-8d4f-4ca4-b874-0be336a8cafd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d45f50c0-7d1c-4060-b508-2113e617d3e1", + "id": "bundle--0340488e-db26-4f4d-b2b6-5438178f347e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.103Z", + "modified": "2025-04-16T21:47:32.911Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) exfiltrates data encrypted (with RC4) by its ransomware module.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--268c12df-d3bc-46fa-99e9-32caab50b175.json b/mobile-attack/relationship/relationship--268c12df-d3bc-46fa-99e9-32caab50b175.json index 478ba57ea2..86c824cedf 100644 --- a/mobile-attack/relationship/relationship--268c12df-d3bc-46fa-99e9-32caab50b175.json +++ b/mobile-attack/relationship/relationship--268c12df-d3bc-46fa-99e9-32caab50b175.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--6b770dae-1287-4195-8240-48fc72d040c9", + "id": "bundle--f42cdc57-e4c5-45c0-9c27-f62c5c0281f2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--268c12df-d3bc-46fa-99e9-32caab50b175", "created": "2022-03-30T15:52:09.759Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:33.130Z", "description": "Device attestation can often detect jailbroken or rooted devices.", - "modified": "2022-03-30T15:52:09.759Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--268c2962-a557-4782-a40b-eef430c87740.json b/mobile-attack/relationship/relationship--268c2962-a557-4782-a40b-eef430c87740.json new file mode 100644 index 0000000000..b7fc9b8860 --- /dev/null +++ b/mobile-attack/relationship/relationship--268c2962-a557-4782-a40b-eef430c87740.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--9752d2bd-0f28-4acb-bfc6-c91712d1a083", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--268c2962-a557-4782-a40b-eef430c87740", + "created": "2025-03-24T14:51:33.225Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee MoqHao 2019", + "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:33.367Z", + "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the official icon of the Korean police application and the package name \u201ckpo,\u201d which contain references related to the Korean police.(Citation: McAfee MoqHao 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", + "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--269d4409-e287-4ef3-b5f3-765ec03e503e.json b/mobile-attack/relationship/relationship--269d4409-e287-4ef3-b5f3-765ec03e503e.json index 437eead3a1..8628da0b26 100644 --- a/mobile-attack/relationship/relationship--269d4409-e287-4ef3-b5f3-765ec03e503e.json +++ b/mobile-attack/relationship/relationship--269d4409-e287-4ef3-b5f3-765ec03e503e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b633f120-8c3d-4613-b4ff-92e4eeee01c9", + "id": "bundle--f700888a-6827-4502-a490-d85872a0445c", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:18:38.700Z", + "modified": "2025-04-16T21:47:33.578Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) grants itself permissions by injecting its hash into the kernel\u2019s trust cache.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7.json b/mobile-attack/relationship/relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7.json index 295a070691..377af4cca5 100644 --- a/mobile-attack/relationship/relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7.json +++ b/mobile-attack/relationship/relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--48e7b1b1-33fb-4b51-8ff8-0a02df23a8c0", + "id": "bundle--00aa6436-a111-4db9-b9d8-ca0fb51fe6ab", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7", "created": "2022-04-01T18:45:11.299Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:33.818Z", "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them.", - "modified": "2022-04-01T18:45:11.299Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51.json b/mobile-attack/relationship/relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51.json index 940b1f7e76..aefcd997f9 100644 --- a/mobile-attack/relationship/relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51.json +++ b/mobile-attack/relationship/relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51.json 
@@ -1,25 +1,24 @@ { "type": "bundle", - "id": "bundle--c4ee9972-1b5e-4446-9e20-911ab590697c", + "id": "bundle--c49781ba-1a41-4983-8fe5-1a7339a6f526", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51", "created": "2022-04-01T12:37:17.515Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:34.039Z", "description": "OS feature updates often enhance security and privacy around permissions. ", - "modified": "2022-04-01T12:37:17.515Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--26c2626b-92a0-4798-b9f3-00abf12a817b.json b/mobile-attack/relationship/relationship--26c2626b-92a0-4798-b9f3-00abf12a817b.json new file mode 100644 index 0000000000..a0c49571f2 --- /dev/null +++ b/mobile-attack/relationship/relationship--26c2626b-92a0-4798-b9f3-00abf12a817b.json 
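Review bot: The rewritten object relationship--26bf27dc-f65d-477d-abbd-f4c3ce475c51 still has no `created_by_ref`; its new side goes from `created` straight to `revoked`. The other `mitigates` relationships rewritten in this patch, such as relationship--268c12df-d3bc-46fa-99e9-32caab50b175 and relationship--26b1025b-5c08-4b6e-8c50-7d2baf29e7b7, carry `"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"` in that position. The property is optional in STIX, but a consumer that attributes or filters objects by creator identity would treat this record differently from its siblings. If the omission is not deliberate, the line to add after `created` is `"created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",`. These bundles look machine-exported, so the correction probably belongs in the source record rather than in this file.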
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--e056018b-4da1-4635-b5a0-1554c0a4dbbf", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--26c2626b-92a0-4798-b9f3-00abf12a817b", + "created": "2025-03-28T14:41:49.137Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:34.264Z", + "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has deleted an implant module or specified files.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--27050442-e578-44b7-9534-ada78824befe.json b/mobile-attack/relationship/relationship--27050442-e578-44b7-9534-ada78824befe.json index 8c1a99b262..d1f21db506 100644 --- a/mobile-attack/relationship/relationship--27050442-e578-44b7-9534-ada78824befe.json +++ b/mobile-attack/relationship/relationship--27050442-e578-44b7-9534-ada78824befe.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--95ebca07-9b45-4fb2-9c7d-14ecf2704623", + "id": "bundle--2fa447c8-d8b3-48ce-bb40-6dfa08201059", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--27050442-e578-44b7-9534-ada78824befe", "created": "2023-02-06T19:45:09.612Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-06T19:45:09.612Z", + "modified": "2025-04-16T21:47:34.475Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can intercept and read SMS messages.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--271a311f-71bc-4558-a314-0edfbec44b64.json b/mobile-attack/relationship/relationship--271a311f-71bc-4558-a314-0edfbec44b64.json index a6dc393d7c..cd7e2e63ef 100644 --- a/mobile-attack/relationship/relationship--271a311f-71bc-4558-a314-0edfbec44b64.json +++ b/mobile-attack/relationship/relationship--271a311f-71bc-4558-a314-0edfbec44b64.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--21ba1ca6-39a7-4082-b71f-79f59432e347", + "id": "bundle--1bea4eb2-b5f3-4a8a-99bf-4fbcda15904e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--271a311f-71bc-4558-a314-0edfbec44b64", "type": "relationship", + "id": "relationship--271a311f-71bc-4558-a314-0edfbec44b64", "created": "2019-11-21T16:42:48.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", - "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", - "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], - "modified": "2019-11-21T16:42:48.495Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:34.690Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) collects device information, including the device model and OS version.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--27247071-356b-4b5f-bc8f-6436a3fec095.json b/mobile-attack/relationship/relationship--27247071-356b-4b5f-bc8f-6436a3fec095.json index c439132afe..cea33cef55 100644 --- a/mobile-attack/relationship/relationship--27247071-356b-4b5f-bc8f-6436a3fec095.json +++ b/mobile-attack/relationship/relationship--27247071-356b-4b5f-bc8f-6436a3fec095.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--6bfb4bfc-f65e-457d-bad0-5257bedb7c90", + "id": "bundle--86704a74-4780-4123-89c3-6bb3195b6f6d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095", "type": "relationship", + "id": "relationship--27247071-356b-4b5f-bc8f-6436a3fec095", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:34.884Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's location.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--27490b14-8044-408a-8c6a-6d8427eb78ff.json b/mobile-attack/relationship/relationship--27490b14-8044-408a-8c6a-6d8427eb78ff.json index 0ee2b27b7c..cdc2968909 100644 --- a/mobile-attack/relationship/relationship--27490b14-8044-408a-8c6a-6d8427eb78ff.json +++ b/mobile-attack/relationship/relationship--27490b14-8044-408a-8c6a-6d8427eb78ff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--89fc2312-1c83-423b-ae92-fe92e38a2210", + "id": "bundle--b28fff01-55de-4042-8949-c52c21424c60", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:44:47.944Z", + "modified": "2025-04-16T21:47:35.083Z", "description": "The user can review which applications have location and sensitive phone information permissions in the operating system\u2019s settings menu. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9.json b/mobile-attack/relationship/relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9.json index 214f04501f..537b6fd492 100644 --- a/mobile-attack/relationship/relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9.json +++ b/mobile-attack/relationship/relationship--276bfd69-33cc-4665-8aa7-72bed65d01f9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--377ff906-3ddc-46be-88db-65700252c7d7", + "id": "bundle--a6fca0a6-be4c-4f85-ac1d-98ae946aa7c8", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:25:22.438Z", + "modified": "2025-04-16T21:47:35.312Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request location permissions.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2793d721-df10-4621-8387-f3342def59a1.json b/mobile-attack/relationship/relationship--2793d721-df10-4621-8387-f3342def59a1.json index d0b062e5b5..f4caca8e82 100644 --- a/mobile-attack/relationship/relationship--2793d721-df10-4621-8387-f3342def59a1.json +++ b/mobile-attack/relationship/relationship--2793d721-df10-4621-8387-f3342def59a1.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7ffffa9e-cee9-4039-87c0-6b914f9f97cd", + "id": "bundle--d3c4df80-e48a-48c6-a1a3-e212028c56a6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--2793d721-df10-4621-8387-f3342def59a1", "created": "2022-03-30T18:14:36.786Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:35.525Z", "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. ", - "modified": "2022-03-30T18:14:36.786Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--279b016a-45c8-4961-88fa-48162e56c3fa.json b/mobile-attack/relationship/relationship--279b016a-45c8-4961-88fa-48162e56c3fa.json index cd3eb2c030..5698995da5 100644 --- a/mobile-attack/relationship/relationship--279b016a-45c8-4961-88fa-48162e56c3fa.json +++ b/mobile-attack/relationship/relationship--279b016a-45c8-4961-88fa-48162e56c3fa.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--2d4696be-c22c-46b8-bf63-b45750d82b6a", + "id": "bundle--83f0c987-6638-450d-b6eb-7110adeeec54", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--279b016a-45c8-4961-88fa-48162e56c3fa", "created": "2024-02-21T20:49:34.244Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T20:49:34.244Z", - "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card info, and Wi-Fi info.(Citation: lookout_bouldspy_0423)", + "modified": "2025-04-16T21:47:35.752Z", + "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card information, and Wi-Fi information.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea.json b/mobile-attack/relationship/relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea.json index c35aad5672..0934313edb 100644 --- a/mobile-attack/relationship/relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea.json +++ b/mobile-attack/relationship/relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--be8ba794-e46e-40de-8328-702f55c79383", + "id": "bundle--06b6b553-2048-4010-8af7-05bc4a1d5d3e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea", "type": "relationship", + "id": "relationship--27b8153c-130e-44a7-84a9-840f4c23e2ea", "created": "2020-07-15T20:20:59.377Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.377Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:35.955Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect all accounts stored on the device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c.json b/mobile-attack/relationship/relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c.json index 17e00a638b..c35fd5c3f7 100644 --- a/mobile-attack/relationship/relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c.json +++ b/mobile-attack/relationship/relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--db95af29-9daf-4a22-af7d-aa3cc315517c", + "id": "bundle--f0a3f93d-ac83-44d5-90f0-398ca49f6f0d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c", "type": "relationship", + "id": "relationship--27c8d474-f3f8-4a0e-a317-7e57b9de620c", "created": "2020-07-27T14:14:56.954Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", - "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", - "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], - "modified": "2020-08-10T22:18:20.777Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:36.152Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can obtain root access via a rooting trojan in its infection chain.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6.json b/mobile-attack/relationship/relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6.json index e4fda027e0..dd4d675473 100644 --- a/mobile-attack/relationship/relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6.json +++ b/mobile-attack/relationship/relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--e04f009a-3813-4aa6-b6ce-edf72ff63f72", + "id": "bundle--ac94a7f8-ddc6-4b2f-9f9f-21bbd2fb44ca", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--27f5dc22-6ab9-406f-9092-6cb610d777a6", "created": "2022-04-01T14:59:53.782Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:36.352Z", "description": "Device attestation can often detect jailbroken devices.", - "modified": "2022-04-01T14:59:53.782Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a.json b/mobile-attack/relationship/relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a.json index c3cfa2ff1f..36513030b9 100644 
--- a/mobile-attack/relationship/relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a.json +++ b/mobile-attack/relationship/relationship--280aa15d-c7ff-4005-9861-9fc5c3bfe95a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--26cc3797-793c-47cb-a793-6a9e4a843173", + "id": "bundle--18633c3f-bad3-48c9-9d04-8c342e7d79f0", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:22:26.702Z", + "modified": "2025-04-16T21:47:36.551Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can run commands as root.(Citation: Palo Alto HenBox) ", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2.json b/mobile-attack/relationship/relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2.json index 9c4d27f420..4246f586db 100644 --- a/mobile-attack/relationship/relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2.json +++ b/mobile-attack/relationship/relationship--2836dc3d-cbea-493b-af31-5f1fa8279ec2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4bc017ae-cdbe-4ee1-97d2-399c8305480d", + "id": "bundle--71f0d7ae-e8cb-4b8f-8a1a-f31eedc36a91", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:00:28.299Z", + "modified": "2025-04-16T21:47:36.762Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) communicates with the C2 by sending JSON objects over unencrypted HTTP requests.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--289f5e23-088a-4840-a2a6-bab30da2a64b.json b/mobile-attack/relationship/relationship--289f5e23-088a-4840-a2a6-bab30da2a64b.json index 77158ee81f..f71201c37c 100644 --- a/mobile-attack/relationship/relationship--289f5e23-088a-4840-a2a6-bab30da2a64b.json +++ b/mobile-attack/relationship/relationship--289f5e23-088a-4840-a2a6-bab30da2a64b.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--7a7010bf-bb28-469b-806f-9763ed5da588", + "id": "bundle--0027830a-1c93-4917-8002-f39096e99082", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--289f5e23-088a-4840-a2a6-bab30da2a64b", "created": "2022-04-01T16:51:04.584Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "GoogleIO2016", - "url": "https://www.youtube.com/watch?v=XZzLjllizYs", - "description": "Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). Retrieved December 9, 2016." + "description": "Adrian Ludwig. (2016, May 19). What's new in Android security (M and N Version). Retrieved December 9, 2016.", + "url": "https://www.youtube.com/watch?v=XZzLjllizYs" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:36.985Z", "description": "Changes were introduced in Android 7 to make abuse of device administrator permissions more difficult.(Citation: GoogleIO2016)", - "modified": "2022-04-01T16:51:04.584Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad.json b/mobile-attack/relationship/relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad.json index 6a76d20d21..51e70b0b19 100644 --- a/mobile-attack/relationship/relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad.json +++ b/mobile-attack/relationship/relationship--2908f0f6-2408-41a1-aaab-cf3e7db06aad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa9c56a0-ecbd-45b9-ab1e-314f69cdf6d3", + "id": "bundle--a79be0cb-2185-4415-a42d-6aee60c759f0", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:26:16.282Z", + "modified": "2025-04-16T21:47:37.218Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploits to root devices and install additional malware on the system partition.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--290a627d-172d-494d-a0cc-685f480a1034.json b/mobile-attack/relationship/relationship--290a627d-172d-494d-a0cc-685f480a1034.json index 489fadd8c5..6881532b5a 100644 --- a/mobile-attack/relationship/relationship--290a627d-172d-494d-a0cc-685f480a1034.json +++ b/mobile-attack/relationship/relationship--290a627d-172d-494d-a0cc-685f480a1034.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--46177ec5-a2d7-4f05-a5e9-161cf49ff0d5", + "id": "bundle--4a114035-d31d-4ec2-b162-d3233974cc3a", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T16:16:09.250Z", + "modified": "2025-04-16T21:47:37.420Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects call logs.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15.json b/mobile-attack/relationship/relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15.json index e55796996a..b935333b89 100644 --- a/mobile-attack/relationship/relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15.json +++ b/mobile-attack/relationship/relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15.json 
@@ -1,23 +1,23 @@ { "type": "bundle", - "id": "bundle--409656e8-4d68-4d92-a105-cf5a9a2461cc", + "id": "bundle--b7ca3e64-1cfa-46d7-a674-17db8b70cf65", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15", + "created": "2021-09-24T14:47:34.447Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--290c9d3f-f59b-4e2b-9b7b-115014845c15", - "type": "relationship", - "created": "2021-09-24T14:47:34.447Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-04T20:08:48.439Z", + "modified": "2025-04-16T21:47:37.618Z", "description": "Device attestation can often detect rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--29357289-362c-447c-b387-9a38b50d7296.json b/mobile-attack/relationship/relationship--29357289-362c-447c-b387-9a38b50d7296.json index c58a839511..a03ecdfe50 100644 --- a/mobile-attack/relationship/relationship--29357289-362c-447c-b387-9a38b50d7296.json +++ b/mobile-attack/relationship/relationship--29357289-362c-447c-b387-9a38b50d7296.json 
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--d251f60e-41fe-41fc-8bbf-b8e8f5b1f94c", + "id": "bundle--ae893943-ee34-4b02-9c56-db1200eb6765", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--29357289-362c-447c-b387-9a38b50d7296", "created": "2022-04-15T17:20:06.338Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Google Bread", - "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", - "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" }, { "source_name": "Check Point-Joker", - "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/", - "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. Retrieved July 20, 2020." + "description": "Hazum, A., Melnykov, B., Wernik, I.. (2020, July 9). New Joker variant hits Google Play with an old trick. 
Retrieved July 20, 2020.", + "url": "https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:37.831Z", "description": "[Bread](https://attack.mitre.org/software/S0432) uses various tricks to obfuscate its strings including standard and custom encryption, programmatically building strings at runtime, and splitting unencrypted strings with repeated delimiters to break up keywords. [Bread](https://attack.mitre.org/software/S0432) has also abused Java and JavaScript features to obfuscate code. [Bread](https://attack.mitre.org/software/S0432) payloads have hidden code in native libraries and encrypted JAR files in the data section of an ELF file. [Bread](https://attack.mitre.org/software/S0432) has stored DEX payloads as base64-encoded strings in the Android manifest and internal Java classes.(Citation: Check Point-Joker)(Citation: Google Bread)", - "modified": "2022-04-15T17:20:06.338Z", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224.json b/mobile-attack/relationship/relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224.json index abd8943cb5..50ae266b51 100644 --- a/mobile-attack/relationship/relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224.json 
+++ b/mobile-attack/relationship/relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f428d1e7-ff64-4a82-be75-97f19325245d", + "id": "bundle--d532927a-d903-49a0-8845-c03efc2335e7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224", "type": "relationship", + "id": "relationship--295fab07-9f02-4504-9ae4-1a60c2e8c224", "created": "2019-09-03T20:08:00.670Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "source_name": "Talos Gustuff Apr 2019" + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], - "modified": "2019-10-10T15:19:47.960Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:38.047Z", "description": " [Gustuff](https://attack.mitre.org/software/S0406) can capture files and photos from the compromised device.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590.json b/mobile-attack/relationship/relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590.json index a19416fe8e..f4f4b302c7 100644 --- a/mobile-attack/relationship/relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590.json +++ b/mobile-attack/relationship/relationship--299931f0-4c60-4a9b-8a6a-4adb6362e590.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ed894a3-f05e-4a7b-89a4-63197b4567ba", + "id": "bundle--af390414-4be9-4e1d-b6c1-09140cc92340", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T16:57:05.633Z", + "modified": "2025-04-16T21:47:38.276Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can access and upload the contacts list to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2.json b/mobile-attack/relationship/relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2.json index 3d3df92c35..465b16fe47 100644 --- a/mobile-attack/relationship/relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2.json +++ b/mobile-attack/relationship/relationship--29dc105c-0b1b-4645-85ef-436c096bd3e2.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3fcd3f2d-6145-48fe-b38b-a507bd1d9089", + "id": "bundle--767c8b4d-1067-41c4-9557-96e82fd40e10", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:24:38.256Z", + "modified": "2025-04-16T21:47:38.476Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uploads incoming SMS messages to a remote command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce.json b/mobile-attack/relationship/relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce.json index ba82b7b6be..795085801e 100644 --- a/mobile-attack/relationship/relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce.json +++ b/mobile-attack/relationship/relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--92ce7247-443e-4f6f-b84e-fb4c90eac517", + "id": "bundle--6b10d492-9298-4be4-bce7-92de729656dd", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce", "type": "relationship", + "id": "relationship--2a1d27a5-8149-4a6c-bbb7-6db83ce3a7ce", "created": "2020-12-18T20:14:47.339Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "modified": "2020-12-18T20:14:47.339Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:38.691Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used timer events in React Native to initiate the foreground service.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2a472430-c30e-4877-8933-2e75f1de9a01.json b/mobile-attack/relationship/relationship--2a472430-c30e-4877-8933-2e75f1de9a01.json index ce09e1b1d6..6541ea4010 100644 --- a/mobile-attack/relationship/relationship--2a472430-c30e-4877-8933-2e75f1de9a01.json +++ b/mobile-attack/relationship/relationship--2a472430-c30e-4877-8933-2e75f1de9a01.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--591f9d20-c3d6-4519-8bbf-d72487dbfba9", + "id": "bundle--32925fb0-2dae-4346-8a7d-53ce58102546", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--2a472430-c30e-4877-8933-2e75f1de9a01", "created": "2022-03-30T14:00:45.120Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:38.892Z", "description": "", - "modified": "2022-03-30T14:00:45.120Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e083305c-49e7-4c87-aae8-9689213bffbe", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92.json b/mobile-attack/relationship/relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92.json index 3c9e4ce761..af5a06f296 100644 --- a/mobile-attack/relationship/relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92.json 
+++ b/mobile-attack/relationship/relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--de3cad82-3003-45a3-838e-ca3fb21a5dde", + "id": "bundle--0cc116a6-97bd-450c-bda9-997b9376e868", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--2a5d081f-ba41-4dbe-873b-34b0efee1d92", "created": "2024-02-21T21:08:13.038Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T21:08:13.038Z", + "modified": "2025-04-16T21:47:39.087Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device network configuration information such as IMSI, IMEI, and Wi-Fi connection state.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0.json b/mobile-attack/relationship/relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0.json index adfc08d406..778d530fab 100644 --- a/mobile-attack/relationship/relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0.json +++ b/mobile-attack/relationship/relationship--2a5f4f05-bd60-4571-bcce-f3b764a5b5a0.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa54dbba-dadf-4995-989c-1ff392256a3c", + "id": "bundle--ec789fa5-5672-42db-a786-f5c3bb511192", "spec_version": "2.0", "objects": [ { @@ -14,20 +14,24 @@ "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + }, + { + "source_name": "Europol FluBot Jun2022", + "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.", + "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:08:11.662Z", - "description": "[FluBot](https://attack.mitre.org/software/S1067) can retrieve the contacts list from an infected device.(Citation: proofpoint_flubot_0421)", + "modified": "2025-04-16T21:47:39.299Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) has used the contact list to infect more devices.(Citation: proofpoint_flubot_0421)(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
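Review bot: The rewritten `description` in the `@@ -14,20 +14,24 @@` hunk no longer states that FluBot reads the contact list. It only says the list was used to infect more devices, which describes propagation rather than collection. The relationship still targets `attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86`, the same target the Rotexy relationship in this patch uses for accessing and uploading the contacts list, so the target is presumably a contact-list collection technique (inferred from that sibling; the technique object itself is not shown here). Keeping the access step explicit would let the text stand on its own for anyone mapping detections from relationship descriptions, e.g. `has retrieved the contact list from an infected device and used it to infect more devices`. The new string also ends with a trailing space after the last citation.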
diff --git a/mobile-attack/relationship/relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a.json b/mobile-attack/relationship/relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a.json
new file mode 100644
index 0000000000..53bf4658cc
--- /dev/null
+++ b/mobile-attack/relationship/relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a.json
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--6c48ad83-e4f6-414f-ba72-ee9250fe36eb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2ac32eb8-ff7e-468a-8bbd-f5af82e0102a", + "created": "2025-03-24T20:13:08.333Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:39.505Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s KeyChain data.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2acc0c1a-af30-4410-976b-31148df5378d.json b/mobile-attack/relationship/relationship--2acc0c1a-af30-4410-976b-31148df5378d.json index 414d222054..ea3aa42870 100644 --- a/mobile-attack/relationship/relationship--2acc0c1a-af30-4410-976b-31148df5378d.json +++ b/mobile-attack/relationship/relationship--2acc0c1a-af30-4410-976b-31148df5378d.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--8df10c6e-230d-4b01-8b92-34c4d5bc4da3", + "id": "bundle--2c735a97-575b-4d3d-b115-5c162fd7f62c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--2acc0c1a-af30-4410-976b-31148df5378d", "created": "2022-03-28T19:39:42.538Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:39.720Z", "description": "", - "modified": "2022-03-28T19:39:42.538Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2ae97bcd-0481-415c-8337-12d3a30e6911.json b/mobile-attack/relationship/relationship--2ae97bcd-0481-415c-8337-12d3a30e6911.json index 2968a7bf05..11146d2112 100644 --- a/mobile-attack/relationship/relationship--2ae97bcd-0481-415c-8337-12d3a30e6911.json +++ b/mobile-attack/relationship/relationship--2ae97bcd-0481-415c-8337-12d3a30e6911.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--31c3f8ce-5971-4867-9be3-f6327f63ec98", + "id": "bundle--b4c0c9f4-dfc8-487e-b072-d364f3181cd8", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--2ae97bcd-0481-415c-8337-12d3a30e6911", "created": "2024-02-20T23:58:31.474Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Wandera-RedDrop", - "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", - "url": "https://www.wandera.com/reddrop-malware/" + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:58:31.474Z", + "modified": "2025-04-16T21:47:39.927Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2af26be3-f910-4700-ab14-9d14532601cc.json b/mobile-attack/relationship/relationship--2af26be3-f910-4700-ab14-9d14532601cc.json index c82174e8da..0ac9857998 100644 --- a/mobile-attack/relationship/relationship--2af26be3-f910-4700-ab14-9d14532601cc.json +++ b/mobile-attack/relationship/relationship--2af26be3-f910-4700-ab14-9d14532601cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--17877a22-2d7c-4985-a847-db502c62b972", + "id": "bundle--4a079a86-98db-45f2-bc3a-a90c2e82ff7e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:25:51.814Z", + "modified": "2025-04-16T21:47:40.142Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access the device\u2019s call log.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7.json b/mobile-attack/relationship/relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7.json index 5a9b2cfad2..b19fd425da 100644 --- a/mobile-attack/relationship/relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7.json +++ b/mobile-attack/relationship/relationship--2b065fcf-7ed1-4f88-8910-2eb46bde9ab7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9bd4798-517c-4b4f-bc10-cdac9a4d0db8", + "id": "bundle--3eab1198-f2c7-4a07-9c91-f9f6f9c41a21", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:52:35.805Z", + "modified": "2025-04-16T21:47:40.386Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can send stolen data back to the C2 server.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7.json b/mobile-attack/relationship/relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7.json index 8df94a6349..d6b6afe70e 100644 --- a/mobile-attack/relationship/relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7.json +++ b/mobile-attack/relationship/relationship--2b0f4c1d-8d99-4e80-8555-d9a454d5cab7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c74b440b-3392-40c6-8c28-1712610cfb3e", + "id": "bundle--d46b5240-ae2e-4066-84aa-9205807580e9", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T16:44:31.916Z", + "modified": "2025-04-16T21:47:40.646Z", "description": "Application vetting services could look for the Android permission `android.permission.QUERY_ALL_PACKAGES`, and apply extra scrutiny to applications that request it. On iOS, application vetting services could look for usage of the private API `LSApplicationWorkspace` and apply extra scrutiny to applications that employ it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22.json b/mobile-attack/relationship/relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22.json index 46a67536d6..03d610f944 100644 --- a/mobile-attack/relationship/relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22.json +++ b/mobile-attack/relationship/relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--26c904d4-28b7-4f4c-9c4f-342348f0ab09", + "id": "bundle--e136f582-f6ac-4a22-b51b-fc3921a7a04b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--2b9a3dc1-5842-458a-97ed-3a1339d10c22", "created": "2024-03-26T19:04:29.823Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T19:04:29.823Z", + "modified": "2025-04-16T21:47:40.847Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can read SMS messages.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
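Review bot: The rewritten `url` for the `fb_arid_viper` reference in this hunk has a single slash after the embedded scheme (`.../web/20231126111812/https:/about.fb.com/...`), where the removed line had `https://about.fb.com/...`. The same collapse appears in the `checkpoint_hamas_android_malware` reference in relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57.json (`.../web/20240226125457/https:/research.checkpoint.com/...`). The archive may still resolve this form, but a consumer that validates reference URLs or extracts the original URL from the snapshot path will see a malformed value. It looks like path normalisation in the export step, which is an inference from the two changed lines. I would keep the earlier value, `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`, and restore the double slash in the other file as well.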
diff --git a/mobile-attack/relationship/relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9.json b/mobile-attack/relationship/relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9.json index 54515f4487..e5d05c602c 100644 --- a/mobile-attack/relationship/relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9.json +++ b/mobile-attack/relationship/relationship--2bbd620d-6deb-4f81-a95b-98a7a74878e9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2626d978-93fc-4b13-bc07-2f5db2e45b9b", + "id": "bundle--462b2dc3-cc04-49ec-bc99-2567ba86e153", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T17:20:06.469Z", + "modified": "2025-04-16T21:47:41.067Z", "description": "Network traffic analysis could reveal patterns of compromise if devices attempt to access unusual targets or resources. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16.json b/mobile-attack/relationship/relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16.json index a8ba11bcc0..e46cb46ea7 100644 --- a/mobile-attack/relationship/relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16.json +++ b/mobile-attack/relationship/relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ad8ccda6-df65-4067-9ebe-2e9439214560", + "id": "bundle--0f3e36d6-d661-4807-8f23-5989660592c5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16", "type": "relationship", + "id": "relationship--2be3d0a4-2e24-4d04-859e-37d24835ff16", "created": "2021-02-17T20:43:52.420Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], - "modified": "2021-02-17T20:43:52.420Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:41.267Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved device images for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc.json b/mobile-attack/relationship/relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc.json index 7fdd59d829..8ab97f1989 100644 --- a/mobile-attack/relationship/relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc.json +++ b/mobile-attack/relationship/relationship--2bedbf86-2ef0-45bf-950d-b9d072c03bdc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e8e25e7d-137b-4b5c-b588-b628949a4343", + "id": "bundle--4c17dbc9-f40a-4946-b684-c9fe30df3e76", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:37:02.853Z", + "modified": "2025-04-16T21:47:41.465Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole call logs.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1.json b/mobile-attack/relationship/relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1.json index 2038551cc2..9f53bcdd5a 100644 --- a/mobile-attack/relationship/relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1.json +++ b/mobile-attack/relationship/relationship--2c5b36b4-5381-4d9e-9ce5-cd7cd19041b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bf6bee95-35ef-4e35-94bb-2caeba951f54", + "id": "bundle--527896d3-279e-4443-b83f-f2104ccc4872", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:35:47.258Z", + "modified": "2025-04-16T21:47:41.690Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete files from the device.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd.json b/mobile-attack/relationship/relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd.json index 2caf56cf9b..60e8135521 100644 --- a/mobile-attack/relationship/relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd.json +++ b/mobile-attack/relationship/relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--9d65ba44-a777-4971-a9ab-e1062e4007cd", + "id": "bundle--c762af62-6586-45d5-9ac3-6f2c282915f9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd", "type": "relationship", + "id": "relationship--2c9ad579-0c29-4f2a-80f3-242dc6b0bafd", "created": "2020-09-11T14:54:16.644Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2020-09-11T14:54:16.644Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:41.899Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can list files stored on external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57.json b/mobile-attack/relationship/relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57.json index 92ebd7f33c..a27d905874 100644 --- a/mobile-attack/relationship/relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57.json +++ b/mobile-attack/relationship/relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--6bf0a909-94d7-47c1-9c3b-c74b3c1a9875", + "id": "bundle--c4159a36-4848-4b3d-80d5-294dffe8cd06", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--2ca6ff09-827d-4e2e-a60d-daa30f113b57", "created": "2024-03-26T18:41:48.583Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "checkpoint_hamas_android_malware", - "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" + "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T18:41:48.583Z", + "modified": "2025-04-16T21:47:42.099Z", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) can collect the victim\u2019s phone number, device information, IMSI, etc.(Citation: checkpoint_hamas_android_malware) ", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No 
newline at end of file diff --git a/mobile-attack/relationship/relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6.json b/mobile-attack/relationship/relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6.json index 9d4f9f5711..70b5a0f5f1 100644 --- a/mobile-attack/relationship/relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6.json +++ b/mobile-attack/relationship/relationship--2caddf52-2bc2-4f75-90bb-0f292952ada6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b4b33a4-48b4-4d29-b807-bb3264e09050", + "id": "bundle--6ceb74e9-147e-4835-b333-8fb349673dc4", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:13:32.345Z", + "modified": "2025-04-16T21:47:42.315Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can utilize WebViews to display fake authentication pages that capture user credentials.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07.json b/mobile-attack/relationship/relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07.json index 26efef4542..605c3a6378 100644 --- a/mobile-attack/relationship/relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07.json +++ b/mobile-attack/relationship/relationship--2cb834dd-d7cf-46f3-a19b-bdbfb5bfee07.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca6d1420-7780-4781-8cb9-a8b91f2e6457", + "id": "bundle--bddd8ee8-d682-4ea7-bde0-78c90121def4", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:02:50.786Z", + "modified": "2025-04-16T21:47:42.533Z", "description": "The user can see persistent notifications in their notification drawer and can subsequently uninstall applications that do not belong.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2cdd5474-620c-499e-8b9c-835505febc2c.json b/mobile-attack/relationship/relationship--2cdd5474-620c-499e-8b9c-835505febc2c.json index 03251f5a99..1fb8661ec1 100644 --- a/mobile-attack/relationship/relationship--2cdd5474-620c-499e-8b9c-835505febc2c.json +++ b/mobile-attack/relationship/relationship--2cdd5474-620c-499e-8b9c-835505febc2c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--66c79eed-ee1b-430b-8a7d-bc038c561627", + "id": "bundle--9867e7ce-ad36-4a8d-b189-ae7ec79fc025", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:00:45.438Z", + "modified": "2025-04-16T21:47:42.754Z", "description": "[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--d89c132d-7752-4c7f-9372-954a71522985", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f.json b/mobile-attack/relationship/relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f.json index 51100437ec..d50114bc81 100644 --- a/mobile-attack/relationship/relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f.json +++ b/mobile-attack/relationship/relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--74277f2c-4f2b-40fc-8387-a3bad527b629", + "id": "bundle--207b06f4-e1cc-4de4-a12a-0838d56f1302", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--2ce1e63a-2e9b-4cac-9469-3fb78bf4640f", "created": "2023-08-16T16:38:15.526Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:38:15.527Z", + "modified": "2025-04-16T21:47:42.965Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can perform system checks to verify if the device is rooted or has ADB enabled and can avoid execution if found.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b.json b/mobile-attack/relationship/relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b.json index 2ee9c38b5c..0005fd5395 100644 --- a/mobile-attack/relationship/relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b.json +++ b/mobile-attack/relationship/relationship--2d1b46d5-cc2e-4312-adf2-43fb130a506b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--49fab557-10fa-4a09-a7e9-0ff660249673", + "id": "bundle--011c8b4d-4743-4251-82ee-1462f0b044c0", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:22:40.300Z", + "modified": "2025-04-16T21:47:43.165Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) can run arbitrary shell commands.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2d3198ff-a481-47ec-ae64-13d7be706929.json b/mobile-attack/relationship/relationship--2d3198ff-a481-47ec-ae64-13d7be706929.json index 7fef642637..6374f903ad 100644 --- a/mobile-attack/relationship/relationship--2d3198ff-a481-47ec-ae64-13d7be706929.json +++ b/mobile-attack/relationship/relationship--2d3198ff-a481-47ec-ae64-13d7be706929.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--92e33524-dd79-4bd9-b62e-45152155fcfb", + "id": "bundle--75122d13-943d-4229-b3bc-fddfdd298417", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--2d3198ff-a481-47ec-ae64-13d7be706929", "created": "2023-02-28T21:41:47.503Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-28T21:41:47.503Z", + "modified": "2025-04-16T21:47:43.373Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record video from the device camera.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c.json b/mobile-attack/relationship/relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c.json index 2f7753a20e..25bdf3474a 100644 --- a/mobile-attack/relationship/relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c.json +++ b/mobile-attack/relationship/relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--6a95d762-79ef-4e07-bb76-01fc284cdf72", + "id": "bundle--7593ee30-61fc-4cfe-af9a-4474472cc08d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c", "type": "relationship", + "id": "relationship--2de76a24-ec87-4808-b0d3-b84d318ac22c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:43.571Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) can read and write data in the user\u2019s clipboard.(Citation: PaloAlto-XcodeGhost)", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2e08820f-a81d-480e-9e60-f14db3e49080.json b/mobile-attack/relationship/relationship--2e08820f-a81d-480e-9e60-f14db3e49080.json index e5b117129e..c514477808 100644 --- a/mobile-attack/relationship/relationship--2e08820f-a81d-480e-9e60-f14db3e49080.json +++ b/mobile-attack/relationship/relationship--2e08820f-a81d-480e-9e60-f14db3e49080.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c2296b45-2285-4b78-905a-e3753cda1f58", + "id": "bundle--e97dd452-8032-497f-91c0-34365f8e53be", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2e08820f-a81d-480e-9e60-f14db3e49080", "type": "relationship", + "id": "relationship--2e08820f-a81d-480e-9e60-f14db3e49080", "created": "2019-09-04T14:28:15.909Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2019-09-04T14:32:12.568Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:43.810Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can take photos and videos.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8.json b/mobile-attack/relationship/relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8.json index 2f1a38f99b..34813b2ede 100644 
--- a/mobile-attack/relationship/relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8.json +++ b/mobile-attack/relationship/relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0b69a938-1738-4868-9920-cda0b95ffa90", + "id": "bundle--b2e79b29-3ff5-4624-bac3-12df34704766", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8", "type": "relationship", + "id": "relationship--2e2d1ffa-f6df-4d3c-b99b-f7b8baff53e8", "created": "2019-09-04T15:38:56.994Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", - "url": "https://www.flexispy.com/en/features-overview.htm", - "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", + "url": "https://www.flexispy.com/en/features-overview.htm" } ], - "modified": "2019-09-10T14:59:26.171Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:44.008Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can take screenshots of other applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1.json b/mobile-attack/relationship/relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1.json index 0f8b00b888..3dcf0d8da7 100644 --- a/mobile-attack/relationship/relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1.json +++ b/mobile-attack/relationship/relationship--2e3a5d0d-a80a-4606-8be2-208302e995d1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3730174f-2fed-4951-98f7-5ea61ba40df7", + "id": "bundle--0abc4d21-bc1e-4157-bb04-034debafcc34", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:16:17.615Z", + "modified": "2025-04-16T21:47:44.220Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has attempted to trick users into enabling installation of applications from unknown sources.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010.json b/mobile-attack/relationship/relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010.json index 8c8385cfeb..08695ae6a1 100644 --- a/mobile-attack/relationship/relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010.json +++ b/mobile-attack/relationship/relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--d8559706-ea82-48bb-9465-57d6a048be87", + "id": "bundle--6b7576f3-aab1-4e36-baf8-7576ef78ea7c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--2e55d0cf-afe6-41f1-8ad3-0d1a910ad010", "created": "2023-12-18T18:08:09.656Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -23,16 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:08:09.656Z", + "modified": "2025-04-16T21:47:44.433Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can capture and send real-time screen output.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e.json b/mobile-attack/relationship/relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e.json index d80a3afbb7..f95f7df698 100644 --- a/mobile-attack/relationship/relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e.json +++ b/mobile-attack/relationship/relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a23db027-441f-4c2a-a909-66fa2b3ff601", + "id": "bundle--cd8efd95-0ef6-4361-86c8-b29edd0c5b20", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e", "type": "relationship", + "id": "relationship--2e59d381-eac6-41c6-a5e6-f9617c10259e", "created": "2020-06-02T14:32:31.888Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", - "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", - "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020.", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], - "modified": "2020-06-02T14:32:31.888Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:44.649Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) obfuscates various pieces of information within the application.(Citation: Volexity Insomnia) ", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3.json b/mobile-attack/relationship/relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3.json index aac8e88e89..9746183445 100644 --- a/mobile-attack/relationship/relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3.json +++ b/mobile-attack/relationship/relationship--2e6d507e-afbb-4fa5-b459-2b060ab52db3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--26f4595b-186d-430c-b150-b146bc63e02f", + "id": "bundle--08c5a2e0-cc02-4c6a-ac32-19ca2a8b874a", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:50:29.535Z", + "modified": "2025-04-16T21:47:44.858Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) checks whether its call stack has been modified, an indication that it is running in an analysis environment, and if so, does not decrypt its obfuscated strings(Citation: WhiteOps TERRACOTTA).", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0.json b/mobile-attack/relationship/relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0.json index 0e71bb263c..64f422275f 100644 --- a/mobile-attack/relationship/relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0.json +++ b/mobile-attack/relationship/relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--52418232-3980-4732-91d3-e28835ae2a19", + "id": "bundle--be37105b-04da-4eb7-a4e0-58601ee537d6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--2e797961-356f-4763-bdb2-0ebc2ad4c8b0", "created": "2019-09-04T20:01:42.722Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. ", - "modified": "2022-04-01T13:32:19.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:45.076Z", + "description": "Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2e7f8995-93ae-41bb-9baf-53178341d93e.json b/mobile-attack/relationship/relationship--2e7f8995-93ae-41bb-9baf-53178341d93e.json index 616966945b..41728fc0ab 100644 --- a/mobile-attack/relationship/relationship--2e7f8995-93ae-41bb-9baf-53178341d93e.json +++ b/mobile-attack/relationship/relationship--2e7f8995-93ae-41bb-9baf-53178341d93e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43b8ff0b-ad5d-4148-923f-c7668799c660", + "id": "bundle--409f28bd-0b99-4168-a72a-1008493d344e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:06:00.885Z", + "modified": "2025-04-16T21:47:45.304Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has deployed anti-analysis capabilities during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2e826926-fd5b-407c-adbc-e998058728d3.json b/mobile-attack/relationship/relationship--2e826926-fd5b-407c-adbc-e998058728d3.json index 831a2e4345..0ca71910c1 100644 --- a/mobile-attack/relationship/relationship--2e826926-fd5b-407c-adbc-e998058728d3.json +++ b/mobile-attack/relationship/relationship--2e826926-fd5b-407c-adbc-e998058728d3.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c55836f3-da5c-41e4-8c76-9069e4faa8a6", + "id": "bundle--dab84c4b-d4a0-41b9-bd74-6af7f9c60eab", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2e826926-fd5b-407c-adbc-e998058728d3", "type": "relationship", + "id": "relationship--2e826926-fd5b-407c-adbc-e998058728d3", "created": "2019-09-04T15:38:56.786Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", - "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", - "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], - "modified": "2019-09-10T14:59:26.139Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:45.506Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record both incoming and outgoing phone calls, as well as microphone audio.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2e913583-123a-47af-8872-98fc12ab4a6a.json b/mobile-attack/relationship/relationship--2e913583-123a-47af-8872-98fc12ab4a6a.json index 13d0927259..cbacb4d836 100644 
--- a/mobile-attack/relationship/relationship--2e913583-123a-47af-8872-98fc12ab4a6a.json +++ b/mobile-attack/relationship/relationship--2e913583-123a-47af-8872-98fc12ab4a6a.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--15b056e8-059e-4df7-8ff6-0f1d7f65834f", + "id": "bundle--55f14477-cdfd-4b26-8eb7-505f65583e09", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2e913583-123a-47af-8872-98fc12ab4a6a", "type": "relationship", + "id": "relationship--2e913583-123a-47af-8872-98fc12ab4a6a", "created": "2020-11-24T17:55:12.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", - "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", - "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], - "modified": "2020-11-24T17:55:12.846Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:45.715Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can send SMS messages.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055.json b/mobile-attack/relationship/relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055.json index 1cbca6eb49..8555224741 100644 --- a/mobile-attack/relationship/relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055.json +++ b/mobile-attack/relationship/relationship--2ebd5c4c-af03-4874-a6fd-1e58d51cc055.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0eacf423-d55f-4db1-99e2-573e3b8ededf", + "id": "bundle--a48469fe-bfc4-4dc2-bc7b-4124dcc3e997", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:28:20.439Z", + "modified": "2025-04-16T21:47:45.926Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect SMS messages.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76.json b/mobile-attack/relationship/relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76.json index db947a8545..332131fed8 100644 --- a/mobile-attack/relationship/relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76.json +++ b/mobile-attack/relationship/relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--fc1b5256-216b-4002-82b0-27610f62f020", + "id": "bundle--d3ffc0a4-13ce-42f2-b74c-6fa301301969", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--2f1e5d77-0054-4f8a-8e01-7c0318278a76", "created": "2019-10-18T14:50:57.472Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Security updates frequently contain patches for known exploits.", - "modified": "2022-03-25T14:12:54.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:46.131Z", + "description": "Security updates frequently contain patches for known exploits.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349.json b/mobile-attack/relationship/relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349.json new file mode 100644 index 0000000000..bbbca14415 --- /dev/null +++ b/mobile-attack/relationship/relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--798c0c90-a59c-4c03-8bd0-941765eee232", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--2f2ae4a3-1ed9-4c90-86dc-d12c3a860349", + "created": "2025-03-24T17:58:36.182Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:46.369Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has compromised iPhones running iOS 12.1 and 12.2 without any user interaction.(Citation: Shoshin_Kaspersky LightSpy 2020) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2f41ab75-3490-4642-8111-9d4d43b88df7.json b/mobile-attack/relationship/relationship--2f41ab75-3490-4642-8111-9d4d43b88df7.json index 0848cb773d..d06502742c 100644 --- a/mobile-attack/relationship/relationship--2f41ab75-3490-4642-8111-9d4d43b88df7.json +++ b/mobile-attack/relationship/relationship--2f41ab75-3490-4642-8111-9d4d43b88df7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--db9b0849-2558-4786-9073-ebdb81419392", + "id": "bundle--3d7c39d2-6023-4d13-bb31-aa9b9cdc6e4b", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T20:40:40.079Z", + "modified": "2025-04-16T21:47:46.575Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can take screenshots and abuse accessibility services to scrape BlackBerry Messenger and WhatsApp messages, contacts, and notifications(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2f55e452-f8b3-402b-a193-d261dac9f327.json b/mobile-attack/relationship/relationship--2f55e452-f8b3-402b-a193-d261dac9f327.json index 26894485f3..df2c81a424 100644 --- a/mobile-attack/relationship/relationship--2f55e452-f8b3-402b-a193-d261dac9f327.json +++ b/mobile-attack/relationship/relationship--2f55e452-f8b3-402b-a193-d261dac9f327.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7c27ab10-d9f5-4d96-be86-e9f2da4ea6c1", + "id": "bundle--ee868e65-0e19-480c-908a-408a4ef6cf64", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--2f55e452-f8b3-402b-a193-d261dac9f327", "created": "2022-04-01T18:53:48.715Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:46.799Z", "description": "", - "modified": "2022-04-01T18:53:48.715Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3.json b/mobile-attack/relationship/relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3.json index 2a3689acd4..70322d3516 100644 --- a/mobile-attack/relationship/relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3.json +++ b/mobile-attack/relationship/relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--08120325-7661-4ea9-aaba-4c11f2ac0203", + "id": "bundle--ebdc9ca5-5cf0-49a5-ab7f-d9292deaec52", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3", "type": "relationship", + "id": "relationship--2f8b5252-551c-4a0d-8e72-8da4050757f3", "created": "2021-04-19T14:29:46.530Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2021-04-19T14:29:46.530Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:46.994Z", "description": " [SilkBean](https://attack.mitre.org/software/S0549) can send SMS messages.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7.json b/mobile-attack/relationship/relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7.json index e4f22990dd..3130cdc470 100644 --- a/mobile-attack/relationship/relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7.json +++ b/mobile-attack/relationship/relationship--2f9b95b2-0ef4-40b8-a230-86f273000dc7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d74c4cb-9175-4aee-89cd-cc57184fd772", + "id": "bundle--206f0e23-b7f8-4bc0-8281-54c87e23c8af", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:34:52.478Z", + "modified": "2025-04-16T21:47:47.221Z", "description": "The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865.json b/mobile-attack/relationship/relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865.json index b568abb270..73bff09fa3 100644 --- a/mobile-attack/relationship/relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865.json +++ b/mobile-attack/relationship/relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--4f77126e-bbc8-4bf5-adb5-59588eda158f", + "id": "bundle--e3209bf7-ef20-4a91-89d4-19d40f1d13f0", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--2f9c31d2-2e6c-4e95-9058-c9a8def46865", "created": "2023-09-28T17:21:02.298Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:21:02.298Z", + "modified": "2025-04-16T21:47:47.418Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can take photos using the device cameras.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2.json b/mobile-attack/relationship/relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2.json index bb19ca905c..8d73a15719 100644 --- a/mobile-attack/relationship/relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2.json +++ b/mobile-attack/relationship/relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--c425ac9a-668a-4423-92ee-f5e9f8bf4fe2", + "id": "bundle--1d18a060-59e0-4c0b-ac3e-9e99bb419e41", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--2fcc6291-9a68-45c2-a5c5-94b1973ed3d2", "created": "2022-04-01T13:27:29.919Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:47.620Z", "description": "", - "modified": "2022-04-01T13:27:29.920Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e8b4e1ec-8e3b-484c-9038-4459b1ed8060", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386.json b/mobile-attack/relationship/relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386.json index ff2cfba07d..6ac654d34f 100644 --- a/mobile-attack/relationship/relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386.json +++ b/mobile-attack/relationship/relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--fd6a59aa-ae84-4987-8dd6-c7a2f5dc0366", + "id": "bundle--ac963505-a069-4d19-9ee8-0c6c62e1615f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--2fdcc49e-1875-4618-b3c5-c0ecfab97386", "created": "2023-08-04T19:02:39.950Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T19:02:39.950Z", + "modified": "2025-04-16T21:47:47.816Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--300c824d-5586-411b-b274-8941a99a98fb.json b/mobile-attack/relationship/relationship--300c824d-5586-411b-b274-8941a99a98fb.json index 321bac42ec..b39d904b43 100644 --- a/mobile-attack/relationship/relationship--300c824d-5586-411b-b274-8941a99a98fb.json +++ b/mobile-attack/relationship/relationship--300c824d-5586-411b-b274-8941a99a98fb.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--f275ec97-d842-4ff7-92c3-9c4ef0444f50", + "id": "bundle--f0570d12-3b04-4f2d-865b-843fbb8e8f12", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--300c824d-5586-411b-b274-8941a99a98fb", "created": "2022-03-30T14:06:01.859Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:48.013Z", "description": "Device attestation can often detect jailbroken or rooted devices.", - "modified": "2022-03-30T14:06:01.859Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96.json b/mobile-attack/relationship/relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96.json index 31f954bd74..a01bb73af3 100644 --- a/mobile-attack/relationship/relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96.json +++ b/mobile-attack/relationship/relationship--3020bb16-fb1f-46f9-9e1c-3b3317af6b96.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4292256-559d-4a99-8475-97954cf94aa2", + "id": "bundle--db0eaed8-46ff-4089-8988-f56ca4b115da", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:30:47.733Z", + "modified": "2025-04-16T21:47:48.220Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect file lists on the victim device.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa.json b/mobile-attack/relationship/relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa.json index e1fd6dd2f8..34deffc928 100644 --- a/mobile-attack/relationship/relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa.json +++ b/mobile-attack/relationship/relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--39b38d6b-f4df-451c-8417-cbf637aae1d5", + "id": "bundle--eacaade9-cb13-4391-b8b1-40f9995559f3", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3057267c-fdd5-41d8-a9d8-76c0a87b28fa", "created": "2023-08-07T17:12:44.013Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T17:12:44.013Z", + "modified": "2025-04-16T21:47:48.434Z", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761.json b/mobile-attack/relationship/relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761.json index 23928abdc8..5d944c243b 100644 --- a/mobile-attack/relationship/relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761.json +++ b/mobile-attack/relationship/relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b132093c-4bb7-4af7-b28c-ebe99894dacc", + "id": "bundle--031c64dc-4088-4484-9193-e911836691ad", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--30990c1a-ed7d-4552-a1aa-c5934ffa5761", "created": "2023-12-05T22:17:17.084Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-05T22:17:17.084Z", + "modified": "2025-04-16T21:47:48.660Z", "description": "Security updates frequently contain patches for known software vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--30ab9ce7-5369-402a-94ee-f8452642acb9.json b/mobile-attack/relationship/relationship--30ab9ce7-5369-402a-94ee-f8452642acb9.json index f1340e1d79..8ad907e706 100644 --- a/mobile-attack/relationship/relationship--30ab9ce7-5369-402a-94ee-f8452642acb9.json +++ b/mobile-attack/relationship/relationship--30ab9ce7-5369-402a-94ee-f8452642acb9.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--8016300e-5906-4399-8761-19ef4a25d67d", + "id": "bundle--ef533ac3-4a11-4246-bef3-3ac8d6552fae", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--30ab9ce7-5369-402a-94ee-f8452642acb9", "created": "2022-03-30T19:50:37.739Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:48.873Z", "description": "", - "modified": "2022-03-30T19:50:37.739Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8e27551a-5080-4148-a584-c64348212e4f", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546.json b/mobile-attack/relationship/relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546.json index 4a0545e4c3..1d8ef88b4f 100644 --- a/mobile-attack/relationship/relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546.json +++ b/mobile-attack/relationship/relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--db7d485a-dd66-41ca-b74d-312beba670a8", + "id": "bundle--89afd4bb-5260-4c71-b41a-3b28c1d2e019", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3115a062-e7d0-4eac-9d78-9a9c797e7546", "created": "2023-07-21T19:53:45.997Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:53:45.997Z", + "modified": "2025-04-16T21:47:49.081Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can request camera permissions.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff.json b/mobile-attack/relationship/relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff.json index 0f2a838d3c..81e74bb57c 100644 --- a/mobile-attack/relationship/relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff.json +++ b/mobile-attack/relationship/relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--779d2f90-4938-463c-bd2b-8d9786b5b020", + "id": "bundle--bdfe9deb-0dbd-46ad-bb31-502bc26cc488", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff", "type": "relationship", + "id": "relationship--312950f2-80d2-4941-bfce-b97b2cb7a1ff", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", - "source_name": "Lookout Dark Caracal Jan 2018" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-07-16T15:35:21.063Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:49.314Z", "description": "(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f.json b/mobile-attack/relationship/relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f.json index 8cffc17990..6868f7b1ea 100644 --- a/mobile-attack/relationship/relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f.json 
+++ b/mobile-attack/relationship/relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f.json 
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--c21779bb-993e-4da5-9d44-3c43e5910bb0", + "id": "bundle--c743dfd3-3111-4b49-ab81-a0b55ddb6db1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--31330d32-50c8-4499-91fb-e1dcffa9ea8f", "created": "2022-03-30T18:14:04.881Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Symantec-iOSProfile2", - "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles", - "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018." + "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018.", + "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles" }, { "source_name": "Android-TrustedCA", - "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html", - "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018." + "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018.", + "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:49.513Z", "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. 
iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", - "modified": "2022-03-30T18:14:04.881Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--319d46b5-de41-4f23-9001-2fa75f954720.json b/mobile-attack/relationship/relationship--319d46b5-de41-4f23-9001-2fa75f954720.json index f5b919b679..3a8a898d49 100644 --- a/mobile-attack/relationship/relationship--319d46b5-de41-4f23-9001-2fa75f954720.json +++ b/mobile-attack/relationship/relationship--319d46b5-de41-4f23-9001-2fa75f954720.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1769c39a-8a96-4b2b-8708-7f30fe539c84", + "id": "bundle--1e8a0249-2596-473f-9203-4df21cf028e3", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:01:14.020Z", + "modified": "2025-04-16T21:47:49.730Z", "description": "[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--a1867c56-8c86-455a-96ad-b0d5f7e2bc17", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--322d0123-ea4c-4562-a718-672952c83d05.json b/mobile-attack/relationship/relationship--322d0123-ea4c-4562-a718-672952c83d05.json index a8a536046c..65bc87625a 100644 --- a/mobile-attack/relationship/relationship--322d0123-ea4c-4562-a718-672952c83d05.json +++ b/mobile-attack/relationship/relationship--322d0123-ea4c-4562-a718-672952c83d05.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d1009de-6834-4820-babb-c580e7bf2529", + "id": "bundle--24cccf9f-25f4-44f5-b040-5ac92404cd6b", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:35:51.271Z", + "modified": "2025-04-16T21:47:49.939Z", "description": "Application vetting services could look for misuse of dynamic libraries.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3230c032-17e0-49f7-b948-c157049aafe2.json b/mobile-attack/relationship/relationship--3230c032-17e0-49f7-b948-c157049aafe2.json index fdadd52c48..68f2b96623 100644 --- a/mobile-attack/relationship/relationship--3230c032-17e0-49f7-b948-c157049aafe2.json +++ b/mobile-attack/relationship/relationship--3230c032-17e0-49f7-b948-c157049aafe2.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--3c1d24d4-7376-46f0-bd02-f835f2922b82", + "id": "bundle--54293a53-0a2a-4db1-a7de-02a7a648fe0a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--3230c032-17e0-49f7-b948-c157049aafe2", "created": "2017-10-25T14:48:53.742Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Users should ensure bootloaders are locked to prevent arbitrary operating system code from being flashed onto the device.", - "modified": "2022-04-01T15:34:50.556Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:50.156Z", + "description": "Users should ensure bootloaders are locked to prevent arbitrary operating system code from being flashed onto the device.", "relationship_type": "mitigates", "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3272111a-f31d-47d5-a266-1749255b5016.json b/mobile-attack/relationship/relationship--3272111a-f31d-47d5-a266-1749255b5016.json index dadcdbe8d0..92adc1f5db 100644 --- a/mobile-attack/relationship/relationship--3272111a-f31d-47d5-a266-1749255b5016.json +++ b/mobile-attack/relationship/relationship--3272111a-f31d-47d5-a266-1749255b5016.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--46bd2533-f861-4ab4-9c81-0cf59d29a738", + "id": "bundle--506d56a5-3d84-47b7-a4db-6ac5c1203f61", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--3272111a-f31d-47d5-a266-1749255b5016", "created": "2019-09-23T13:36:08.335Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "securelist rotexy 2018", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:50.370Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can be controlled through SMS messages.(Citation: securelist rotexy 2018)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--327d0102-2113-4e12-be68-504db097a6fd.json b/mobile-attack/relationship/relationship--327d0102-2113-4e12-be68-504db097a6fd.json index 6b88a76707..87206410a8 100644 --- a/mobile-attack/relationship/relationship--327d0102-2113-4e12-be68-504db097a6fd.json +++ b/mobile-attack/relationship/relationship--327d0102-2113-4e12-be68-504db097a6fd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0726c029-920b-4f5f-841c-d911cfcaa8e1", + "id": "bundle--a838409c-cce7-45ed-bca0-3da63d020ccd", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:01:31.230Z", + "modified": "2025-04-16T21:47:50.562Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) communicates with the command and control server using HTTP requests.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--32958f57-ad9b-4fe1-abf3-6f92df895014.json b/mobile-attack/relationship/relationship--32958f57-ad9b-4fe1-abf3-6f92df895014.json index ccd8df48bd..98ad591316 100644 --- a/mobile-attack/relationship/relationship--32958f57-ad9b-4fe1-abf3-6f92df895014.json +++ b/mobile-attack/relationship/relationship--32958f57-ad9b-4fe1-abf3-6f92df895014.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e95965a2-63d8-41d6-a40f-82ec6499b4f9", + "id": "bundle--6f46a9c5-1fed-4610-828b-dcd05cda0d92", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--32958f57-ad9b-4fe1-abf3-6f92df895014", "type": "relationship", + "id": "relationship--32958f57-ad9b-4fe1-abf3-6f92df895014", "created": "2019-08-05T13:22:03.917Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", - "source_name": "Lookout Dark Caracal Jan 2018" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-08-09T18:06:11.873Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:50.774Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) stores domain information and URL paths as hardcoded AES-encrypted, base64-encoded strings.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--32be51e2-f74d-441f-aa0d-952697a76494.json b/mobile-attack/relationship/relationship--32be51e2-f74d-441f-aa0d-952697a76494.json index 095fac0579..4f2b4b2499 100644 --- a/mobile-attack/relationship/relationship--32be51e2-f74d-441f-aa0d-952697a76494.json +++ b/mobile-attack/relationship/relationship--32be51e2-f74d-441f-aa0d-952697a76494.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6bd53aa4-e879-42d3-9033-1ffb22aeb224", + "id": "bundle--860a7635-b99b-48e2-bcf2-f9fd57b9b87f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--32be51e2-f74d-441f-aa0d-952697a76494", "type": "relationship", + "id": "relationship--32be51e2-f74d-441f-aa0d-952697a76494", "created": "2019-09-04T15:38:56.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FortiGuard-FlexiSpy", - "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", - "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019." + "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], - "modified": "2019-10-14T18:08:28.599Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:50.977Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses a `FileObserver` object to monitor the Skype and WeChat database file and shared preferences to retrieve chat messages, account information, and profile pictures of the account owner and chat participants. 
[FlexiSpy](https://attack.mitre.org/software/S0408) can also spy on popular applications, including Facebook, Hangouts, Hike, Instagram, Kik, Line, QQ, Snapchat, Telegram, Tinder, Viber, and WhatsApp.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--33316f49-f1fb-453a-9ba7-d6889982a010.json b/mobile-attack/relationship/relationship--33316f49-f1fb-453a-9ba7-d6889982a010.json index f0470aa400..36f1a357bb 100644 --- a/mobile-attack/relationship/relationship--33316f49-f1fb-453a-9ba7-d6889982a010.json +++ b/mobile-attack/relationship/relationship--33316f49-f1fb-453a-9ba7-d6889982a010.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--9883ed48-5075-4b2d-9eaa-7213c118be88", + "id": "bundle--3a86dbbb-98ad-4be7-bf5e-524262a39e55", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--33316f49-f1fb-453a-9ba7-d6889982a010", "type": "relationship", + "id": "relationship--33316f49-f1fb-453a-9ba7-d6889982a010", "created": "2020-07-20T13:27:33.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-08-10T21:57:54.516Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:51.209Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can obtain a list of installed applications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3364dd33-c012-4aaf-852b-86e63bd724ac.json b/mobile-attack/relationship/relationship--3364dd33-c012-4aaf-852b-86e63bd724ac.json index 66a749ee2c..ace4d9c450 100644 
--- a/mobile-attack/relationship/relationship--3364dd33-c012-4aaf-852b-86e63bd724ac.json +++ b/mobile-attack/relationship/relationship--3364dd33-c012-4aaf-852b-86e63bd724ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f1e69bc-6856-4e7d-b0ba-bca087f43caf", + "id": "bundle--ff2a1ebe-3609-4adf-b6bc-f9e2ae451afc", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-11T22:06:53.022Z", + "modified": "2025-04-16T21:47:51.409Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather session cookies from infected devices. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also abuse Accessibility Services to steal Google Authenticator tokens.(Citation: threatfabric_sova_0921)(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--33857221-2543-4a7f-8255-b0d140d70ad7.json b/mobile-attack/relationship/relationship--33857221-2543-4a7f-8255-b0d140d70ad7.json index 35c825c4f2..f3c81ffa19 100644 --- a/mobile-attack/relationship/relationship--33857221-2543-4a7f-8255-b0d140d70ad7.json +++ b/mobile-attack/relationship/relationship--33857221-2543-4a7f-8255-b0d140d70ad7.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--cde34217-9fe8-4eec-93a6-8d312efe4859", + "id": "bundle--6f448bde-6e2d-41fc-bf8d-77641ac374db", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--33857221-2543-4a7f-8255-b0d140d70ad7", "type": "relationship", + "id": "relationship--33857221-2543-4a7f-8255-b0d140d70ad7", "created": "2020-07-20T13:27:33.461Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-08-10T21:57:54.686Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:51.609Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record call audio.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--34351abd-1f58-420a-a893-ad822839815d.json b/mobile-attack/relationship/relationship--34351abd-1f58-420a-a893-ad822839815d.json index de9776ae5d..aeb495c8ca 100644 
--- a/mobile-attack/relationship/relationship--34351abd-1f58-420a-a893-ad822839815d.json +++ b/mobile-attack/relationship/relationship--34351abd-1f58-420a-a893-ad822839815d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad270ab7-abec-4619-9884-321793f935ca", + "id": "bundle--63bfb8d7-3ea5-43b6-9c98-4158006692b3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:33:36.294Z", + "modified": "2025-04-16T21:47:51.819Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures call logs.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0.json b/mobile-attack/relationship/relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0.json index 43dfd736c0..743cc24d61 100644 --- a/mobile-attack/relationship/relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0.json +++ b/mobile-attack/relationship/relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--419bbe02-8789-45b3-a99c-12ad6678bef4", + "id": "bundle--2bd4605a-97d9-42ae-874d-be2d3943fa61", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0", "type": "relationship", + "id": "relationship--346b7e4a-dbd1-486b-ba26-55ae2ac613d0", "created": "2020-12-14T14:52:03.396Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", - "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", - "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], - "modified": "2020-12-16T20:52:21.426Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:52.021Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can download additional overlay templates.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--348d1acd-3f37-4523-95cd-ae002c02c975.json b/mobile-attack/relationship/relationship--348d1acd-3f37-4523-95cd-ae002c02c975.json index 761a8e8eb0..e04c712cc8 100644 --- a/mobile-attack/relationship/relationship--348d1acd-3f37-4523-95cd-ae002c02c975.json +++ b/mobile-attack/relationship/relationship--348d1acd-3f37-4523-95cd-ae002c02c975.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--5598b069-18e5-4028-96e2-95fa290ba3f0", + "id": "bundle--25669a08-49bb-490a-87fc-06d54224c971", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--348d1acd-3f37-4523-95cd-ae002c02c975", "created": "2023-08-23T22:17:46.116Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-23T22:17:46.116Z", + "modified": "2025-04-16T21:47:53.093Z", "description": "Users should be wary of iMessages from unknown senders. Additionally, users should be instructed not to open unrecognized links or other attachments in text messages. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3498d304-48e3-4fe4-a3ab-fc261104f413.json b/mobile-attack/relationship/relationship--3498d304-48e3-4fe4-a3ab-fc261104f413.json index 9defa0cbdc..89c7791ef4 100644 
--- a/mobile-attack/relationship/relationship--3498d304-48e3-4fe4-a3ab-fc261104f413.json +++ b/mobile-attack/relationship/relationship--3498d304-48e3-4fe4-a3ab-fc261104f413.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a19df121-19b0-4a3e-8502-dfd37ce1f40b", + "id": "bundle--658348a8-22d1-4666-b8b4-a9afdd313cc4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3498d304-48e3-4fe4-a3ab-fc261104f413", "type": "relationship", + "id": "relationship--3498d304-48e3-4fe4-a3ab-fc261104f413", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "source_name": "Lookout-StealthMango" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-08-09T17:59:49.094Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:53.321Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can record audio using the device microphone.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--349c2f82-1166-4dab-88d0-cfe920804b70.json b/mobile-attack/relationship/relationship--349c2f82-1166-4dab-88d0-cfe920804b70.json index bc318687f0..5ee0246a6a 100644 --- a/mobile-attack/relationship/relationship--349c2f82-1166-4dab-88d0-cfe920804b70.json +++ b/mobile-attack/relationship/relationship--349c2f82-1166-4dab-88d0-cfe920804b70.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--44790f38-0c79-4f6c-93fb-80d752a464ca", + "id": "bundle--f5ee6b1d-bd98-419c-a1a3-da723d7f414d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--349c2f82-1166-4dab-88d0-cfe920804b70", "created": "2023-12-18T19:06:41.939Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:06:41.939Z", + "modified": "2025-04-16T21:47:53.524Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can exfiltrate collected data to the C2, such as audio recordings and files.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f.json b/mobile-attack/relationship/relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f.json index 2eda75cbd7..ea114b5ba2 100644 
--- a/mobile-attack/relationship/relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f.json +++ b/mobile-attack/relationship/relationship--34a8a945-cc6c-474b-8db1-ffe8b5ecf99f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e9bbcea-f133-41a8-add3-be9898dcdc30", + "id": "bundle--8e85a250-232d-49eb-885b-5e8b7a9053f3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:44:53.855Z", + "modified": "2025-04-16T21:47:53.723Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) registers for the `BOOT_COMPLETED` and `USER_PRESENT` broadcast intents, which allows the software to perform actions after the device is booted and when the user is using the device, respectively.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--34b6abb0-d199-46bb-af21-b65560e75658.json b/mobile-attack/relationship/relationship--34b6abb0-d199-46bb-af21-b65560e75658.json index 332b65a313..f51cecc9b0 100644 --- a/mobile-attack/relationship/relationship--34b6abb0-d199-46bb-af21-b65560e75658.json +++ b/mobile-attack/relationship/relationship--34b6abb0-d199-46bb-af21-b65560e75658.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b16caf73-9c03-4a94-8bde-df1d9a0b711d", + "id": "bundle--4ba642b8-91ac-4873-857c-6d59f4ec6405", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--34b6abb0-d199-46bb-af21-b65560e75658", "created": "2022-04-01T19:06:40.361Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:53.934Z", "description": "", - "modified": "2022-04-01T19:06:40.361Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--34dd5c26-eec9-4288-8e53-677271d490b2.json b/mobile-attack/relationship/relationship--34dd5c26-eec9-4288-8e53-677271d490b2.json index 29548fdf7c..9e300ef64e 100644 --- a/mobile-attack/relationship/relationship--34dd5c26-eec9-4288-8e53-677271d490b2.json +++ b/mobile-attack/relationship/relationship--34dd5c26-eec9-4288-8e53-677271d490b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--08fd1b89-9d1d-4df4-aa3d-7d86e80e2ea2", + "id": "bundle--9a6efe5f-d6f0-4da1-a394-63b32e6e5b65", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:43:57.834Z", + "modified": "2025-04-16T21:47:54.146Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use accessibility event logging to steal data in text fields.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--34f9aed0-48a7-4815-8456-5541a7b8210f.json b/mobile-attack/relationship/relationship--34f9aed0-48a7-4815-8456-5541a7b8210f.json index 06372ebc1e..82964576e2 100644 --- a/mobile-attack/relationship/relationship--34f9aed0-48a7-4815-8456-5541a7b8210f.json +++ b/mobile-attack/relationship/relationship--34f9aed0-48a7-4815-8456-5541a7b8210f.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--176a35ae-ef70-47ea-8539-3359dbcf61c8", + "id": "bundle--584f2f91-5820-495e-9265-5f6d86f4adff", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--34f9aed0-48a7-4815-8456-5541a7b8210f", "created": "2019-09-04T14:28:16.487Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout-Monokle", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. 
Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:54.362Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the user's keystrokes.(Citation: Lookout-Monokle)", - "modified": "2022-04-15T17:34:52.414Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--352fabc8-48fe-4190-92b3-49b00348bb22.json b/mobile-attack/relationship/relationship--352fabc8-48fe-4190-92b3-49b00348bb22.json index 99fc8b9992..fe6a766ba8 100644 --- a/mobile-attack/relationship/relationship--352fabc8-48fe-4190-92b3-49b00348bb22.json +++ b/mobile-attack/relationship/relationship--352fabc8-48fe-4190-92b3-49b00348bb22.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--8e976e16-622f-40ba-9457-8ddb38c3a815", + "id": "bundle--7f68e48a-a33a-44bd-89bb-56bf511750a0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--352fabc8-48fe-4190-92b3-49b00348bb22", "created": "2019-03-11T15:13:40.454Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "TrendMicro-Anserver", - "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/", - "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017." + "description": "Karl Dominguez. (2011, October 2). Android Malware Uses Blog Posts as C&C. Retrieved February 6, 2017.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:54.565Z", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) uses encrypted content within a blog site for part of its command and control. 
Specifically, the encrypted content contains URLs for other servers to be used for other aspects of command and control.(Citation: TrendMicro-Anserver)", - "modified": "2022-04-18T19:04:48.388Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--35453bbb-c9b3-4421-8452-95efdd290d21.json b/mobile-attack/relationship/relationship--35453bbb-c9b3-4421-8452-95efdd290d21.json index c0337ca649..31fcaa0129 100644 --- a/mobile-attack/relationship/relationship--35453bbb-c9b3-4421-8452-95efdd290d21.json +++ b/mobile-attack/relationship/relationship--35453bbb-c9b3-4421-8452-95efdd290d21.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--eec4bef9-f20b-4187-a19f-783bec1ff08d", + "id": "bundle--751f5f40-7f9e-4a66-85f7-e2ecd9775a4e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--35453bbb-c9b3-4421-8452-95efdd290d21", "type": "relationship", + "id": "relationship--35453bbb-c9b3-4421-8452-95efdd290d21", "created": "2021-01-20T16:01:19.323Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zimperium z9", - "url": "https://blog.zimperium.com/how-zimperiums-z9-detected-unknown-mobile-malware-overlooked-by-the-av-industry/", - "description": "zLabs. (2019, November 12). How Zimperium\u2019s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021." + "description": "zLabs. (2019, November 12). How Zimperium\u2019s z9 Detected Unknown Mobile Malware Overlooked by the AV Industry . Retrieved January 20, 2021.", + "url": "https://blog.zimperium.com/how-zimperiums-z9-detected-unknown-mobile-malware-overlooked-by-the-av-industry/" } ], - "modified": "2021-01-20T16:01:19.323Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:54.779Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of running processes.(Citation: Zimperium z9)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3565140f-1570-494d-9d6f-91c9203ece69.json b/mobile-attack/relationship/relationship--3565140f-1570-494d-9d6f-91c9203ece69.json index 94173c33fa..8b2b15357a 100644 --- a/mobile-attack/relationship/relationship--3565140f-1570-494d-9d6f-91c9203ece69.json +++ b/mobile-attack/relationship/relationship--3565140f-1570-494d-9d6f-91c9203ece69.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--26fe0478-e02d-4b2a-8eb2-1e1d273f85df", + "id": "bundle--89b6f250-d046-40c6-b66b-09bd4a087bd9", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T17:14:40.565Z", + "modified": "2025-04-16T21:47:54.977Z", "description": "Usage of insecure or malicious third-party libraries could be detected by application vetting services. Malicious software development tools could be detected by enterprises that deploy endpoint protection software on computers that are used to develop mobile apps. Application vetting could detect the usage of insecure or malicious third-party libraries.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--35927c96-7645-4ef3-b3da-e44822386a10.json b/mobile-attack/relationship/relationship--35927c96-7645-4ef3-b3da-e44822386a10.json index 5b894c00ca..615c941eee 100644 --- a/mobile-attack/relationship/relationship--35927c96-7645-4ef3-b3da-e44822386a10.json 
+++ b/mobile-attack/relationship/relationship--35927c96-7645-4ef3-b3da-e44822386a10.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2018fb64-6347-4354-b45d-90c59938ff38", + "id": "bundle--fa0b9e9b-8b47-4c5b-bca7-54544a53ee17", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:47:19.403Z", + "modified": "2025-04-16T21:47:55.178Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) contains domain generation algorithms to use as backups in case the hardcoded C2 domains are unavailable.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c.json b/mobile-attack/relationship/relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c.json index 034427863e..04c6b00bf7 100644 --- a/mobile-attack/relationship/relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c.json +++ b/mobile-attack/relationship/relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--20ffccf2-d848-4772-9ea0-db846c6b75f2", + "id": "bundle--7aefbcac-b028-4a9b-ba25-ee3641b21b4e", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3598ab6e-9271-40ca-9771-b9a6bbce497c", "created": "2023-08-16T16:44:09.459Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:44:09.459Z", + "modified": "2025-04-16T21:47:55.381Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can use HTTP to communicate with the C2 server.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--35a12ae8-562d-4e24-979e-ef970dde0b94.json b/mobile-attack/relationship/relationship--35a12ae8-562d-4e24-979e-ef970dde0b94.json index 544b079294..b5c27c12cb 100644 --- a/mobile-attack/relationship/relationship--35a12ae8-562d-4e24-979e-ef970dde0b94.json +++ b/mobile-attack/relationship/relationship--35a12ae8-562d-4e24-979e-ef970dde0b94.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--5fd3d9b2-44be-4286-aba2-27378171b5c3", + "id": "bundle--5e589a51-89ef-42da-abc2-f47afc861a47", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--35a12ae8-562d-4e24-979e-ef970dde0b94", "created": "2022-04-15T17:52:24.125Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:55.587Z", "description": "", - "modified": "2022-04-15T17:52:24.125Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--3b0b604f-10db-41a0-b54c-493124d455b9", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f.json b/mobile-attack/relationship/relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f.json index e50a373571..e2402d642a 100644 --- a/mobile-attack/relationship/relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f.json +++ b/mobile-attack/relationship/relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--f515d5b1-753f-4a24-8f67-1b6a0ce85270", + "id": "bundle--53db284f-539b-4055-bcd3-9b426cdc61d8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--35c67a18-7e8d-4bd5-9fe1-35b1ac3f401f", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Wandera-RedDrop", - "url": "https://www.wandera.com/reddrop-malware/", - "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018." + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:55.823Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) tricks the user into sending SMS messages to premium services and then deletes those messages.(Citation: Wandera-RedDrop)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of 
file diff --git a/mobile-attack/relationship/relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3.json b/mobile-attack/relationship/relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3.json index 662b2070ea..91fb4edc83 100644 --- a/mobile-attack/relationship/relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3.json +++ b/mobile-attack/relationship/relationship--3616bacc-6f6e-41f2-832c-cdbbae9622f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1341be24-a898-43ac-be56-622cec2d6d31", + "id": "bundle--32f45bae-3100-4e7d-9dee-6b689816cc0a", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:21:42.102Z", + "modified": "2025-04-16T21:47:56.023Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can read SMS messages.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--36268322-9f5e-4749-8760-6430178a3d68.json b/mobile-attack/relationship/relationship--36268322-9f5e-4749-8760-6430178a3d68.json index 041837107d..796c06fdee 100644 --- a/mobile-attack/relationship/relationship--36268322-9f5e-4749-8760-6430178a3d68.json +++ b/mobile-attack/relationship/relationship--36268322-9f5e-4749-8760-6430178a3d68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--957b21d9-f944-4f01-84b5-998d0347b467", + "id": "bundle--c3e1ad5d-6c78-4ed0-ad2e-e5ac8aa152f6", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:25:08.956Z", + "modified": "2025-04-16T21:47:56.223Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can intercept SMS messages.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--36298fd6-d909-4490-8a04-095aef9ffafe.json b/mobile-attack/relationship/relationship--36298fd6-d909-4490-8a04-095aef9ffafe.json index a818c24e08..0c2d17424d 100644 --- a/mobile-attack/relationship/relationship--36298fd6-d909-4490-8a04-095aef9ffafe.json +++ b/mobile-attack/relationship/relationship--36298fd6-d909-4490-8a04-095aef9ffafe.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--00826dd9-379b-49dd-8bba-7a8a9fde7e8a", + "id": "bundle--a255dd91-fc3b-434a-80bd-c9af478fc411", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--36298fd6-d909-4490-8a04-095aef9ffafe", "type": "relationship", + "id": "relationship--36298fd6-d909-4490-8a04-095aef9ffafe", "created": "2020-11-20T15:54:07.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T15:54:07.747Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:56.428Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can record audio from the microphone and phone calls.(Citation: Symantec GoldenCup) ", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96.json b/mobile-attack/relationship/relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96.json index e06fbdbe45..3d9a41feec 100644 --- a/mobile-attack/relationship/relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96.json +++ b/mobile-attack/relationship/relationship--3644d1dd-8d9f-4a89-a618-c6b22c2a1a96.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--82ac2925-29a5-4026-b655-4b4a5e37f749", + "id": "bundle--9c67ea50-37d2-4bdb-bb3e-7e73f8ade9ac", "spec_version": "2.0", "objects": [ { @@ -12,22 +12,21 @@ "external_references": [ { "source_name": "Wandera-RedDrop", - "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", - "url": "https://www.wandera.com/reddrop-malware/" + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:01:48.463Z", + "modified": "2025-04-16T21:47:56.649Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses HTTP requests for C2 communication.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--36c71b5d-e453-488c-ae63-8fb063924c27.json b/mobile-attack/relationship/relationship--36c71b5d-e453-488c-ae63-8fb063924c27.json index a9823b56ff..3a7d7e74a9 100644 --- a/mobile-attack/relationship/relationship--36c71b5d-e453-488c-ae63-8fb063924c27.json +++ b/mobile-attack/relationship/relationship--36c71b5d-e453-488c-ae63-8fb063924c27.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--497913a9-bde8-469a-9f16-f025f485aa55", + "id": "bundle--0e43e7c9-c9ac-4b15-86fe-09a9414928e0", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--36c71b5d-e453-488c-ae63-8fb063924c27", "created": "2023-08-10T21:57:51.879Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T21:57:51.879Z", + "modified": "2025-04-16T21:47:56.853Z", "description": "The user can review available call logs for irregularities, such as missing or unrecognized calls.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--370bf74f-7499-4d66-9626-a61926af8f84.json b/mobile-attack/relationship/relationship--370bf74f-7499-4d66-9626-a61926af8f84.json index b56abfde19..f31963ece0 100644 --- a/mobile-attack/relationship/relationship--370bf74f-7499-4d66-9626-a61926af8f84.json 
+++ b/mobile-attack/relationship/relationship--370bf74f-7499-4d66-9626-a61926af8f84.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b360b737-9e8e-47b5-b234-eac09d039aa3", + "id": "bundle--528d4b77-0965-4074-bb7b-659eba0241e4", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--370bf74f-7499-4d66-9626-a61926af8f84", "created": "2023-09-21T22:32:19.683Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T22:32:19.683Z", + "modified": "2025-04-16T21:47:57.068Z", "description": "Application vetting services may detect when an application requests permissions after an application update.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10.json b/mobile-attack/relationship/relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10.json index 1b4a2de505..992456e97a 100644 --- a/mobile-attack/relationship/relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10.json +++ b/mobile-attack/relationship/relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6439b568-1946-4eba-a3c1-d1631ee798b6", + "id": "bundle--82562c52-41fd-4dc1-8e55-8147325ebe31", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10", "type": "relationship", + "id": "relationship--37123a8d-5c03-459c-bd0b-c17e2ee75a10", "created": "2020-06-26T15:32:25.074Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], - "modified": "2020-06-26T15:32:25.074Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:57.285Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can update the malicious payload module on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631.json b/mobile-attack/relationship/relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631.json index 54a081f30d..7df2454fe4 100644 --- a/mobile-attack/relationship/relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631.json +++ b/mobile-attack/relationship/relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0190226d-81e8-4a69-b8a8-008c6c1ca510", + "id": "bundle--dd0d9a70-ff95-4995-aea5-3066000e0c2e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631", "type": "relationship", + "id": "relationship--373223d8-f18c-4151-8fe0-7d40c0c6e631", "created": "2020-11-24T17:55:12.885Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", - "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", - "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], - "modified": "2020-11-24T17:55:12.885Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:57.491Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has used timers to enable Wi-Fi, ping the C2 server, register the device with the C2, and register wake locks on the system.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c.json b/mobile-attack/relationship/relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c.json index 2f0dbd60f5..f8edb2eb5a 100644 --- a/mobile-attack/relationship/relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c.json +++ b/mobile-attack/relationship/relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--cb13a03e-871a-4dcb-adac-0f983a8b6334", + "id": "bundle--ac40872e-a762-4bbc-a797-73331c48c4b5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c", "type": "relationship", + "id": "relationship--373f33be-9b40-44f5-bfd3-db2a9f5fa72c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "http://thehackernews.com/2014/01/first-widely-distributed-android.html" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:57.712Z", "description": "[OldBoot](https://attack.mitre.org/software/S0285) uses escalated privileges to modify the init script on the device's boot partition to maintain persistence.(Citation: HackerNews-OldBoot)", "relationship_type": "uses", "source_ref": "malware--2074b2ad-612e-4758-adce-7901c1b49bbc", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc.json b/mobile-attack/relationship/relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc.json index f2634a641e..8014380217 100644 --- a/mobile-attack/relationship/relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc.json +++ b/mobile-attack/relationship/relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b2b0ec8b-66be-4721-86cd-3b76b207f10f", + "id": "bundle--f5e98846-20e0-4b2f-9106-a2e43c26bd67", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc", "type": "relationship", + "id": "relationship--3752c235-0576-47dc-b05d-d3eaeaccfecc", "created": "2020-12-24T21:55:56.688Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:55:56.688Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:57.924Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has captured audio and can record phone calls.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--37d14338-b629-4b54-b734-446789b79f6f.json b/mobile-attack/relationship/relationship--37d14338-b629-4b54-b734-446789b79f6f.json index 79a4c13239..28f537e348 100644 --- a/mobile-attack/relationship/relationship--37d14338-b629-4b54-b734-446789b79f6f.json +++ b/mobile-attack/relationship/relationship--37d14338-b629-4b54-b734-446789b79f6f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3c0d8746-22ca-4e8c-b4c9-c192ca383fc7", + "id": "bundle--4434293b-74a9-47fb-8fe2-16129671acdf", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:57.641Z", + "modified": "2025-04-16T21:47:58.138Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) has used icons from popular applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517.json b/mobile-attack/relationship/relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517.json index 8ea8f581ef..af85a6a8df 100644 --- a/mobile-attack/relationship/relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517.json +++ b/mobile-attack/relationship/relationship--37fd2f2a-e4f4-4d39-8698-d17305fb2517.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ea9cfd19-48f7-425a-a6ab-9a961c64e6fe", + "id": "bundle--7eecc504-16da-4bd0-a53c-e239c66c6ff7", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-15T19:17:24.158Z", + "modified": "2025-04-16T21:47:58.369Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can communicate over port 7242 using HTTP.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3832d2cf-0568-451d-aac9-6fb809fc423d.json b/mobile-attack/relationship/relationship--3832d2cf-0568-451d-aac9-6fb809fc423d.json index ad6972cbec..a895b9e976 100644 --- a/mobile-attack/relationship/relationship--3832d2cf-0568-451d-aac9-6fb809fc423d.json +++ b/mobile-attack/relationship/relationship--3832d2cf-0568-451d-aac9-6fb809fc423d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce46ccac-9789-4acf-8d3e-91cd583921da", + "id": "bundle--9e698633-2059-462d-a35b-7b12eeb929fd", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-23T17:31:35.855Z", + "modified": "2025-04-16T21:47:58.568Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has hidden multimedia files from the user.(Citation: Cyfirma Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--383e5b12-061e-45c6-911b-b37187dd9254.json b/mobile-attack/relationship/relationship--383e5b12-061e-45c6-911b-b37187dd9254.json index f271320114..141659a1ef 100644 --- a/mobile-attack/relationship/relationship--383e5b12-061e-45c6-911b-b37187dd9254.json +++ b/mobile-attack/relationship/relationship--383e5b12-061e-45c6-911b-b37187dd9254.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ae694671-c59c-4057-b49e-a50798f43a2c", + "id": "bundle--26a8a550-fb0d-4b7e-b58b-7fb349152f20", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--383e5b12-061e-45c6-911b-b37187dd9254", "type": "relationship", + "id": "relationship--383e5b12-061e-45c6-911b-b37187dd9254", "created": "2021-02-08T16:36:20.701Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "modified": "2021-05-24T13:16:56.399Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:58.813Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included file enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3841024e-1047-40fa-9e25-ac6d5c14612a.json b/mobile-attack/relationship/relationship--3841024e-1047-40fa-9e25-ac6d5c14612a.json index f7b9dd8e4b..6299f1145c 100644 --- a/mobile-attack/relationship/relationship--3841024e-1047-40fa-9e25-ac6d5c14612a.json +++ b/mobile-attack/relationship/relationship--3841024e-1047-40fa-9e25-ac6d5c14612a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--065da39d-80c9-4ec4-8174-6ba73174c741", + "id": "bundle--ee6b75a7-690b-457c-b5d5-d7d4c8c5df52", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:25:52.302Z", + "modified": "2025-04-16T21:47:59.011Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view device contacts.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3857f790-6ea1-4f37-8d90-90904f175d63.json b/mobile-attack/relationship/relationship--3857f790-6ea1-4f37-8d90-90904f175d63.json index f891ed0054..4d973cca66 100644 --- a/mobile-attack/relationship/relationship--3857f790-6ea1-4f37-8d90-90904f175d63.json +++ b/mobile-attack/relationship/relationship--3857f790-6ea1-4f37-8d90-90904f175d63.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--43e8c313-657c-4f2b-bf09-96673d27b794", + "id": "bundle--d31db751-c999-4de7-ac14-679422c90363", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:48:17.771Z", + "modified": "2025-04-16T21:47:59.227Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) has C2 commands that can uninstall the app from the infected device.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91.json b/mobile-attack/relationship/relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91.json index 3291b93f5d..3024489370 100644 --- a/mobile-attack/relationship/relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91.json +++ b/mobile-attack/relationship/relationship--38634e49-f19e-41bc-bb6d-e711f0cabd91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--94e27561-c820-4836-954a-ba35350cec72", + "id": "bundle--3f69c935-b0f4-4ee3-a6e0-d7cee4042f53", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:42:27.975Z", + "modified": "2025-04-16T21:47:59.426Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) can hide its icon and create a shortcut based on the C2 server response.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--386b0a9f-9951-4717-8bce-30c8fbe05050.json b/mobile-attack/relationship/relationship--386b0a9f-9951-4717-8bce-30c8fbe05050.json index 1983d6ae45..fb10b1fe0a 100644 --- a/mobile-attack/relationship/relationship--386b0a9f-9951-4717-8bce-30c8fbe05050.json +++ b/mobile-attack/relationship/relationship--386b0a9f-9951-4717-8bce-30c8fbe05050.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--1e9a6923-2f81-4cac-9371-6c52cc9ef399", + "id": "bundle--58c08c0b-e5a7-42e2-b9d1-cd038a56c2d7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--386b0a9f-9951-4717-8bce-30c8fbe05050", "type": "relationship", + "id": "relationship--386b0a9f-9951-4717-8bce-30c8fbe05050", "created": "2020-06-26T15:32:24.955Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], - "modified": "2020-06-26T15:32:24.955Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:47:59.665Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) uses standard payload and string obfuscation techniques.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b.json b/mobile-attack/relationship/relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b.json index 97045f7461..8d9dd3fb99 100644 --- a/mobile-attack/relationship/relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b.json +++ b/mobile-attack/relationship/relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b9da9220-5d4a-4763-916d-6f2768dbd195", + "id": "bundle--de2b8d3a-d053-4206-b8e8-cdccca4fdc6f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3874eaf6-aa14-4d8e-ad44-7ad227ecda1b", "created": "2024-02-23T19:53:28.913Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-23T19:53:28.913Z", + "modified": "2025-04-16T21:47:59.870Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--38962b26-7cbe-4761-8b4f-50a022167c4d.json b/mobile-attack/relationship/relationship--38962b26-7cbe-4761-8b4f-50a022167c4d.json index 8e26ea30c0..59877f6f90 100644 --- a/mobile-attack/relationship/relationship--38962b26-7cbe-4761-8b4f-50a022167c4d.json +++ b/mobile-attack/relationship/relationship--38962b26-7cbe-4761-8b4f-50a022167c4d.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--db2dbbfe-a7cf-4fb8-a6af-afd7d061e926", + "id": "bundle--b64ae45e-b12d-44e7-80b2-39ad464a04e8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--38962b26-7cbe-4761-8b4f-50a022167c4d", "created": "2019-09-03T20:08:00.708Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Talos Gustuff Apr 2019", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:00.073Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) checks for antivirus software contained in a predefined list.(Citation: Talos Gustuff Apr 2019)", - "modified": "2022-04-15T16:55:56.825Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951.json b/mobile-attack/relationship/relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951.json index 0cacf6e70a..ea91f8f83c 100644 --- a/mobile-attack/relationship/relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951.json +++ b/mobile-attack/relationship/relationship--38cb6365-40ba-47c6-a5e4-1a9be665f951.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fefb6fa6-6e3a-469e-bdb4-93e55d4dd187", + "id": "bundle--870be64f-be2d-4ef5-a2a5-7129adb11017", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-01T16:50:04.964Z", + "modified": "2025-04-16T21:48:00.312Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) has encrypted C2 details, email addresses, and passwords.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4.json b/mobile-attack/relationship/relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4.json index 773ae551cf..49c53d60ce 100644 --- a/mobile-attack/relationship/relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4.json +++ b/mobile-attack/relationship/relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--7a410f9a-7c78-4aa3-8c6a-c44c5706c79f", + "id": "bundle--e87a4eca-fc74-4c00-b6a0-f3f728bbefb3", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--38ec048f-7f6e-4bbd-9455-1b1e54968af4", "created": "2023-03-30T15:18:37.934Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-30T15:18:37.934Z", + "modified": "2025-04-16T21:48:00.521Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can take screenshots and abuse the Android Screen Cast feature to capture screen data.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e.json b/mobile-attack/relationship/relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e.json index 3d3e4d45bc..7fb8db8b08 100644 --- a/mobile-attack/relationship/relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e.json +++ b/mobile-attack/relationship/relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e26fafc9-3f2c-424a-90e4-c0ca89cdc8b8", + "id": "bundle--c69d6c8f-ede5-435f-a598-273b68eb3bca", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e", "type": "relationship", + "id": "relationship--38f37e3f-1d4b-4f04-b176-1cae6d22931e", "created": "2020-12-14T14:52:03.310Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", - "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", - "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], - "modified": "2020-12-14T14:52:03.310Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:00.719Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can send SMS messages.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d.json b/mobile-attack/relationship/relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d.json index a5c2da8a3d..1f8ceda1e5 100644 --- a/mobile-attack/relationship/relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d.json +++ b/mobile-attack/relationship/relationship--38f96449-dfb1-49db-b0d0-f257c3ee2c5d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eca2644c-ffff-48a2-a83e-e6ace435d497", + "id": "bundle--43045c7f-3bc6-4f7d-8c50-91e72fb931f1", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:25:21.998Z", + "modified": "2025-04-16T21:48:00.926Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can retrieve SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--393300c4-6852-466d-a163-1d51330fe055.json b/mobile-attack/relationship/relationship--393300c4-6852-466d-a163-1d51330fe055.json index 054f7e6ed0..c8dc300432 100644 --- a/mobile-attack/relationship/relationship--393300c4-6852-466d-a163-1d51330fe055.json +++ b/mobile-attack/relationship/relationship--393300c4-6852-466d-a163-1d51330fe055.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--673bb4e5-d329-4943-bafc-9250856f3d0e", + "id": "bundle--b871c7ae-672c-4943-8b64-7c38e35aefbc", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:40:52.983Z", + "modified": "2025-04-16T21:48:01.130Z", "description": "Mobile security products can potentially detect jailbroken devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a.json b/mobile-attack/relationship/relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a.json index fea04f2fcf..65615e67ec 100644 --- a/mobile-attack/relationship/relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a.json +++ b/mobile-attack/relationship/relationship--395cb6b2-0848-43c7-ac4a-617e103fb66a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90e33eb1-25d5-4e92-acde-0a3544782312", + "id": "bundle--009cf4a0-2673-41b7-945e-b6fa30bf2002", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:02:09.253Z", + "modified": "2025-04-16T21:48:01.358Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has communicated with the C2 using MQTT and HTTP.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2.json b/mobile-attack/relationship/relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2.json index b6daf1327e..963856ac24 100644 --- a/mobile-attack/relationship/relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2.json +++ b/mobile-attack/relationship/relationship--3997b2a1-2b70-4eeb-aa8f-1053bb3744c2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9b9fd2ad-f6a9-4a68-8dd8-9eb24ad42559", + "id": "bundle--f338d0f9-b6c2-46eb-8d84-e8acb0fae3c9", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T17:04:24.775Z", + "modified": "2025-04-16T21:48:01.559Z", "description": "Application vetting services could potentially detect the usage of APIs intended for artifact hiding.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0.json b/mobile-attack/relationship/relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0.json index 479cf6f249..acd23b62d6 100644 --- a/mobile-attack/relationship/relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0.json +++ b/mobile-attack/relationship/relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7c567ff8-0487-4d45-abee-b92b1d6acf9c", + "id": "bundle--81d66ea5-fef8-4234-9c4c-3a74d16858e9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--39b854c1-5906-4d14-a0bc-1242c3eaa5b0", "created": "2022-04-11T20:05:56.540Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:01.767Z", "description": "", - "modified": "2022-04-11T20:05:56.540Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3a18f41d-876c-403a-80cc-47ef57ae630d.json b/mobile-attack/relationship/relationship--3a18f41d-876c-403a-80cc-47ef57ae630d.json index d6602d90f5..07a6ff8c7d 100644 --- a/mobile-attack/relationship/relationship--3a18f41d-876c-403a-80cc-47ef57ae630d.json +++ b/mobile-attack/relationship/relationship--3a18f41d-876c-403a-80cc-47ef57ae630d.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--4e19df90-f5f2-48d6-bf41-38dda37c120f", + "id": "bundle--7379c8e1-a426-420f-9ef1-584e1e3ccebf", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3a18f41d-876c-403a-80cc-47ef57ae630d", "created": "2023-09-25T19:53:56.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-25T19:53:56.034Z", + "modified": "2025-04-16T21:48:01.976Z", "description": "Remote access software typically requires many privileged permissions, such as accessibility services or device administrator. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3a282967-0536-474d-8831-30cd60b818a9.json b/mobile-attack/relationship/relationship--3a282967-0536-474d-8831-30cd60b818a9.json index d228767fda..28caf4e1d1 100644 --- a/mobile-attack/relationship/relationship--3a282967-0536-474d-8831-30cd60b818a9.json +++ b/mobile-attack/relationship/relationship--3a282967-0536-474d-8831-30cd60b818a9.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--bae46b4a-ea9c-4155-b151-bbe91a9dcf36", + "id": "bundle--90c28aa1-9f03-43b4-8fb0-8058ac93359d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3a282967-0536-474d-8831-30cd60b818a9", "created": "2023-09-28T17:20:38.294Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:20:38.294Z", + "modified": "2025-04-16T21:48:02.214Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can initiate phone calls.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010.json b/mobile-attack/relationship/relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010.json index e649f0b6cc..f92c3c88af 100644 --- a/mobile-attack/relationship/relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010.json +++ b/mobile-attack/relationship/relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010.json 
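Review bot: The citation key in the `description` context line of the second hunk for `relationship--3a282967-0536-474d-8831-30cd60b818a9` is spelled `Bleeipng Computer Escobar`, which looks like a typo for "Bleeping". The matching `source_name` under `external_references` falls between the two hunks and is not visible here, so it presumably carries the same spelling. If the key is matched as an exact string, both would have to change together, e.g. `(Citation: Bleeping Computer Escobar)` with the same value in `source_name`. Since the object is being re-stamped in this release anyway, this would be a low-cost place to correct it.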
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--590d2500-031b-4d66-ab50-c784bcad02e8", + "id": "bundle--2788ed56-7b7b-4ede-a6c7-0de76af53e9f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3a5dee7b-92a2-4382-aa02-2c14d0b82010", "created": "2024-02-20T23:51:50.439Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:51:50.439Z", + "modified": "2025-04-16T21:48:02.417Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41.json b/mobile-attack/relationship/relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41.json index 3b932a4f1d..858c0df6bc 100644 --- a/mobile-attack/relationship/relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41.json +++ b/mobile-attack/relationship/relationship--3a7d4872-2bfb-4df3-ad53-91c8229b9b41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c7c2db4a-dbeb-4af4-8bad-7c00eda86bdf", + "id": "bundle--4219160f-d214-4e71-9755-9fee39819069", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:30:56.849Z", + "modified": "2025-04-16T21:48:02.628Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obfuscate code and strings to evade detection.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a.json b/mobile-attack/relationship/relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a.json index fe965832a3..b650441aac 100644 --- a/mobile-attack/relationship/relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a.json +++ b/mobile-attack/relationship/relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--41f259a7-8557-4670-9fd5-2cde68508415", + "id": "bundle--09a69d67-d9df-48cd-be47-3926a28b5d78", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--3a8fea40-69ba-4cfe-b577-c3112a60887a", "created": "2022-04-01T14:51:51.593Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:02.864Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to notifications. ", - "modified": "2022-04-01T14:51:51.593Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3abc80ad-4ea0-4e91-a170-f040469c2083.json b/mobile-attack/relationship/relationship--3abc80ad-4ea0-4e91-a170-f040469c2083.json index e7475832dc..d2821f4c79 100644 --- a/mobile-attack/relationship/relationship--3abc80ad-4ea0-4e91-a170-f040469c2083.json +++ b/mobile-attack/relationship/relationship--3abc80ad-4ea0-4e91-a170-f040469c2083.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--02280146-cc1f-4393-9553-29cd0a1a5278", + "id": "bundle--51e7ddb7-7009-4a77-9e52-cfd20ad82ee1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3abc80ad-4ea0-4e91-a170-f040469c2083", "type": "relationship", + "id": "relationship--3abc80ad-4ea0-4e91-a170-f040469c2083", "created": "2020-07-20T13:27:33.483Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-08-10T21:57:54.688Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:03.071Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can take photos and videos.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd.json b/mobile-attack/relationship/relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd.json index 2f85ad8045..b2a5d7ff0d 100644 
--- a/mobile-attack/relationship/relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd.json +++ b/mobile-attack/relationship/relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--c72ff381-ee12-4217-8c04-5d395aa1610d", + "id": "bundle--06b03d6f-92d7-40f2-a939-5b6ef9ad968a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--3abcd7f4-5f6d-4b5d-9b37-eee68751dcbd", "created": "2022-04-01T15:02:43.475Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:03.283Z", "description": "", - "modified": "2022-04-01T15:02:43.475Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--27f483c6-6666-44fa-8532-ffd5fc7dab38", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265.json b/mobile-attack/relationship/relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265.json index c961d7f966..703060790b 100644 --- a/mobile-attack/relationship/relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265.json +++ b/mobile-attack/relationship/relationship--3acbaa64-fb6e-4c26-ada4-1aab88798265.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97285a8a-6acd-4a2e-b3bf-bc9b6cb17efd", + "id": "bundle--ea8942ea-58c9-4d4f-8cea-6ce3891ac9f0", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:15:42.930Z", + "modified": "2025-04-16T21:48:03.481Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign) ", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba.json b/mobile-attack/relationship/relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba.json index 31264e65cb..29c8de152c 100644 --- a/mobile-attack/relationship/relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba.json +++ b/mobile-attack/relationship/relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b1318102-b42a-4992-9af5-64624b70bbf6", + "id": "bundle--f36fc381-715f-4d8d-8fa2-fd6bf4a346ae", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--3ae62d66-6405-413f-86e3-ccdb66fac7ba", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "", - "modified": "2022-04-06T15:41:33.829Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:03.690Z", + "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e30cc912-7ea1-4683-9219-543b86cbdec9", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2.json b/mobile-attack/relationship/relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2.json index 009aa9f765..857dc844db 100644 --- a/mobile-attack/relationship/relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2.json +++ b/mobile-attack/relationship/relationship--3b0cb886-dabc-4622-b91f-3851e2a71bf2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5935093f-f964-48e1-bf73-91122b47b4f1", + "id": "bundle--2dd3ce65-1b97-4b53-9d3b-ca964789dbdb", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:02:40.717Z", + "modified": "2025-04-16T21:48:03.895Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used HTTP uploads to a URL as a command and control mechanism.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3b24a287-36e1-49b9-811d-c0080147ff57.json b/mobile-attack/relationship/relationship--3b24a287-36e1-49b9-811d-c0080147ff57.json index 3f8282c461..656c9f4898 100644 --- a/mobile-attack/relationship/relationship--3b24a287-36e1-49b9-811d-c0080147ff57.json +++ b/mobile-attack/relationship/relationship--3b24a287-36e1-49b9-811d-c0080147ff57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2e2cf342-120f-4a0f-8cc5-39cea2d19cfc", + "id": "bundle--d5b7fd70-ad6e-4d80-bf0f-2f36068da23c", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T22:45:47.105Z", + "modified": "2025-04-16T21:48:04.098Z", "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895.json b/mobile-attack/relationship/relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895.json new file mode 100644 index 0000000000..6f4aad336c --- /dev/null +++ b/mobile-attack/relationship/relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--57430e8d-963f-4029-b65b-aa106df9232e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3bcd5bc8-4998-4f71-85d6-27f0cb22e895", + "created": "2025-03-28T15:08:46.377Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + }, + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:04.323Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors monitored the device\u2019s geolocation.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3be6ad82-722d-4699-8e3a-c1ea60018244.json b/mobile-attack/relationship/relationship--3be6ad82-722d-4699-8e3a-c1ea60018244.json index 2fb4a26c94..c8866a8588 100644 
--- a/mobile-attack/relationship/relationship--3be6ad82-722d-4699-8e3a-c1ea60018244.json +++ b/mobile-attack/relationship/relationship--3be6ad82-722d-4699-8e3a-c1ea60018244.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--521c2588-68c8-498e-9df1-32b565ef944f", + "id": "bundle--80814dc4-e221-4715-a832-18c5363f8dd4", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:29:15.000Z", + "modified": "2025-04-16T21:48:04.537Z", "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3bf4b093-a1a3-48da-9236-bce9514765eb.json b/mobile-attack/relationship/relationship--3bf4b093-a1a3-48da-9236-bce9514765eb.json index 3453b6a46b..622387432c 100644 --- a/mobile-attack/relationship/relationship--3bf4b093-a1a3-48da-9236-bce9514765eb.json +++ b/mobile-attack/relationship/relationship--3bf4b093-a1a3-48da-9236-bce9514765eb.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--126d6d4e-100e-4643-867f-e0e8d85c608a", + "id": "bundle--219cba69-004e-4a42-a947-c48dc259b2e2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--3bf4b093-a1a3-48da-9236-bce9514765eb", "created": "2022-04-05T19:46:05.853Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Samsung Keyboards", - "url": "https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-", - "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved September 1, 2019." + "description": "Samsung. (2019, August 16). 3rd party keyboards must be whitelisted.. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20201112021547/https://support.samsungknox.com/hc/en-us/articles/360001485027-3rd-party-keyboards-must-be-whitelisted-" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:04.757Z", "description": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards)", - "modified": "2022-04-05T19:46:05.853Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3bf5a566-986b-478c-b2da-e57caf261378.json b/mobile-attack/relationship/relationship--3bf5a566-986b-478c-b2da-e57caf261378.json index dfd94abdd9..d0268da73e 100644 --- a/mobile-attack/relationship/relationship--3bf5a566-986b-478c-b2da-e57caf261378.json +++ b/mobile-attack/relationship/relationship--3bf5a566-986b-478c-b2da-e57caf261378.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--fc28df94-c77c-40f3-bdc5-c7076eeea535", + "id": "bundle--e3178d31-52b9-423e-a16e-8c235c3e973b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3bf5a566-986b-478c-b2da-e57caf261378", "type": "relationship", + "id": "relationship--3bf5a566-986b-478c-b2da-e57caf261378", "created": "2019-09-03T19:45:48.515Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-09-11T13:25:19.216Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:04.965Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two attempts to elevate privileges by using a modified version of the DirtyCow exploit.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414.json b/mobile-attack/relationship/relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414.json index 9ed878ef53..2d2e440c33 100644 --- a/mobile-attack/relationship/relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414.json +++ b/mobile-attack/relationship/relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--247eec04-90cb-41f5-a9a4-5f8b9bf8885b", + "id": "bundle--4a7162a4-444c-4b91-af68-360f428754e0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--3c0b0763-78d2-4d6e-8e57-b4f27af7e414", "created": "2019-10-18T14:50:57.521Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. ", - "modified": "2022-03-30T20:08:17.127Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:05.169Z", + "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. ", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3c291ee5-1782-4e5b-8131-5188c7388f45.json b/mobile-attack/relationship/relationship--3c291ee5-1782-4e5b-8131-5188c7388f45.json index 3fc464342b..ebbe5680e7 100644 --- a/mobile-attack/relationship/relationship--3c291ee5-1782-4e5b-8131-5188c7388f45.json +++ b/mobile-attack/relationship/relationship--3c291ee5-1782-4e5b-8131-5188c7388f45.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--2e531555-c4af-4a31-9f25-b68ead09f842", + "id": "bundle--4f635cf0-c356-462c-83f8-a13fbd664d42", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45", "type": "relationship", + "id": "relationship--3c291ee5-1782-4e5b-8131-5188c7388f45", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:05.389Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers the device phone number and IMEI and transmits them to a command and control server.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
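Review bot: In the second hunk of relationship--3c291ee5 the rewritten object gains `"x_mitre_attack_spec_version": "3.2.0"` but carries neither `"revoked": false,` nor `"x_mitre_deprecated": false,`. Sibling objects touched by this same commit (for example relationship--3bf5a566) have both added explicitly. The same gap is visible in relationship--3c3c957e, relationship--3ca453a4, relationship--3d24d88e and relationship--3d5f7bdf. A consumer that selects live relationships with an equality test on `false`, rather than treating a missing key as false, would silently drop these `uses` edges from its technique coverage; this is inferred, since no consumer code is shown here. I would emit both keys on every relationship object in the export so the shape is uniform, or state in the release notes that absence means false.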
diff --git a/mobile-attack/relationship/relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7.json b/mobile-attack/relationship/relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7.json index 352f1f761c..bced176e3e 100644 --- a/mobile-attack/relationship/relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7.json +++ b/mobile-attack/relationship/relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--48a3682d-8749-4745-b206-b929e98e8336", + "id": "bundle--e97c8272-3bb2-4e53-b7fa-abf7101c503b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7", "type": "relationship", + "id": "relationship--3c3c957e-7a23-4801-9f6a-ba599ad727d7", "created": "2019-10-15T19:33:42.204Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], - "modified": "2019-10-15T19:33:42.204Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:05.594Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can track the device's location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3c43d125-6719-420e-bb69-878cc91c2474.json b/mobile-attack/relationship/relationship--3c43d125-6719-420e-bb69-878cc91c2474.json index 1116b0274a..f7268bd208 100644 --- a/mobile-attack/relationship/relationship--3c43d125-6719-420e-bb69-878cc91c2474.json +++ b/mobile-attack/relationship/relationship--3c43d125-6719-420e-bb69-878cc91c2474.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b14a2cf1-01e3-4942-83b9-ec12a9054121", + "id": "bundle--950d4564-2890-4e93-ab29-05c2c183e3e1", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:45:11.727Z", + "modified": "2025-04-16T21:48:05.821Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can register for the `BOOT_COMPLETED` broadcast Intent.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637.json b/mobile-attack/relationship/relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637.json new file mode 100644 index 0000000000..608772b9e4 --- /dev/null +++ b/mobile-attack/relationship/relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--187a288d-ebdb-442d-8df7-85c65a29bde8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--3c4ea7a5-251c-4d10-a724-f4a247f44637", + "created": "2025-04-14T16:32:24.402Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:06.031Z", + "description": "Using an XOR-chain algorithm, [LightSpy](https://attack.mitre.org/software/S1185) decrypts an embedded configuration blob containing URLs for jailbreak components and next-stage payloads. 
It also decrypts modules in memory and on disk using AES-ECB with the hardcoded key `3e2717e8b3873b29`.(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) Additionally, [LightSpy](https://attack.mitre.org/software/S1185)\u2019s plugins have been encrypted during transmission.(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3.json b/mobile-attack/relationship/relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3.json index 713b446352..2d014a6213 100644 --- a/mobile-attack/relationship/relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3.json +++ b/mobile-attack/relationship/relationship--3c57ee56-34bc-4f0c-b363-68dab3e5e7b3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--adaae51f-7c33-467e-b990-0f94134dc430", + "id": "bundle--1ccc1c5f-ee9c-46ff-8f9e-2ef7d0b89a07", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.361Z", + "modified": "2025-04-16T21:48:06.270Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) included code from the legitimate Pokemon GO app in order to appear identical to the user, but it also included additional malicious code.(Citation: Proofpoint-Droidjack)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5.json b/mobile-attack/relationship/relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5.json index 8d2d933881..a863cea176 100644 --- a/mobile-attack/relationship/relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5.json +++ b/mobile-attack/relationship/relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f8c77785-ab96-4350-a5b0-0c235c9c0a12", + "id": "bundle--18b5ccd2-d4e6-4974-b49e-df37b0cd0311", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3c6776b9-258c-460c-b4b4-ea1a1453e5c5", "created": "2023-08-16T16:40:34.787Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:40:34.787Z", + "modified": "2025-04-16T21:48:06.482Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather device location data.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad.json b/mobile-attack/relationship/relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad.json index 2dd5283046..c3bde991be 100644 --- a/mobile-attack/relationship/relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad.json +++ b/mobile-attack/relationship/relationship--3c874ffa-63c3-491f-8d8c-623b19a7fdad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13d39271-3f12-4bc7-a578-96e2f7dd4ec8", + "id": "bundle--afe1d19a-9410-4f97-bda8-d729f3b8d3a6", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:37:37.674Z", + "modified": "2025-04-16T21:48:06.714Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect the device\u2019s call log.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3c90dc4c-8156-49ae-8144-76526268a6c1.json b/mobile-attack/relationship/relationship--3c90dc4c-8156-49ae-8144-76526268a6c1.json index 1ec5fe57eb..3fe972e73d 100644 --- a/mobile-attack/relationship/relationship--3c90dc4c-8156-49ae-8144-76526268a6c1.json +++ b/mobile-attack/relationship/relationship--3c90dc4c-8156-49ae-8144-76526268a6c1.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--4a70cddf-79b7-42f3-a604-e8efbdb83940", + "id": "bundle--249250d3-7cab-48fc-a05d-c0dbf4e7e9bc", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3c90dc4c-8156-49ae-8144-76526268a6c1", "created": "2023-08-04T18:32:08.706Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:32:08.706Z", + "modified": "2025-04-16T21:48:06.927Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can request device administrator privileges. (Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a.json b/mobile-attack/relationship/relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a.json index 7266d315cc..3822df9698 100644 --- a/mobile-attack/relationship/relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a.json +++ b/mobile-attack/relationship/relationship--3ca284e7-062c-4f23-b95d-9f9c6a2d882a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a1f8f60a-7e0d-4419-b6ba-d5e5d60f66e3", + "id": "bundle--25eb3ca8-ac75-4943-b3f8-17fb029d2fa7", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:25:35.330Z", + "modified": "2025-04-16T21:48:07.125Z", "description": "[Triada](https://attack.mitre.org/software/S0424) variants capture transaction data from SMS-based in-app purchases.(Citation: Kaspersky Triada March 2016) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00.json b/mobile-attack/relationship/relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00.json index 4ff4b6eb65..186cf585a0 100644 --- a/mobile-attack/relationship/relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00.json +++ b/mobile-attack/relationship/relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b4a6ad20-6ff0-4d39-987e-1ba325866b22", + "id": "bundle--62834047-a0f7-475e-8e78-11fc12782b0d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00", "type": "relationship", + "id": "relationship--3ca453a4-bd78-4087-a93f-9261fb2e3f00", "created": "2020-09-15T15:18:12.421Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", - "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", - "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], - "modified": "2020-09-15T15:18:12.421Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:07.365Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect a list of installed applications.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba.json b/mobile-attack/relationship/relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba.json index 68f05875d6..d49b7cbb00 100644 --- a/mobile-attack/relationship/relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba.json +++ b/mobile-attack/relationship/relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--00e1ed73-bcd6-4fa1-b3e4-f3da0ac02547", + "id": "bundle--d6728529-bc15-44b5-ae7c-61cd2c06453c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba", "type": "relationship", + "id": "relationship--3d24d88e-a0ab-42c6-8e8f-11f721082bba", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], - "modified": "2019-08-09T17:52:31.838Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:07.568Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to exploit well-known Android OS vulnerabilities to escalate privileges.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c.json b/mobile-attack/relationship/relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c.json index b555826b8c..f2c6aeb028 100644 --- a/mobile-attack/relationship/relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c.json +++ b/mobile-attack/relationship/relationship--3d5a1472-4042-49a4-8b66-7ff1fcfee92c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--66f7e079-1bdb-4799-9785-11ed0bf0f779", + "id": "bundle--076b3d98-9841-493e-8c6e-43bcf90e649e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-18T17:49:54.985Z", + "modified": "2025-04-16T21:48:07.770Z", "description": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has sent SMS phishing messages to employee phone numbers with a link to a site configured with a fake credential harvesting login portal.(Citation: MSTIC Octo Tempest Operations October 2023)", "relationship_type": "uses", "source_ref": "intrusion-set--44d37b89-a739-4810-9111-0d2617a8939b", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b.json b/mobile-attack/relationship/relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b.json index d5650f2d01..b4350ab1ed 100644 --- a/mobile-attack/relationship/relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b.json +++ b/mobile-attack/relationship/relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b.json 
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--a662d4b2-cfdf-4dd9-9e85-7fe96f0b8109",
+ "id": "bundle--0a049a86-5b83-4627-bc79-45e4039e9ee9",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b",
 "type": "relationship",
+ "id": "relationship--3d5f7bdf-ab59-48f9-89d5-23f9d8cd235b",
 "created": "2021-01-05T20:16:20.419Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Zscaler TikTok Spyware",
- "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware",
- "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021."
+ "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.",
+ "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware"
 }
 ],
- "modified": "2021-01-05T20:16:20.419Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:48:07.974Z",
 "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture audio from the device\u2019s microphone and can record phone calls.(Citation: Zscaler TikTok Spyware)",
 "relationship_type": "uses",
 "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0",
 "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3d65c2b7-c907-45e1-b942-95f7d765e749.json b/mobile-attack/relationship/relationship--3d65c2b7-c907-45e1-b942-95f7d765e749.json
index 53d727eddf..e4fbfea304 100644
--- a/mobile-attack/relationship/relationship--3d65c2b7-c907-45e1-b942-95f7d765e749.json
+++ b/mobile-attack/relationship/relationship--3d65c2b7-c907-45e1-b942-95f7d765e749.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--902c3368-1321-4c51-b313-579e86a935f7",
+ "id": "bundle--99973ef7-c011-44ec-b5b4-bb0dc9db9fda",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-14T16:29:32.104Z",
+ "modified": "2025-04-16T21:48:08.196Z",
 "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0",
 "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3db58541-3870-424d-ad74-f2b84ff87abb.json b/mobile-attack/relationship/relationship--3db58541-3870-424d-ad74-f2b84ff87abb.json
index 54552a3ea0..5a7221f926 100644
--- a/mobile-attack/relationship/relationship--3db58541-3870-424d-ad74-f2b84ff87abb.json
+++ b/mobile-attack/relationship/relationship--3db58541-3870-424d-ad74-f2b84ff87abb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ffebb15b-4f97-4ca3-a50a-9170afb30e6e",
+ "id": "bundle--23b180ab-a6d5-4d8c-810e-a342d18fbe00",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-07-14T19:10:57.654Z",
+ "modified": "2025-04-16T21:48:08.492Z",
 "description": "Unexpected behavior from an application could be an indicator of masquerading.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
 "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3dd0cd4d-bcde-4105-b98e-b32add191083.json b/mobile-attack/relationship/relationship--3dd0cd4d-bcde-4105-b98e-b32add191083.json
index dd0d135da5..257e641772 100644
--- a/mobile-attack/relationship/relationship--3dd0cd4d-bcde-4105-b98e-b32add191083.json
+++ b/mobile-attack/relationship/relationship--3dd0cd4d-bcde-4105-b98e-b32add191083.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b9a00fc7-148e-4dec-89a1-3199a375e7a9",
+ "id": "bundle--d980ebde-6b9a-487f-88cf-df08eb3b1926",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T20:39:39.589Z",
+ "modified": "2025-04-16T21:48:08.712Z",
 "description": "[GolfSpy](https://attack.mitre.org/software/S0421) exfiltrates data using HTTP POST requests.(Citation: Trend Micro Bouncing Golf 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c",
 "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3dff770d-9627-4647-b945-7f24a97b2273.json b/mobile-attack/relationship/relationship--3dff770d-9627-4647-b945-7f24a97b2273.json
index 0bd13150b3..0798d54e98 100644
--- a/mobile-attack/relationship/relationship--3dff770d-9627-4647-b945-7f24a97b2273.json
+++ b/mobile-attack/relationship/relationship--3dff770d-9627-4647-b945-7f24a97b2273.json
@@ -1,23 +1,23 @@
 {
 "type": "bundle",
- "id": "bundle--143def4e-221d-4e68-86d6-be84c4f78c49",
+ "id": "bundle--21af9ff1-45ef-45cb-8867-53e678489feb",
 "spec_version": "2.0",
 "objects": [
 {
+ "type": "relationship",
+ "id": "relationship--3dff770d-9627-4647-b945-7f24a97b2273",
+ "created": "2019-09-15T15:26:22.926Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "id": "relationship--3dff770d-9627-4647-b945-7f24a97b2273",
- "type": "relationship",
- "created": "2019-09-15T15:26:22.926Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "modified": "2020-06-24T15:02:13.533Z",
+ "modified": "2025-04-16T21:48:08.919Z",
 "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
 "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de.json b/mobile-attack/relationship/relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de.json
index 943e7b8aa5..db0d61332d 100644
--- a/mobile-attack/relationship/relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de.json
+++ b/mobile-attack/relationship/relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--6be2c1fe-75d6-484a-a5f9-a0c5541cd816",
+ "id": "bundle--e42e9d41-3871-4a52-bf9e-c8a9bfddf782",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--3e11a61b-14b3-4268-a6dd-937d4baef6de",
 "created": "2023-06-09T19:17:12.858Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-06-09T19:17:12.858Z",
+ "modified": "2025-04-16T21:48:09.121Z",
 "description": "[Hornbill](https://attack.mitre.org/software/S1077) can record environmental and call audio.(Citation: lookout_hornbill_sunbird_0221)",
 "relationship_type": "uses",
 "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1",
 "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3e2474d3-f36d-4193-92f6-273296befdd3.json b/mobile-attack/relationship/relationship--3e2474d3-f36d-4193-92f6-273296befdd3.json
index 877cb35897..8dc4c72725 100644
--- a/mobile-attack/relationship/relationship--3e2474d3-f36d-4193-92f6-273296befdd3.json
+++ b/mobile-attack/relationship/relationship--3e2474d3-f36d-4193-92f6-273296befdd3.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--d3cd60cf-5d88-4417-a781-c7cc81cb6bd7",
+ "id": "bundle--8497cafe-e2c1-4e3c-a7e9-58f55c4e1eaf",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--3e2474d3-f36d-4193-92f6-273296befdd3",
 "created": "2022-04-05T19:38:18.760Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:48:09.351Z",
 "description": "Users should protect their account credentials and enable multi-factor authentication options when available. ",
- "modified": "2022-04-05T19:38:18.760Z",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
 "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60.json b/mobile-attack/relationship/relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60.json
index c95e08aedd..fb89c67617 100644
--- a/mobile-attack/relationship/relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60.json
+++ b/mobile-attack/relationship/relationship--3e2b9dc1-5da0-46a1-a576-4b41a10f3a60.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--b8a20f35-a2a0-4e09-9eda-9768a62aa449",
+ "id": "bundle--3c944b96-cd2b-4c6a-b0dc-09874099dc36",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:21:27.210Z",
+ "modified": "2025-04-16T21:48:09.550Z",
 "description": "[GPlayed](https://attack.mitre.org/software/S0536) can access the device\u2019s contact list.(Citation: Talos GPlayed)",
 "relationship_type": "uses",
 "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a",
 "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1.json b/mobile-attack/relationship/relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1.json
index dd71fc164f..f49ebae810 100644
--- a/mobile-attack/relationship/relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1.json
+++ b/mobile-attack/relationship/relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--3dbf4655-307c-4541-a2aa-9094e41b0ef1",
+ "id": "bundle--ef1a5937-bb99-43c9-bfed-9a4bae30371b",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1",
 "type": "relationship",
+ "id": "relationship--3e3cad6c-dd73-43c9-bf99-d4796ba97fb1",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
- "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf",
+ "source_name": "CrowdStrike-Android",
 "description": "CrowdStrike Global Intelligence Team. (2016). Use of Fancy Bear Android Malware in Tracking of Ukrainian FIeld Artillery Units. Retrieved February 6, 2017.",
- "source_name": "CrowdStrike-Android"
+ "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf"
 }
 ],
- "modified": "2020-03-20T16:37:06.668Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:48:09.760Z",
 "description": "(Citation: CrowdStrike-Android)",
 "relationship_type": "uses",
 "source_ref": "intrusion-set--bef4c620-0787-42a8-a96d-b7eb6e85917c",
 "target_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364.json b/mobile-attack/relationship/relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364.json
index 3d3401aee5..b05d3a36b3 100644
--- a/mobile-attack/relationship/relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364.json
+++ b/mobile-attack/relationship/relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--765085fb-405f-4b64-84dc-2c8cddb1bb8d",
+ "id": "bundle--159b8797-5711-4780-aa0c-a9767a53472b",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--3e5b5c7a-32e1-4745-8ceb-c46ce7276364",
 "created": "2023-02-06T19:46:19.592Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-02-06T19:46:19.592Z",
+ "modified": "2025-04-16T21:48:09.976Z",
 "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has C2 commands to add an infected device to a DDoS pool.(Citation: threatfabric_sova_0921)",
 "relationship_type": "uses",
 "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36",
 "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56.json b/mobile-attack/relationship/relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56.json
index 1ab21725ee..391f7a8b14 100644
--- a/mobile-attack/relationship/relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56.json
+++ b/mobile-attack/relationship/relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--1317a636-eeda-4e22-b15b-67f01d122d48",
+ "id": "bundle--086feb0b-9739-4d31-856f-88152aa566c7",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--3ebcd3d8-dd8e-4cc9-8087-ce9e93df6f56",
 "created": "2017-10-25T14:48:53.738Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": false,
- "revoked": false,
- "description": "Android 9 introduced a new security policy that prevents applications from reading or writing data to other applications\u2019 internal storage directories, regardless of permissions. ",
- "modified": "2022-04-01T13:51:48.934Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:48:10.210Z",
+ "description": "Android 9 introduced a new security policy that prevents applications from reading or writing data to other applications\u2019 internal storage directories, regardless of permissions. ",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
 "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817.json b/mobile-attack/relationship/relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817.json
index 08857a8d7f..9dfbe43b2b 100644
--- a/mobile-attack/relationship/relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817.json
+++ b/mobile-attack/relationship/relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817.json 
@@ -1,33 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--1625223a-6b58-41ff-aa0c-38a044a8b5aa",
+ "id": "bundle--10cac578-ab11-4228-84c2-09ca5b3212cc",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--3ebdc17d-401e-4f6a-af51-2dc57437b817",
 "created": "2019-09-20T18:03:57.062Z",
- "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "Android 10 Execute",
- "url": "https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission",
- "description": "Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019."
+ "description": "Android Developers. (n.d.). Behavior changes: all apps - Removed execute permission for app home directory. Retrieved September 20, 2019.",
+ "url": "https://developer.android.com/about/versions/10/behavior-changes-all#execute-permission"
 }
 ],
- "x_mitre_deprecated": false,
- "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:48:10.410Z",
 "description": "Applications that target Android API level 29 or higher cannot execute native code stored in the application's internal data storage directory, limiting the ability of applications to download and execute native code at runtime. 
(Citation: Android 10 Execute)",
- "modified": "2022-04-01T18:37:44.516Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
 "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb.json b/mobile-attack/relationship/relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb.json
index 6ba49a8f69..9990f34f6d 100644
--- a/mobile-attack/relationship/relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb.json
+++ b/mobile-attack/relationship/relationship--3ec30b37-1db2-4048-9dd9-22d863f034bb.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--03dbea87-bc32-4ff7-8bea-75ffdaec1f03",
+ "id": "bundle--1375dc7a-d7a4-4dd4-838e-a17307aac8d0",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-04-16T21:14:22.641Z",
+ "modified": "2025-04-16T21:48:10.620Z",
 "description": "[BITTER](https://attack.mitre.org/groups/G1002) has delivered malicious applications to victims via shortened URLs distributed through SMS, WhatsApp, and various social media platforms.(Citation: blackberry_mobile_malware_apt_esp) ",
 "relationship_type": "uses",
 "source_ref": "intrusion-set--7f848c02-4d1e-4808-a4ae-4670681370a9",
 "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5.json b/mobile-attack/relationship/relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5.json
new file mode 100644
index 0000000000..f35ce67749
--- /dev/null
+++ b/mobile-attack/relationship/relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--6998bd63-8290-4dad-adfe-bfc182d84bc2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--3ee5c123-416f-4d02-920d-ce44be7f11a5",
+ "created": "2025-03-28T14:42:05.150Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "SecureList OpTriangulation 21Jun2023",
+ "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.",
+ "url": "https://securelist.com/triangledb-triangulation-implant/110050/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:48:10.830Z",
+ "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has obtained a list of installed applications.(Citation: SecureList OpTriangulation 21Jun2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f",
+ "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3efe7dcc-a572-45ac-aff2-2932206a0632.json b/mobile-attack/relationship/relationship--3efe7dcc-a572-45ac-aff2-2932206a0632.json
index 55b7c566f5..1930f1267c 100644
--- a/mobile-attack/relationship/relationship--3efe7dcc-a572-45ac-aff2-2932206a0632.json
+++ b/mobile-attack/relationship/relationship--3efe7dcc-a572-45ac-aff2-2932206a0632.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4c9905f1-73f9-4fae-b1f6-ea87183e6734",
+ "id": "bundle--9ce6fe9b-9692-4d09-ac23-e69423cb8d25",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:52:06.559Z",
+ "modified": "2025-04-16T21:48:11.040Z",
 "description": "[Riltok](https://attack.mitre.org/software/S0403) can access and upload the device's contact list to the command and control server.(Citation: Kaspersky Riltok June 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424",
 "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365.json b/mobile-attack/relationship/relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365.json
index c40a9429dd..40cc20435f 100644
--- a/mobile-attack/relationship/relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365.json
+++ b/mobile-attack/relationship/relationship--3f2daf2e-c28c-46cd-bf91-ae35e873f365.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--64f6eb04-4b3b-4083-b2f0-7739aa875527",
+ "id": "bundle--f9d771cb-a619-4045-869f-6766c771d353",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T20:35:59.273Z",
+ "modified": "2025-04-16T21:48:11.268Z",
 "description": "[Monokle](https://attack.mitre.org/software/S0407) can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.(Citation: Lookout-Monokle)",
 "relationship_type": "uses",
 "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65",
 "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13.json b/mobile-attack/relationship/relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13.json
index b12a296e60..9f8cec8551 100644
--- a/mobile-attack/relationship/relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13.json
+++ b/mobile-attack/relationship/relationship--3f31b209-dbc7-4c7e-bb0a-e37801121c13.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--501be8bb-adfd-4736-bb84-ea9e299e0a1f",
+ "id": "bundle--10312a17-4f26-40e2-b7f6-c01859999383",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:45:26.765Z",
+ "modified": "2025-04-16T21:48:11.488Z",
 "description": "[Exobot](https://attack.mitre.org/software/S0522) has registered to receive the `BOOT_COMPLETED` broadcast intent.(Citation: Threat Fabric Exobot)",
 "relationship_type": "uses",
 "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98",
 "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3f392718-87c4-483b-b89f-4f0cc056d251.json b/mobile-attack/relationship/relationship--3f392718-87c4-483b-b89f-4f0cc056d251.json
index 0c9ce709f6..75e6d9946a 100644
--- a/mobile-attack/relationship/relationship--3f392718-87c4-483b-b89f-4f0cc056d251.json
+++ b/mobile-attack/relationship/relationship--3f392718-87c4-483b-b89f-4f0cc056d251.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--a62effcc-0328-4ba2-9de2-16d6d72697ee",
+ "id": "bundle--07a47a67-68fb-4807-8cda-5b026929912c",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--3f392718-87c4-483b-b89f-4f0cc056d251",
 "type": "relationship",
+ "id": "relationship--3f392718-87c4-483b-b89f-4f0cc056d251",
 "created": "2020-07-20T13:58:53.610Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "TrendMicro-XLoader-FakeSpy",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/",
- "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020."
+ "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/"
 }
 ],
- "modified": "2020-09-24T15:12:24.302Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:48:11.731Z",
 "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device\u2019s UDID, version number, and product number.(Citation: TrendMicro-XLoader-FakeSpy)",
 "relationship_type": "uses",
 "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f",
 "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3f47f048-badd-4476-8534-d06e20c02ec6.json b/mobile-attack/relationship/relationship--3f47f048-badd-4476-8534-d06e20c02ec6.json
index 30d289738c..c9fd7dc630 100644
--- a/mobile-attack/relationship/relationship--3f47f048-badd-4476-8534-d06e20c02ec6.json
+++ b/mobile-attack/relationship/relationship--3f47f048-badd-4476-8534-d06e20c02ec6.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--9ea0f5c5-9c9b-4475-bc42-00471a841e57",
+ "id": "bundle--21defba6-5b0c-409f-9d6c-420fcf6f7650",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--3f47f048-badd-4476-8534-d06e20c02ec6",
 "created": "2023-06-09T19:18:59.889Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-06-09T19:18:59.889Z",
+ "modified": "2025-04-16T21:48:11.949Z",
 "description": "[Hornbill](https://attack.mitre.org/software/S1077) can use HTTP and HTTP POST to communicate information to the C2.(Citation: lookout_hornbill_sunbird_0221)",
 "relationship_type": "uses",
 "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1",
 "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd.json b/mobile-attack/relationship/relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd.json
index 8b0655b5a6..fa10788b6e 100644
--- a/mobile-attack/relationship/relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd.json
+++ b/mobile-attack/relationship/relationship--3f5dbd48-5899-4e97-96a6-ad7e68b673cd.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--3cb6b10b-9e01-424b-9b93-e75243a45ccd",
+ "id": "bundle--b0a43ce0-1812-4715-b572-cc4d33dac86f",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T22:30:26.847Z", + "modified": "2025-04-16T21:48:12.147Z", "description": "Application vetting services could look for use of the accessibility service or features that typically require root access.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3f81a680-3151-4608-b83f-550756632013.json b/mobile-attack/relationship/relationship--3f81a680-3151-4608-b83f-550756632013.json index 418e02438d..73ed4d853c 100644 --- a/mobile-attack/relationship/relationship--3f81a680-3151-4608-b83f-550756632013.json +++ b/mobile-attack/relationship/relationship--3f81a680-3151-4608-b83f-550756632013.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--acbd4e16-6537-48d6-afc8-08962e09958b", + "id": "bundle--fca6222e-d7a5-4b51-afe3-fd0e4ab36675", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3f81a680-3151-4608-b83f-550756632013", "type": "relationship", + "id": "relationship--3f81a680-3151-4608-b83f-550756632013", "created": "2020-07-20T13:58:53.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", - "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], - "modified": "2020-09-24T15:12:24.301Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:12.375Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) can obtain the device\u2019s IMEM, ICCID, and MEID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3f973c3c-45f8-432a-9859-e8749f2e7418.json b/mobile-attack/relationship/relationship--3f973c3c-45f8-432a-9859-e8749f2e7418.json index 08ca202b81..08161a4920 100644 --- a/mobile-attack/relationship/relationship--3f973c3c-45f8-432a-9859-e8749f2e7418.json +++ b/mobile-attack/relationship/relationship--3f973c3c-45f8-432a-9859-e8749f2e7418.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--5d053a8a-31f5-48c9-8c86-08125f3e5e65", + "id": "bundle--60c5ae0c-79ee-4667-92c7-2ee2101b26a6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418", "type": "relationship", + "id": "relationship--3f973c3c-45f8-432a-9859-e8749f2e7418", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
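Review bot: The `description` context line for relationship--3f81a680 still lists the device's "IMEM", which looks like a typo for IMEI given that it sits next to ICCID and MEID. The hunk re-serialises the object and bumps `modified` but leaves that string untouched, so keyword searches for IMEI collection will miss this XLoader for iOS mapping. I would change only that token, `can obtain the device\u2019s IMEI, ICCID, and MEID.(Citation: TrendMicro-XLoader-FakeSpy)`, after confirming it against the cited Trend Micro report.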
@@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], - "modified": "2019-08-09T17:52:31.848Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:12.575Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses sensitive data in files, such as messages stored by the WhatsApp, Facebook, and Twitter applications. It also has the ability to access arbitrary filenames and retrieve directory listings.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645.json b/mobile-attack/relationship/relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645.json index fac85ad107..18e0ddaccf 100644 --- a/mobile-attack/relationship/relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645.json +++ b/mobile-attack/relationship/relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a26cf8f4-6a65-4512-a1dc-f72f6e86658d", + "id": "bundle--79cee6fc-dab8-4a8d-840e-2b52074d404b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645", "type": "relationship", + "id": "relationship--3fcd2177-2030-4781-bd19-8b9fa8c6e645", "created": "2021-02-08T16:36:20.655Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "modified": "2021-05-24T13:16:56.410Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:12.775Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included phone call and audio recording capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a.json b/mobile-attack/relationship/relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a.json index 751ef568ff..e617b287ce 100644 --- a/mobile-attack/relationship/relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a.json +++ b/mobile-attack/relationship/relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--3dee65b7-2253-4113-bd20-069cdb27073c", + "id": "bundle--b87566f1-d34c-4bf5-9435-a187baf1da13", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--3fd2785f-f0eb-4aa9-8a10-e1c9a88b372a", "created": "2020-06-26T14:55:13.304Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:12.979Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can display popups over running applications.(Citation: Cybereason EventBot)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb.json b/mobile-attack/relationship/relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb.json index 12ea218684..6c011057da 100644 --- a/mobile-attack/relationship/relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb.json +++ b/mobile-attack/relationship/relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--90f28354-3b87-42b0-a2a3-42111e622b47", + "id": "bundle--23e2de81-1976-495e-939e-24957ea576b0", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--3fdb8bfb-1b2d-4fac-bb41-d26a5ad18dbb", "created": "2023-08-16T16:44:30.692Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:44:30.692Z", + "modified": "2025-04-16T21:48:13.215Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can send stolen data over HTTP.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4009ff40-4616-4b1c-bff9-599e52ccab37.json b/mobile-attack/relationship/relationship--4009ff40-4616-4b1c-bff9-599e52ccab37.json index edfd0e75d7..8e94a6b739 100644 
--- a/mobile-attack/relationship/relationship--4009ff40-4616-4b1c-bff9-599e52ccab37.json +++ b/mobile-attack/relationship/relationship--4009ff40-4616-4b1c-bff9-599e52ccab37.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0476df8d-e440-4651-a3e5-1ca0ac390614", + "id": "bundle--cdd91efa-9e0c-4d3b-a50d-2ea0845f3c31", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:28:34.373Z", + "modified": "2025-04-16T21:48:13.438Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s contact list.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4088b31b-d542-4935-84b4-82b592159591.json b/mobile-attack/relationship/relationship--4088b31b-d542-4935-84b4-82b592159591.json index 0e3941a3f1..d14bb77c30 100644 --- a/mobile-attack/relationship/relationship--4088b31b-d542-4935-84b4-82b592159591.json +++ b/mobile-attack/relationship/relationship--4088b31b-d542-4935-84b4-82b592159591.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f0ebe007-bd87-40f5-92b5-fa942b3fad3f", + "id": "bundle--5e34174f-da4a-453c-ae9a-55ad7b67584a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4088b31b-d542-4935-84b4-82b592159591", "type": "relationship", + "id": "relationship--4088b31b-d542-4935-84b4-82b592159591", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", - "source_name": "TrendMicro-RCSAndroid" + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], - "modified": "2019-10-10T15:22:52.591Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:13.663Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect contacts and messages from popular applications, including Facebook Messenger, WhatsApp, Skype, Viber, Line, WeChat, Hangouts, Telegram, and BlackBerry Messenger.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4.json b/mobile-attack/relationship/relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4.json index 89c059842d..cbef6acc3f 100644 --- a/mobile-attack/relationship/relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4.json +++ b/mobile-attack/relationship/relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--c0a2e056-bf95-4725-a33e-3ff913097149", + "id": "bundle--e9374a07-ed56-4ae3-ad72-ce13c5c27db8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--40c9adb5-9d1a-4f51-8ef2-a80c2d78e4e4", "created": "2022-04-05T19:38:41.538Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:13.858Z", "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device\u2019s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. ", - "modified": "2022-04-05T19:38:41.538Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--40f30137-4db9-4596-b4c7-a12f1497fd92.json b/mobile-attack/relationship/relationship--40f30137-4db9-4596-b4c7-a12f1497fd92.json index ef1abd9ff8..b830c1d0d1 100644 --- a/mobile-attack/relationship/relationship--40f30137-4db9-4596-b4c7-a12f1497fd92.json +++ b/mobile-attack/relationship/relationship--40f30137-4db9-4596-b4c7-a12f1497fd92.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--76a2f4cd-3105-42c4-94d1-0c97f4e3d478", + "id": "bundle--71a891d9-bc02-4d3d-91d8-0a0fb5a01d38", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--40f30137-4db9-4596-b4c7-a12f1497fd92", "created": "2020-11-10T17:08:35.831Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:14.058Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has performed rudimentary SSL certificate validation to verify C2 server authenticity before establishing a SSL connection.(Citation: Lookout Uyghur Campaign)", - "modified": "2022-04-18T16:02:42.303Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151.json b/mobile-attack/relationship/relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151.json index 850adbede9..fe5a6bc345 100644 --- a/mobile-attack/relationship/relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151.json +++ b/mobile-attack/relationship/relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c2f46c8e-13eb-425a-b009-30da9066d64a", + "id": "bundle--da2127c0-0dec-4128-8d16-0513aff11d0f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4159bc09-ddf3-4d88-9bf0-853ace9c8151", "created": "2023-12-18T18:50:27.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:50:27.381Z", + "modified": "2025-04-16T21:48:14.262Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can request the user unlock the device, or remotely unlock the device.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--418168ad-fee9-42c8-ac27-11f7472a5f86.json b/mobile-attack/relationship/relationship--418168ad-fee9-42c8-ac27-11f7472a5f86.json index f4540ef6fe..c1c0613b7a 100644 --- a/mobile-attack/relationship/relationship--418168ad-fee9-42c8-ac27-11f7472a5f86.json +++ b/mobile-attack/relationship/relationship--418168ad-fee9-42c8-ac27-11f7472a5f86.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--47226779-ccd1-4cf6-9109-ddc1db3f5b5e", + "id": "bundle--59322c0b-b710-4142-bd16-205bfdc04b48", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "SWB Exodus March 2019", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:09:08.738Z", + "modified": "2025-04-16T21:48:14.475Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) One checks in with the command and control server using HTTP POST requests.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27.json b/mobile-attack/relationship/relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27.json new file mode 100644 index 0000000000..e66fd1c445 --- /dev/null +++ b/mobile-attack/relationship/relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--f2391001-edd8-4b20-a97f-5c6f4e60a4da", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--41b7cdc1-0b0a-49da-b694-774c22e6cd27", + "created": "2025-03-28T14:40:13.034Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:14.694Z", + "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has monitored the device\u2019s geolocation, which includes coordinates, altitude, bearing and speed.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--41da5845-a1a8-4d10-8929-053be3496396.json b/mobile-attack/relationship/relationship--41da5845-a1a8-4d10-8929-053be3496396.json index c75ed5e8cf..fa05d0c57a 100644 --- a/mobile-attack/relationship/relationship--41da5845-a1a8-4d10-8929-053be3496396.json +++ b/mobile-attack/relationship/relationship--41da5845-a1a8-4d10-8929-053be3496396.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b9aca6ce-14bd-4c4c-b133-7247a49ab06b", + "id": "bundle--f2ded9c0-589a-47da-acb3-d6769619589c", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:39:57.165Z", + "modified": "2025-04-16T21:48:14.903Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP data exfiltration.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4.json b/mobile-attack/relationship/relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4.json index 4e19d4a5aa..731dea3d07 100644 --- a/mobile-attack/relationship/relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4.json +++ b/mobile-attack/relationship/relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a5989efa-4ddf-4228-8f6a-6e1420e8d406", + "id": "bundle--86d02f9d-0cf0-412a-81de-37bd7f4fcd4f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--4220ec84-3c30-462b-9bad-4fb4de42cfd4", "created": "2022-04-06T15:28:20.249Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:15.122Z", "description": "Users should be instructed to not grant applications unexpected or unnecessary permissions. ", - "modified": "2022-04-06T15:28:20.249Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--42342d72-a37c-477e-b8f1-1768273fcb7f.json b/mobile-attack/relationship/relationship--42342d72-a37c-477e-b8f1-1768273fcb7f.json index 6b40c27f74..521f513c48 100644 --- a/mobile-attack/relationship/relationship--42342d72-a37c-477e-b8f1-1768273fcb7f.json +++ b/mobile-attack/relationship/relationship--42342d72-a37c-477e-b8f1-1768273fcb7f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--68c882c5-dcf2-461b-b95b-4e92c0cf4c93", + "id": "bundle--5b8a2570-7265-4576-ac7c-4b13c78c607d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--42342d72-a37c-477e-b8f1-1768273fcb7f", "created": "2019-10-18T15:51:48.451Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. ", - "modified": "2022-04-01T13:32:32.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:15.321Z", + "description": "Users should be advised not to grant consent for screen captures to occur unless expected. Users should avoid enabling USB debugging (Android Debug Bridge) unless explicitly required. ", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7.json b/mobile-attack/relationship/relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7.json index a8dbeb9fab..16903b951c 100644 --- a/mobile-attack/relationship/relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7.json 
+++ b/mobile-attack/relationship/relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--7fc34758-6d02-43fc-99e7-0a49eaf9a11e", + "id": "bundle--55f4482f-1902-47c8-a734-4776f6d0ddf6", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--42510b9a-7e72-4a52-bc7a-6e1a7ebacff7", "created": "2023-08-16T16:33:12.493Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:33:12.493Z", + "modified": "2025-04-16T21:48:15.528Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) has disguised itself as other applications, such as a cryptocurrency app called \u2018CoinSpot\u2019, and IKO bank in Poland. It has also used familiar icons, such as the Chrome and Bitcoin logos.(Citation: cyble_chameleon_0423) ", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000.json b/mobile-attack/relationship/relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000.json index 3032ff47d6..5066ae4e37 100644 --- a/mobile-attack/relationship/relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000.json +++ b/mobile-attack/relationship/relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--5dfb15c0-a50a-435c-b058-50b6eeec9a19", + "id": "bundle--e5301396-0a4c-4f8e-9990-d3db46a53051", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--42536c96-ae61-41ab-a1bf-3e7d126a4000", "created": "2022-03-30T15:13:42.462Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:15.746Z", "description": "", - "modified": "2022-03-30T15:13:42.462Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e.json b/mobile-attack/relationship/relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e.json index dbadb908d9..8faeec308a 100644 --- a/mobile-attack/relationship/relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e.json +++ b/mobile-attack/relationship/relationship--42624ee9-1bf5-46aa-87d0-9fda0de9a06e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3915af4c-1156-4ff0-b6f9-ccfa72e2b8fd", + "id": "bundle--c83d7a1f-50dc-48a2-891e-7c8074759d47", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:50:47.973Z", + "modified": "2025-04-16T21:48:15.945Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) avoids being analyzed by only activating the malware after recording a certain number of steps from the accelerometer.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9.json b/mobile-attack/relationship/relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9.json index ead4e32e49..12a50f2c61 100644 --- a/mobile-attack/relationship/relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9.json +++ b/mobile-attack/relationship/relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--a24d58d8-9fc3-4cb4-afea-8b5495a2ea78", + "id": "bundle--e26fcf2b-49ae-4a1c-885f-a12ca2f63dfc", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4267ebfa-d932-4949-9d7f-8e183f51f2d9", "created": "2023-12-18T18:10:38.421Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:10:38.421Z", + "modified": "2025-04-16T21:48:16.164Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can perform a factory reset.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09.json b/mobile-attack/relationship/relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09.json index 95c03ebc9c..ba04612266 100644 --- a/mobile-attack/relationship/relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09.json +++ b/mobile-attack/relationship/relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--cb1414e6-b934-45e4-8b7a-837c37b0ddc4", + "id": "bundle--ccdf7eea-ecfb-44a7-b6c6-ab4572d20817", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09", "type": "relationship", + "id": "relationship--429a4b02-f774-4b1e-aaef-5fd9c654dd09", "created": "2021-02-08T16:36:20.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "modified": "2021-05-24T13:16:56.596Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:16.410Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has exfiltrated local account data and calendar information as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b.json b/mobile-attack/relationship/relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b.json index 0b41f05d08..4081938fa2 100644 --- a/mobile-attack/relationship/relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b.json +++ b/mobile-attack/relationship/relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--7ecf643b-f8f6-44d2-8a51-3ec3591384e0", + "id": "bundle--b81e572d-e32d-4d4a-91c9-e82af4b1e24b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--42ae42eb-ea75-457a-bf39-4ea04304dd0b", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Gooligan Citation", - "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/", - "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016." + "description": "Check Point Research Team. (2016, November 30). More Than 1 Million Google Accounts Breached by Gooligan. Retrieved December 12, 2016.", + "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:16.647Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) can install adware to generate revenue.(Citation: Gooligan Citation)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396.json b/mobile-attack/relationship/relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396.json
index d138381a27..4340777748 100644
--- a/mobile-attack/relationship/relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396.json
+++ b/mobile-attack/relationship/relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e6014cce-1e5e-43f6-a7bc-02f877b7f05b", + "id": "bundle--205f9e24-d0de-44a5-9ab5-9b796331228b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396", "type": "relationship", + "id": "relationship--42f8d024-64a7-4bbf-8c05-2b0c7e667396", "created": "2020-12-14T15:02:35.304Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", - "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", - "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], - "modified": "2020-12-14T15:02:35.304Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:16.858Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has stored encrypted strings in the APK file.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b.json b/mobile-attack/relationship/relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b.json index 1c98359612..ebfbe04af4 100644 
--- a/mobile-attack/relationship/relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b.json +++ b/mobile-attack/relationship/relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6f2b2aba-fce1-48f8-a52e-b02a745ce321", + "id": "bundle--382c7ec1-7364-43d0-84e1-6092b96b9248", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b", "type": "relationship", + "id": "relationship--430b2b14-9d63-401c-b76b-d0247ee7e27b", "created": "2020-07-20T13:27:33.549Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-08-10T21:57:54.524Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:17.058Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can record the screen and take screenshots to capture messages from Line, Facebook Messenger, and WhatsApp.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674.json b/mobile-attack/relationship/relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674.json index c8b64ff31d..4ddc3ad82a 100644 --- a/mobile-attack/relationship/relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674.json +++ b/mobile-attack/relationship/relationship--433af79b-ce77-4a4c-84f7-6cdc34e70674.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5de9dfbf-d7c5-4fa2-b352-402f0ca06369", + "id": "bundle--4cc49326-aaee-4f5d-b73e-85cee7563a42", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:48:53.396Z", + "modified": "2025-04-16T21:48:17.268Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept SMS messages.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041.json b/mobile-attack/relationship/relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041.json index 40e7c8f566..bc797b9a22 100644 --- a/mobile-attack/relationship/relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041.json +++ b/mobile-attack/relationship/relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--2c085a32-26e2-4029-9208-19d700998893", + "id": "bundle--3dd29ffa-2b86-44f1-a433-f9ef9f6d5bec", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041", "type": "relationship", + "id": "relationship--433ba5b0-76eb-49e1-a2ed-e54994e94041", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-10-10T15:27:22.174Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:17.492Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather cellular IDs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50.json b/mobile-attack/relationship/relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50.json index a5485e845f..5bc9ef4d4b 100644 --- a/mobile-attack/relationship/relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50.json +++ b/mobile-attack/relationship/relationship--437f719c-d602-4cb8-a2b9-c33e85ad7c50.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2636aca1-5a9a-47a1-b3b5-99a52b75d5a9", + "id": "bundle--2411f3c3-56f0-4661-bed2-03007a150c8c", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:52:43.629Z", + "modified": "2025-04-16T21:48:17.720Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain the device\u2019s contact list.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a.json b/mobile-attack/relationship/relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a.json index 32b2b62f08..d1e794c884 100644 --- a/mobile-attack/relationship/relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a.json +++ b/mobile-attack/relationship/relationship--439d905b-1ad8-461a-ab0d-b2f426cb2c3a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e8d3c487-f753-4734-921f-787fd6334738", + "id": "bundle--8837766b-6cb0-49c5-b6ac-4bd66017dc7e", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T16:24:02.473Z", + "modified": "2025-04-16T21:48:17.932Z", "description": "On Android, the user is presented with a permissions popup when an application requests access to external device storage.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38.json b/mobile-attack/relationship/relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38.json index fba0ca3ae1..ca1c069cde 100644 --- a/mobile-attack/relationship/relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38.json +++ b/mobile-attack/relationship/relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6baad8ed-6280-4d0e-b97a-b8957ac0a034", + "id": "bundle--5c976094-1f7a-4ff9-917a-a75fafc46576", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38", "type": "relationship", + "id": "relationship--43a62244-29f1-4f7f-bc9f-9b7b8e488b38", "created": "2020-05-11T16:37:36.616Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", - "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", - "source_name": "ThreatFabric Ginp" + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], - "modified": "2020-05-11T16:37:36.616Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:18.142Z", "description": " [Ginp](https://attack.mitre.org/software/S0423) can inject input to make itself the default SMS handler.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--43af5696-ac4d-4618-9da9-0784b8f7e433.json b/mobile-attack/relationship/relationship--43af5696-ac4d-4618-9da9-0784b8f7e433.json index 9f6a20590b..f4ce19953a 100644 
--- a/mobile-attack/relationship/relationship--43af5696-ac4d-4618-9da9-0784b8f7e433.json +++ b/mobile-attack/relationship/relationship--43af5696-ac4d-4618-9da9-0784b8f7e433.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--37298a0b-4752-42f6-99d4-59a5070a0d30", + "id": "bundle--424e122e-f38c-4c44-b645-bb38d9e639bd", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--43af5696-ac4d-4618-9da9-0784b8f7e433", "created": "2023-12-18T19:07:55.393Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:07:55.393Z", + "modified": "2025-04-16T21:48:18.376Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can collect the device\u2019s contact list.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358.json b/mobile-attack/relationship/relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358.json index 82ef1c5d32..d0901786cf 100644 --- a/mobile-attack/relationship/relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358.json +++ b/mobile-attack/relationship/relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e4aa1693-e01c-406f-aa85-a877aab79670", + "id": "bundle--8af8446a-201e-46f9-9335-3aa6ba3c1bde", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358", "type": "relationship", + "id": "relationship--43eeee7f-339a-4f6e-9df3-ccbf08ecf358", "created": "2020-11-10T17:08:35.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-01T19:48:44.840Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:18.591Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has looked for specific applications, such as MiCode.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--442dd700-2d7d-4cad-8282-9027e4f69133.json b/mobile-attack/relationship/relationship--442dd700-2d7d-4cad-8282-9027e4f69133.json index 372715caca..33b4d465af 100644 --- a/mobile-attack/relationship/relationship--442dd700-2d7d-4cad-8282-9027e4f69133.json +++ b/mobile-attack/relationship/relationship--442dd700-2d7d-4cad-8282-9027e4f69133.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--cac1493b-b97e-4d52-9ae3-1f5572cd8dba", + "id": "bundle--f02ed768-8391-43b9-abad-4d6786841798", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--442dd700-2d7d-4cad-8282-9027e4f69133", "created": "2022-03-30T20:31:41.927Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:18.816Z", "description": "New OS releases frequently contain additional limitations or controls around device location access.", - "modified": "2022-03-30T20:31:41.927Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--44304163-9a44-4760-bd04-0e14adb33299.json b/mobile-attack/relationship/relationship--44304163-9a44-4760-bd04-0e14adb33299.json index 5ace59a3cc..92e732cfca 100644 --- a/mobile-attack/relationship/relationship--44304163-9a44-4760-bd04-0e14adb33299.json +++ b/mobile-attack/relationship/relationship--44304163-9a44-4760-bd04-0e14adb33299.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--f29b449b-c89f-4c78-9ee7-2208a67812a4", + "id": "bundle--4d2612f8-3824-47ff-ab19-d24b3ae3368c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--44304163-9a44-4760-bd04-0e14adb33299", "created": "2022-04-01T15:13:40.779Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Trend Micro iOS URL Hijacking", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", - "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." + "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:19.024Z", "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", - "modified": "2022-04-01T15:13:40.779Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4449ac76-8329-4483-b152-99b990006cbc.json b/mobile-attack/relationship/relationship--4449ac76-8329-4483-b152-99b990006cbc.json index 7d727b6a64..7e32368282 100644 --- a/mobile-attack/relationship/relationship--4449ac76-8329-4483-b152-99b990006cbc.json +++ b/mobile-attack/relationship/relationship--4449ac76-8329-4483-b152-99b990006cbc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3324623a-f23f-4d54-b91b-9743bdc0df5c", + "id": "bundle--6d4ba7ca-b91d-4f5a-acc0-ee9a597ac6ba", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:58:10.115Z", + "modified": "2025-04-16T21:48:19.270Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect a list of known Wi-Fi access points.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4454a696-7619-40ee-971b-cbf646e4ee61.json b/mobile-attack/relationship/relationship--4454a696-7619-40ee-971b-cbf646e4ee61.json index ca1810f53a..60ca4c6ca5 100644 --- a/mobile-attack/relationship/relationship--4454a696-7619-40ee-971b-cbf646e4ee61.json +++ b/mobile-attack/relationship/relationship--4454a696-7619-40ee-971b-cbf646e4ee61.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--9fb7a6d7-6aef-437d-950e-9b9e00f5e764", + "id": "bundle--ba1a0b09-5005-4888-b22d-4e795dbe0ced", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--4454a696-7619-40ee-971b-cbf646e4ee61", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout-EnterpriseApps", - "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/", - "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016." + "description": "Lookout. (2016, May 25). 5 active mobile threats spoofing enterprise apps. Retrieved December 19, 2016.", + "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:19.473Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to send messages to premium SMS messages.(Citation: Lookout-EnterpriseApps)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2.json b/mobile-attack/relationship/relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2.json index 91b87d06e4..64c4716772 100644 --- a/mobile-attack/relationship/relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2.json +++ b/mobile-attack/relationship/relationship--44a673c9-7ce7-42a0-8ab4-60bbb5001ce2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2f340ed0-61b6-470d-964f-5b0b0739e7b5", + "id": "bundle--4c5b5d27-96be-4486-8e49-cc621aa8dbe7", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:23:14.948Z", + "modified": "2025-04-16T21:48:19.690Z", "description": "Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--44b63426-1ea7-456e-907b-0856e3eab0c3.json b/mobile-attack/relationship/relationship--44b63426-1ea7-456e-907b-0856e3eab0c3.json index 77b47c442b..08638e30a4 100644 --- a/mobile-attack/relationship/relationship--44b63426-1ea7-456e-907b-0856e3eab0c3.json +++ b/mobile-attack/relationship/relationship--44b63426-1ea7-456e-907b-0856e3eab0c3.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4aed51ad-a8dc-4b06-a622-947d7731ff44", + "id": "bundle--a752f6da-20f2-46e2-a8ac-5b0d38936d37", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--44b63426-1ea7-456e-907b-0856e3eab0c3", "type": "relationship", + "id": "relationship--44b63426-1ea7-456e-907b-0856e3eab0c3", "created": "2020-12-31T18:25:05.142Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], - "modified": "2020-12-31T18:25:05.142Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:19.892Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has collected the device\u2019s location.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--44da429b-9dee-43c9-9397-445c6f9e647e.json b/mobile-attack/relationship/relationship--44da429b-9dee-43c9-9397-445c6f9e647e.json index da26149e29..60369055f0 100644 
--- a/mobile-attack/relationship/relationship--44da429b-9dee-43c9-9397-445c6f9e647e.json +++ b/mobile-attack/relationship/relationship--44da429b-9dee-43c9-9397-445c6f9e647e.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--989c14d5-c35e-4578-a940-2f4bae948754", + "id": "bundle--ec4f577c-6e97-41f2-9e09-9acf83ff34d7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--44da429b-9dee-43c9-9397-445c6f9e647e", "created": "2022-03-30T19:54:59.651Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:20.091Z", "description": "Android includes system partition integrity mechanisms that could detect unauthorized modifications. ", - "modified": "2022-03-30T19:54:59.651Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408.json b/mobile-attack/relationship/relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408.json index bb6b71fd53..e52334da09 100644 --- a/mobile-attack/relationship/relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408.json +++ b/mobile-attack/relationship/relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--93fb5587-ce51-498e-bf87-d85d1c6c5b7a", + "id": "bundle--d5c84daf-08d2-432b-908e-bc6b703d75d9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--450a1b75-efa5-4d7a-bcd5-d3e63723b408", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout-Pegasus", - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf", - "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016." + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:20.333Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the connection state and tracks which types of networks the phone is connected to, potentially to determine the bandwidth and ability to send full data across the network.(Citation: Lookout-Pegasus)", - "modified": "2022-04-15T19:47:48.036Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": 
"3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--45253350-c802-4566-a72d-57d43d05fd63.json b/mobile-attack/relationship/relationship--45253350-c802-4566-a72d-57d43d05fd63.json index 9fd98c3032..12abb6aa02 100644 --- a/mobile-attack/relationship/relationship--45253350-c802-4566-a72d-57d43d05fd63.json +++ b/mobile-attack/relationship/relationship--45253350-c802-4566-a72d-57d43d05fd63.json @@ -1,23 +1,23 @@ { "type": "bundle", - "id": "bundle--72c77731-1736-41f0-a786-3844f93e3314", + "id": "bundle--05860650-433f-48ed-a423-59fab4d4fe2d", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--45253350-c802-4566-a72d-57d43d05fd63", + "created": "2020-05-07T15:24:49.530Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--45253350-c802-4566-a72d-57d43d05fd63", - "type": "relationship", - "created": "2020-05-07T15:24:49.530Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2020-05-27T13:23:34.536Z", + "modified": "2025-04-16T21:48:20.548Z", "description": "Security updates frequently contain patches to vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--45383213-4323-4f77-9f9f-360d6d43c128.json b/mobile-attack/relationship/relationship--45383213-4323-4f77-9f9f-360d6d43c128.json index 88536da34c..3cc6a35dff 100644 
--- a/mobile-attack/relationship/relationship--45383213-4323-4f77-9f9f-360d6d43c128.json +++ b/mobile-attack/relationship/relationship--45383213-4323-4f77-9f9f-360d6d43c128.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--ec4d2a12-959d-48f9-a261-d91257246086", + "id": "bundle--438e214e-c0ea-4293-8a69-c56b71f0e84e", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--45383213-4323-4f77-9f9f-360d6d43c128", "created": "2024-04-02T19:13:21.430Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-02T19:13:21.430Z", + "modified": "2025-04-16T21:48:20.765Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can retrieve a device\u2019s contact list.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9.json b/mobile-attack/relationship/relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9.json index 4fef4c0bcf..d81d64d789 100644 --- a/mobile-attack/relationship/relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9.json +++ b/mobile-attack/relationship/relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--23ff68b7-57fd-45c6-8180-f141069c7019", + "id": "bundle--25b3967f-cf72-4609-9600-32a67125fc3c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--45505ae7-0e54-4279-82c3-f92f4a832ed9", "created": "2022-04-06T13:57:38.847Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:20.968Z", "description": "", - "modified": "2022-04-06T13:57:38.847Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8f0e39c6-82c9-41ec-9f93-5696c0f2e274", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--455b1287-5784-42b4-91fb-01dac007758d.json b/mobile-attack/relationship/relationship--455b1287-5784-42b4-91fb-01dac007758d.json index c181ae24f7..b93d2c0a5f 100644 --- a/mobile-attack/relationship/relationship--455b1287-5784-42b4-91fb-01dac007758d.json +++ b/mobile-attack/relationship/relationship--455b1287-5784-42b4-91fb-01dac007758d.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--d12a2697-f351-4165-86a3-60b0fc5c1441", + "id": "bundle--e897d900-2abb-4e76-9d06-aa0964074305", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--455b1287-5784-42b4-91fb-01dac007758d", "created": "2020-09-29T13:24:15.234Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout-Dendroid", - "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/", - "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016." + "description": "Marc Rogers. (2014, March 6). Dendroid malware can take over your camera, record audio, and sneak into Google Play. Retrieved December 22, 2016.", + "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:21.219Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can open a dialog box to ask the user for passwords.(Citation: Lookout-Dendroid)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--4586277d-bebd-4717-87c6-a31a9be741ed.json b/mobile-attack/relationship/relationship--4586277d-bebd-4717-87c6-a31a9be741ed.json index dd0f4cfd4f..bc4c20ab69 100644 --- a/mobile-attack/relationship/relationship--4586277d-bebd-4717-87c6-a31a9be741ed.json +++ b/mobile-attack/relationship/relationship--4586277d-bebd-4717-87c6-a31a9be741ed.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--cfc22c37-f4b6-41b8-9059-7195fe71df7e", + "id": "bundle--c3eaf349-2ebd-4d29-9899-16445764f07e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4586277d-bebd-4717-87c6-a31a9be741ed", "type": "relationship", + "id": "relationship--4586277d-bebd-4717-87c6-a31a9be741ed", "created": "2020-12-24T21:45:56.982Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:45:56.982Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:21.432Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can get file lists on the SD card.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb.json b/mobile-attack/relationship/relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb.json index b03d004f68..eda868a7cf 100644 --- a/mobile-attack/relationship/relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb.json +++ b/mobile-attack/relationship/relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--8f918394-7af2-4340-b280-89c3abbf01a8", + "id": "bundle--77a7cdf1-e9f2-4a0f-9382-99d0eca6d4d5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--45da5ed9-3a9b-4491-98cb-96db68e245bb", "created": "2020-12-14T14:52:03.184Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Sophos Red Alert 2.0", - "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", - "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:21.651Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has used malicious overlays to collect banking credentials.(Citation: Sophos Red Alert 2.0)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline 
at end of file diff --git a/mobile-attack/relationship/relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1.json b/mobile-attack/relationship/relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1.json index 728c55bb63..a0f5c7f442 100644 --- a/mobile-attack/relationship/relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1.json +++ b/mobile-attack/relationship/relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--27eaf5e7-637a-4848-bafd-fb4b4ab2b971", + "id": "bundle--831ce755-7e00-4d15-85d2-3d3442600665", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--465b7a4a-32d5-475c-9fb9-6335c44fb0d1", "created": "2022-04-05T19:48:31.354Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:21.875Z", "description": "", - "modified": "2022-04-05T19:48:31.354Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e.json b/mobile-attack/relationship/relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e.json index 9e20adf8c8..7e1a960d12 100644 
--- a/mobile-attack/relationship/relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e.json +++ b/mobile-attack/relationship/relationship--465d14e7-eb9e-4794-9cb3-1de2cff86a8e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--91c36251-703c-4fab-a0ed-475a181f7602", + "id": "bundle--60c83671-f5af-4bfb-beab-11ba1e16822e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:28:07.442Z", + "modified": "2025-04-16T21:48:22.077Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) registers for the `USER_PRESENT` broadcast intent and uses it as a trigger to take photos with the front-facing camera.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873.json b/mobile-attack/relationship/relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873.json new file mode 100644 index 0000000000..398a85d641 --- /dev/null +++ b/mobile-attack/relationship/relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--f8da3f56-711b-4e36-8c6e-3c06535b7ee8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4667e169-d85a-4d0c-9da7-2fe22d1ba873", + "created": "2025-03-28T14:39:33.150Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:22.303Z", + "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has collected a list of running processes.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4761145d-34ac-4b45-a0d6-a09b1907a196.json b/mobile-attack/relationship/relationship--4761145d-34ac-4b45-a0d6-a09b1907a196.json index 655ebc15ab..38a80b4ded 100644 --- a/mobile-attack/relationship/relationship--4761145d-34ac-4b45-a0d6-a09b1907a196.json +++ b/mobile-attack/relationship/relationship--4761145d-34ac-4b45-a0d6-a09b1907a196.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b79da328-6408-44b1-88b5-9abc980624e1", + "id": "bundle--22430947-317a-4064-851a-544de5bb3584", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4761145d-34ac-4b45-a0d6-a09b1907a196", "type": "relationship", + "id": "relationship--4761145d-34ac-4b45-a0d6-a09b1907a196", "created": "2020-12-18T20:14:47.367Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "modified": "2020-12-18T20:14:47.367Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:22.509Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can inject clicks to launch applications, share posts on social media, and interact with WebViews to perform fraudulent actions.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af.json b/mobile-attack/relationship/relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af.json index f70697a525..89f39352e7 100644 --- a/mobile-attack/relationship/relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af.json +++ b/mobile-attack/relationship/relationship--476e269e-3c49-4fda-a54b-3f0cb577c5af.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95e21985-08f0-467f-b403-9f2b66e88566", + "id": "bundle--cd425eb7-9ca5-457e-ac75-0b47f222deff", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:52:58.974Z", + "modified": "2025-04-16T21:48:22.710Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device\u2019s contact list.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--477edf7d-cc1f-49b7-9d96-f88399808775.json b/mobile-attack/relationship/relationship--477edf7d-cc1f-49b7-9d96-f88399808775.json index 1e326d6681..92bde003cf 100644 --- a/mobile-attack/relationship/relationship--477edf7d-cc1f-49b7-9d96-f88399808775.json +++ b/mobile-attack/relationship/relationship--477edf7d-cc1f-49b7-9d96-f88399808775.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--81ed427b-ce02-4f66-89f5-f92e5ada2112", + "id": "bundle--ed8a794f-7c89-445a-905d-bb137f1b59ab", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--477edf7d-cc1f-49b7-9d96-f88399808775", "created": "2022-04-05T20:15:43.660Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:22.920Z", "description": "", - "modified": "2022-04-05T20:15:43.660Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4819f391-01de-4525-992b-7e4a4f6667de.json b/mobile-attack/relationship/relationship--4819f391-01de-4525-992b-7e4a4f6667de.json index f8d3ba3a73..265dd06ca0 100644 --- a/mobile-attack/relationship/relationship--4819f391-01de-4525-992b-7e4a4f6667de.json +++ b/mobile-attack/relationship/relationship--4819f391-01de-4525-992b-7e4a4f6667de.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--9a68ce44-556a-4574-822e-aa6578645081", + "id": "bundle--3579bb91-29ec-4f5f-a495-5ad7a4aacaaa", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4819f391-01de-4525-992b-7e4a4f6667de", "type": "relationship", + "id": "relationship--4819f391-01de-4525-992b-7e4a4f6667de", "created": "2020-11-20T15:46:51.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T15:46:51.603Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:23.116Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can take pictures with the camera.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--481e5d33-eca4-453c-9fec-27ee01d50989.json b/mobile-attack/relationship/relationship--481e5d33-eca4-453c-9fec-27ee01d50989.json index 7f835c6f53..539e1ffd1b 100644 --- a/mobile-attack/relationship/relationship--481e5d33-eca4-453c-9fec-27ee01d50989.json +++ b/mobile-attack/relationship/relationship--481e5d33-eca4-453c-9fec-27ee01d50989.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--da127058-0e75-4460-be91-1dec0d6858c5", + "id": "bundle--630b98c6-a2cd-48d7-ba16-ade18b80e6eb", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:26:12.006Z", + "modified": "2025-04-16T21:48:23.329Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view files and media.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--48486680-530c-4ed9-aca3-94969aa262b6.json b/mobile-attack/relationship/relationship--48486680-530c-4ed9-aca3-94969aa262b6.json index bbf5ab5e50..0730ace990 100644 --- a/mobile-attack/relationship/relationship--48486680-530c-4ed9-aca3-94969aa262b6.json +++ b/mobile-attack/relationship/relationship--48486680-530c-4ed9-aca3-94969aa262b6.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c69fba1f-f72e-438d-bad4-1f13900173bf", + "id": "bundle--87407f3a-50d4-4b26-accf-e719eeddf4fe", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:38:00.609Z", + "modified": "2025-04-16T21:48:23.533Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--48552acc-5f1a-422f-90fa-37108446f36d.json b/mobile-attack/relationship/relationship--48552acc-5f1a-422f-90fa-37108446f36d.json index 79858b151b..696050078a 100644 --- a/mobile-attack/relationship/relationship--48552acc-5f1a-422f-90fa-37108446f36d.json +++ b/mobile-attack/relationship/relationship--48552acc-5f1a-422f-90fa-37108446f36d.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b3a64641-7a1f-497a-a01b-9179b57676c9", + "id": "bundle--031fe98a-8ff7-4f4c-b5ff-1d3720e047c9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--48552acc-5f1a-422f-90fa-37108446f36d", "created": "2022-03-30T19:14:20.374Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:23.777Z", "description": "", - "modified": "2022-03-30T19:14:20.374Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--039bc59c-ecc7-4997-b2b4-4ab728bd91aa", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--48854999-1c12-4454-bb7c-051691a081f9.json b/mobile-attack/relationship/relationship--48854999-1c12-4454-bb7c-051691a081f9.json index a129071916..f3e3ebac1d 100644 --- a/mobile-attack/relationship/relationship--48854999-1c12-4454-bb7c-051691a081f9.json +++ b/mobile-attack/relationship/relationship--48854999-1c12-4454-bb7c-051691a081f9.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--10d2bbb1-a23d-488d-a731-a5dcb4eff221", + "id": "bundle--e250bfdf-1dd8-4a65-9806-6ae76bda8725", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--48854999-1c12-4454-bb7c-051691a081f9", "created": "2022-03-28T19:25:49.640Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:23.994Z", "description": "Ensure Verified Boot is enabled on devices with that capability.", - "modified": "2022-03-28T19:25:49.640Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4896e256-fb04-403c-bbb7-2323b158a6e0.json b/mobile-attack/relationship/relationship--4896e256-fb04-403c-bbb7-2323b158a6e0.json index a9d6399d8d..6c3e933134 100644 --- a/mobile-attack/relationship/relationship--4896e256-fb04-403c-bbb7-2323b158a6e0.json +++ b/mobile-attack/relationship/relationship--4896e256-fb04-403c-bbb7-2323b158a6e0.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--32828ea4-1cbb-4922-a6a3-280b997f5d28", + "id": "bundle--1cd7d72c-9525-4f9a-b126-f162a532df76", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--4896e256-fb04-403c-bbb7-2323b158a6e0", "created": "2022-03-30T19:52:05.143Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:24.227Z", "description": "", - "modified": "2022-03-30T19:52:05.143Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4897ef75-0035-4ae5-b325-de2f6b27565f.json b/mobile-attack/relationship/relationship--4897ef75-0035-4ae5-b325-de2f6b27565f.json index bd7a64c9c8..bacd8e9674 100644 --- a/mobile-attack/relationship/relationship--4897ef75-0035-4ae5-b325-de2f6b27565f.json +++ b/mobile-attack/relationship/relationship--4897ef75-0035-4ae5-b325-de2f6b27565f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--226b21ad-bfff-410e-965c-cd773ece0c4c", + "id": "bundle--46d51df9-2bfc-40fa-9892-a6696fbac442", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4897ef75-0035-4ae5-b325-de2f6b27565f", "created": "2023-09-21T22:31:28.428Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T22:31:28.428Z", + "modified": "2025-04-16T21:48:24.429Z", "description": "Application vetting services may look for indications that the application\u2019s update includes malicious code at runtime. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74.json b/mobile-attack/relationship/relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74.json index b6cc2206d3..26419ec29b 100644 --- a/mobile-attack/relationship/relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74.json +++ b/mobile-attack/relationship/relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f7fe3f30-c3d5-47ab-9953-f6ede8d016fc", + "id": "bundle--bbf2dc6c-e871-4b07-a5df-139bbe66ef05", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74", "type": "relationship", + "id": "relationship--48c0d9f7-9293-4f38-8ae5-9f5342621f74", "created": "2021-01-05T20:16:20.511Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.511Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:24.770Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has contained an alarm that triggers every three minutes and timers for communicating with the C2.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--00290ac5-551e-44aa-bbd8-c4b913488a6d", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee.json b/mobile-attack/relationship/relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee.json index 811e4c8b10..ce41c99c0d 100644 
--- a/mobile-attack/relationship/relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee.json +++ b/mobile-attack/relationship/relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--b198218f-9a54-44ed-8808-735dcb1fe35c", + "id": "bundle--0b4493d7-7218-480a-9ff9-db2a21d0fe66", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--48cd0af5-9ad1-44b3-beeb-d576974dadee", "created": "2023-09-28T17:19:00.464Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:19:00.464Z", + "modified": "2025-04-16T21:48:24.984Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can request the `DISABLE_KEYGUARD` permission to disable the device lock screen password.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4920a041-86f7-495b-896c-4d964950ed7e.json b/mobile-attack/relationship/relationship--4920a041-86f7-495b-896c-4d964950ed7e.json index f3adce3dff..7ff243ae10 100644 --- a/mobile-attack/relationship/relationship--4920a041-86f7-495b-896c-4d964950ed7e.json +++ b/mobile-attack/relationship/relationship--4920a041-86f7-495b-896c-4d964950ed7e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c601b7ee-1165-45a9-91ce-330fe6ff4ac3", + "id": "bundle--0146b1cb-a4fd-45d2-b28b-1cd3cd32daac", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4920a041-86f7-495b-896c-4d964950ed7e", "type": "relationship", + "id": "relationship--4920a041-86f7-495b-896c-4d964950ed7e", "created": "2020-12-17T20:15:22.454Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", - "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", - "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], - "modified": "2020-12-17T20:15:22.454Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:25.212Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has contained native libraries.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--492d5699-f885-411a-8431-254fcf33fb12.json b/mobile-attack/relationship/relationship--492d5699-f885-411a-8431-254fcf33fb12.json index bc7c3d929b..b06abec25a 100644 --- a/mobile-attack/relationship/relationship--492d5699-f885-411a-8431-254fcf33fb12.json +++ b/mobile-attack/relationship/relationship--492d5699-f885-411a-8431-254fcf33fb12.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--778b96f8-0c55-4d4e-8173-b7573433263f", + "id": "bundle--80bc5a55-098f-437c-a14e-7c5f9cf9bc45", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--492d5699-f885-411a-8431-254fcf33fb12", "created": "2019-08-09T16:14:58.367Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android Capture Sensor 2019", - "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access", - "description": "Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019." + "description": "Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019.", + "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:25.422Z", "description": "Android 9 and above restricts access to the mic, camera, and other device sensors from applications running in the background. 
iOS 14 and Android 12 introduced a visual indicator on the status bar (green dot) when an application is accessing the device\u2019s camera.(Citation: Android Capture Sensor 2019)", - "modified": "2022-04-01T13:56:12.774Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4943cca6-69b1-4565-ac09-87ebda04584c.json b/mobile-attack/relationship/relationship--4943cca6-69b1-4565-ac09-87ebda04584c.json index 2d12fa2954..4de41b849a 100644 --- a/mobile-attack/relationship/relationship--4943cca6-69b1-4565-ac09-87ebda04584c.json +++ b/mobile-attack/relationship/relationship--4943cca6-69b1-4565-ac09-87ebda04584c.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--f6192af4-7174-440c-a4eb-7e3547b63cf4", + "id": "bundle--f9a98429-47ff-4c73-a89c-09ca61e815fa", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--4943cca6-69b1-4565-ac09-87ebda04584c", "created": "2022-04-01T18:52:02.211Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:25.625Z", "description": "Users should be taught the dangers of rooting or jailbreaking their device.", - "modified": "2022-04-01T18:52:02.211Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--494ece43-ebba-4519-86be-cd5c4d4dd337.json b/mobile-attack/relationship/relationship--494ece43-ebba-4519-86be-cd5c4d4dd337.json new file mode 100644 index 0000000000..ddd0110af0 --- /dev/null +++ b/mobile-attack/relationship/relationship--494ece43-ebba-4519-86be-cd5c4d4dd337.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--eb17b377-377b-4ced-a37c-f422ad8e59b2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--494ece43-ebba-4519-86be-cd5c4d4dd337", + "created": "2025-04-14T19:24:14.837Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:25.838Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) collects and compresses data to be exfiltrated using SSZipArchive.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--496976ef-4a0c-4782-95e7-231bd44df162.json b/mobile-attack/relationship/relationship--496976ef-4a0c-4782-95e7-231bd44df162.json index d7f5607946..f1ef809c49 100644 
--- a/mobile-attack/relationship/relationship--496976ef-4a0c-4782-95e7-231bd44df162.json +++ b/mobile-attack/relationship/relationship--496976ef-4a0c-4782-95e7-231bd44df162.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ea1cb09a-0084-4756-b960-615374314dab", + "id": "bundle--5bb16ca8-20f5-4ecd-b27e-303aa53b3fe5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--496976ef-4a0c-4782-95e7-231bd44df162", "type": "relationship", + "id": "relationship--496976ef-4a0c-4782-95e7-231bd44df162", "created": "2020-12-14T15:02:35.295Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", - "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", - "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], - "modified": "2020-12-14T15:02:35.295Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:26.046Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device information, including device model and OS version.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--49c0c003-433c-467f-93b7-ca585aab8232.json b/mobile-attack/relationship/relationship--49c0c003-433c-467f-93b7-ca585aab8232.json index f90a8a8847..c83e658255 100644 --- a/mobile-attack/relationship/relationship--49c0c003-433c-467f-93b7-ca585aab8232.json +++ b/mobile-attack/relationship/relationship--49c0c003-433c-467f-93b7-ca585aab8232.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--1cfceb1d-1c2f-4be5-acc7-9ae2fbb6a9f9", + "id": "bundle--697ebc25-d2d5-47b5-9d5b-e4c39c379411", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--49c0c003-433c-467f-93b7-ca585aab8232", "created": "2023-08-16T16:46:17.841Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:46:17.841Z", + "modified": "2025-04-16T21:48:26.280Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can register as an `SMSBroadcast` receiver to monitor incoming SMS messages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4a408dee-07da-4855-b2ff-be512480ccb5.json b/mobile-attack/relationship/relationship--4a408dee-07da-4855-b2ff-be512480ccb5.json index b8d723af56..1f5aea7d04 100644 
--- a/mobile-attack/relationship/relationship--4a408dee-07da-4855-b2ff-be512480ccb5.json +++ b/mobile-attack/relationship/relationship--4a408dee-07da-4855-b2ff-be512480ccb5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca5059b3-c9cb-4e2a-a6f0-80cf4cf5139e", + "id": "bundle--8d5befb9-5462-46c2-bc80-5ade46e5d116", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:18:05.095Z", + "modified": "2025-04-16T21:48:26.483Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can gather device UDIDs.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57.json b/mobile-attack/relationship/relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57.json index 0c18876ee8..a082a94bf3 100644 --- a/mobile-attack/relationship/relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57.json +++ b/mobile-attack/relationship/relationship--4a4aba6e-2dc4-43a5-bcac-876c89114a57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60514bd3-e935-497d-bd46-891ce987100e", + "id": "bundle--407a15ac-ad36-402b-8fd9-268aac08e701", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T16:09:09.008Z", + "modified": "2025-04-16T21:48:26.704Z", "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice. (Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5.json b/mobile-attack/relationship/relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5.json index 9bf4aac7d5..e99a28f4d4 100644 --- a/mobile-attack/relationship/relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5.json +++ b/mobile-attack/relationship/relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--a6e656ff-5bc4-46e9-83fe-2e30930956f1", + "id": "bundle--5bb77bc4-615d-4100-ada5-22423daf0fc5", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4a608d3b-aa02-4563-8b6b-c64a491856f5", "created": "2023-03-03T16:26:20.400Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:26:20.400Z", + "modified": "2025-04-16T21:48:26.923Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about running processes.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e.json b/mobile-attack/relationship/relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e.json index 24f5c0841b..6f9d1f618a 100644 --- a/mobile-attack/relationship/relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e.json +++ b/mobile-attack/relationship/relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--24d05677-61a3-41aa-9ac2-49b0378f6473", + "id": "bundle--d8d0d1a9-30fd-4503-9287-f07c404447bd", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e", "type": "relationship", + "id": "relationship--4a67b14a-e489-4e8f-b545-5bdf134e146e", "created": "2020-04-24T15:06:33.519Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-04-24T15:06:33.519Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:27.134Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect messages from GSM, WhatsApp, Telegram, Facebook, and Threema by reading the application\u2019s notification content.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952.json b/mobile-attack/relationship/relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952.json index 68afc901b1..4c807dce3a 100644 --- a/mobile-attack/relationship/relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952.json +++ b/mobile-attack/relationship/relationship--4a77c56b-ed2c-4e43-bd0f-7acf9cce1952.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42d16c5d-ea8b-4ab8-ae3c-8bab383d0417", + "id": "bundle--b88892a3-c9cb-4610-9999-a9a9e360bd1c", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:25:55.378Z", + "modified": "2025-04-16T21:48:27.369Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can intercept SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4a936488-526c-40c1-b2d5-490052cb0e73.json b/mobile-attack/relationship/relationship--4a936488-526c-40c1-b2d5-490052cb0e73.json index 0226052c53..67ff1e9f12 100644 --- a/mobile-attack/relationship/relationship--4a936488-526c-40c1-b2d5-490052cb0e73.json +++ b/mobile-attack/relationship/relationship--4a936488-526c-40c1-b2d5-490052cb0e73.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--feb93786-56c6-4217-a4f2-38107aad56eb", + "id": "bundle--704c85c0-07e7-4990-a152-2279dc303b70", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:22:53.698Z", + "modified": "2025-04-16T21:48:27.569Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can run bash commands.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d.json b/mobile-attack/relationship/relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d.json index fbb2a4dcbf..eb6953d35b 100644 --- a/mobile-attack/relationship/relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d.json +++ b/mobile-attack/relationship/relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--16f0ca14-e09b-4cdb-afc9-67db5c9fdf03", + "id": "bundle--96660f16-8e8c-4aa6-bd84-511f9832c73f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4aae6ab8-2a67-4780-a69e-b15ecff7fc5d", "created": "2023-02-28T21:43:12.487Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-28T21:43:12.487Z", + "modified": "2025-04-16T21:48:27.776Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can make and block phone calls.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d.json b/mobile-attack/relationship/relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d.json index 1001631ddc..693f9d7238 100644 --- a/mobile-attack/relationship/relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d.json +++ b/mobile-attack/relationship/relationship--4ab1867c-b924-4b0d-a332-c0e150a28d7d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--45d20c43-7494-4d27-be6c-fc8a188862b8", + "id": "bundle--34183edb-d2b4-4fea-a48b-d463eea62190", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:11:01.943Z", + "modified": "2025-04-16T21:48:27.979Z", "description": "Application vetting services could look for `android.permission.READ_CALENDAR` or `android.permission.WRITE_CALENDAR` in an Android application\u2019s manifest, or `NSCalendarsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need calendar access, so extra scrutiny could be applied to those that request it. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257.json b/mobile-attack/relationship/relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257.json index 2fc09b067b..474beb7420 100644 --- a/mobile-attack/relationship/relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257.json +++ b/mobile-attack/relationship/relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--1465b89b-f3de-4c55-b4b5-87b375ed386f", + "id": "bundle--34e70f63-af1d-4b43-ac8b-490529d052fb", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257", "type": "relationship", + "id": "relationship--4ad83f33-c64a-4ad6-ab6f-0548c9dde257", "created": "2020-10-29T17:48:27.469Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", - "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", - "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], - "modified": "2020-10-29T17:48:27.469Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:28.177Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can forward SMS messages.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3.json b/mobile-attack/relationship/relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3.json index bb87f09d87..ed88fe0dca 100644 
--- a/mobile-attack/relationship/relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3.json +++ b/mobile-attack/relationship/relationship--4ae0c45f-4ff0-4296-aaf4-c3e0d2e355e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c14b6bf2-2a33-4b3d-8465-1abd2a3f6426", + "id": "bundle--53a70d6a-b53d-46b5-bcd4-03a7919eacc2", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:42:40.327Z", + "modified": "2025-04-16T21:48:28.396Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can hide its icon if it detects that it is being run on an emulator.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4aec0738-2c76-4dc7-af8a-87785e658193.json b/mobile-attack/relationship/relationship--4aec0738-2c76-4dc7-af8a-87785e658193.json index 4a645ad809..c30641a3b6 100644 --- a/mobile-attack/relationship/relationship--4aec0738-2c76-4dc7-af8a-87785e658193.json +++ b/mobile-attack/relationship/relationship--4aec0738-2c76-4dc7-af8a-87785e658193.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7428f75-8026-470e-8380-80e7da59c6b2", + "id": "bundle--302166b0-7cf9-4268-8f7a-aed9fa25597a", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:26:18.801Z", + "modified": "2025-04-16T21:48:28.591Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can run shell commands.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4af26643-880f-4c34-a4a8-23e89b950c9d.json b/mobile-attack/relationship/relationship--4af26643-880f-4c34-a4a8-23e89b950c9d.json index b26a47a9a4..6b63adc404 100644 --- a/mobile-attack/relationship/relationship--4af26643-880f-4c34-a4a8-23e89b950c9d.json +++ b/mobile-attack/relationship/relationship--4af26643-880f-4c34-a4a8-23e89b950c9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a9f68bfb-094a-483d-a62c-028d0a972231", + "id": "bundle--ad25052f-7645-4eaa-9d5b-f97d27105f6d", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:18:38.582Z", + "modified": "2025-04-16T21:48:28.807Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect the device calendars.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a.json b/mobile-attack/relationship/relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a.json index 1e57488871..ca1324d592 100644 --- a/mobile-attack/relationship/relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a.json +++ b/mobile-attack/relationship/relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--230c27f4-83d0-495d-9fb6-326818889fac", + "id": "bundle--075ae8f5-efd3-4687-be5c-d7acc1336979", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a", "type": "relationship", + "id": "relationship--4b16e681-9542-4f32-b23a-f1b0caf44b6a", "created": "2020-12-24T21:55:56.726Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:55:56.726Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:29.016Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has downloaded additional code to root devices, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1.json b/mobile-attack/relationship/relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1.json index 450f1a458b..d688566ea3 100644 --- a/mobile-attack/relationship/relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1.json +++ b/mobile-attack/relationship/relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--3821c14d-7910-445d-92ed-c95b6b7564bd", + "id": "bundle--74d13492-730f-42fd-87e5-ada8f2e6fedf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--4b3cfd7c-5e41-4d9e-8879-b126ba66eaf1", "created": "2021-10-01T14:42:49.176Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:29.262Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect every user screen tap and compare the input to a hardcoded list of coordinates to translate the input to a character.(Citation: SecureList BusyGasper)", - "modified": "2022-04-15T17:33:49.565Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--4b68bcb1-a512-40f7-9aee-235b3668f022.json b/mobile-attack/relationship/relationship--4b68bcb1-a512-40f7-9aee-235b3668f022.json index 2d207f5a0c..1383bc2c9f 100644 --- a/mobile-attack/relationship/relationship--4b68bcb1-a512-40f7-9aee-235b3668f022.json +++ b/mobile-attack/relationship/relationship--4b68bcb1-a512-40f7-9aee-235b3668f022.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7f6b62e7-fe4a-48cf-ad92-fbb0ae245ee6", + "id": "bundle--60849764-83e7-4eb8-99d9-9babc679257b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4b68bcb1-a512-40f7-9aee-235b3668f022", "type": "relationship", + "id": "relationship--4b68bcb1-a512-40f7-9aee-235b3668f022", "created": "2020-01-27T17:05:58.271Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "source_name": "Trend Micro Bouncing Golf 2019" + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-01-27T17:05:58.271Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:29.466Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain clipboard contents.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--4b7e117b-0c82-49d0-bee6-119158b3355b.json b/mobile-attack/relationship/relationship--4b7e117b-0c82-49d0-bee6-119158b3355b.json index cc1cf79a6f..ba6e1ba3fd 100644 --- a/mobile-attack/relationship/relationship--4b7e117b-0c82-49d0-bee6-119158b3355b.json +++ b/mobile-attack/relationship/relationship--4b7e117b-0c82-49d0-bee6-119158b3355b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--25437178-69aa-4b49-900a-7e5ea0ab8911", + "id": "bundle--89731b4d-276c-42b3-b8ab-55b41a76a1e4", "spec_version": "2.0", "objects": [ { 
@@ -14,20 +14,24 @@ "source_name": "proofpoint_flubot_0421", "description": "Crista Giering, F. Naves, Andrew Conway, Adam McNeil . (2021, April 27). FluBot Android Malware Spreading Rapidly Through Europe, May Hit U.S. Soon. Retrieved February 28, 2023.", "url": "https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon" + }, + { + "source_name": "Europol FluBot Jun2022", + "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.", + "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-28T20:32:50.168Z", - "description": "[FluBot](https://attack.mitre.org/software/S1067) can disable Google Play Protect to prevent detection.(Citation: proofpoint_flubot_0421)", + "modified": "2025-04-16T21:48:29.693Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) can disable Google Play Protect to prevent detection.(Citation: proofpoint_flubot_0421)(Citation: Europol FluBot Jun2022) ", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4b838636-bfa4-4592-b72f-3044946b8187.json b/mobile-attack/relationship/relationship--4b838636-bfa4-4592-b72f-3044946b8187.json index b885689ba4..20fb8aed49 100644 
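Review bot: The rewritten `description` in this hunk ends with a space before the closing quote, right after `(Citation: Europol FluBot Jun2022)`; the removed value had none, so the whitespace comes in with this change. Tools that compare or hash description strings, or that strip citation markers by pattern, will treat it as a content difference, so I would drop it: `"description": "[FluBot](https://attack.mitre.org/software/S1067) can disable Google Play Protect to prevent detection.(Citation: proofpoint_flubot_0421)(Citation: Europol FluBot Jun2022)",`. The Exodus description in the relationship--4c7e776d hunk further down carries the same trailing space on an unchanged line. The relationship object opens above line 14, outside this hunk.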
--- a/mobile-attack/relationship/relationship--4b838636-bfa4-4592-b72f-3044946b8187.json +++ b/mobile-attack/relationship/relationship--4b838636-bfa4-4592-b72f-3044946b8187.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ead1ef43-2450-49bc-9a11-6289388c8c9d", + "id": "bundle--d4bfc357-ae8f-4313-885f-568dec1bece0", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:53:16.656Z", + "modified": "2025-04-16T21:48:29.889Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate the device\u2019s contact list.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61.json b/mobile-attack/relationship/relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61.json index ffbe6bb402..d2ed3a13a7 100644 --- a/mobile-attack/relationship/relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61.json +++ b/mobile-attack/relationship/relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7fbaa469-d909-47ae-b47b-55fa6b56e5de", + "id": "bundle--4b261add-8059-4a1b-aafd-2de68c354b74", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61", "type": "relationship", + "id": "relationship--4b8d027d-5da2-4a01-ad31-b6644a5cda61", "created": "2020-04-24T15:06:33.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-04-24T15:06:33.495Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:30.097Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can track the device\u2019s location.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1.json b/mobile-attack/relationship/relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1.json index e2b40e4e95..fb5ac0f2e1 100644 --- a/mobile-attack/relationship/relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1.json +++ b/mobile-attack/relationship/relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ade1c942-b5a6-46c8-8648-dbd8cf4c5045", + "id": "bundle--208dff62-4059-4974-b348-dc55cae066cd", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1", "type": "relationship", + "id": "relationship--4bdda427-2fff-428d-ba19-4bee5d2508e1", "created": "2021-02-08T16:36:20.801Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "modified": "2021-05-24T13:16:56.571Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:30.323Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included video recording in the malicious apps deployed as part of Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4c035760-9bf2-40cd-87d1-f286afd76376.json b/mobile-attack/relationship/relationship--4c035760-9bf2-40cd-87d1-f286afd76376.json index 2ba041ac9e..0980778578 100644 --- a/mobile-attack/relationship/relationship--4c035760-9bf2-40cd-87d1-f286afd76376.json +++ b/mobile-attack/relationship/relationship--4c035760-9bf2-40cd-87d1-f286afd76376.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--ba7fbb9b-f446-432a-88f2-41620526f7ed", + "id": "bundle--74ea450f-55b1-44c4-ad0f-3bca4a716805", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4c035760-9bf2-40cd-87d1-f286afd76376", "created": "2023-07-21T19:41:45.173Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:41:45.173Z", + "modified": "2025-04-16T21:48:30.532Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect clipboard data.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11.json b/mobile-attack/relationship/relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11.json index a9e76a0c8e..9ccd751336 100644 --- a/mobile-attack/relationship/relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11.json +++ b/mobile-attack/relationship/relationship--4c6f1475-3b92-4a37-8bb5-4dcc69660b11.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--01d3da92-d592-46f2-9864-03c87092bd90", + "id": "bundle--a4dab1c9-9c8a-4c5c-9f84-80a8bf55d845", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-30T18:38:37.195Z", + "modified": "2025-04-16T21:48:30.752Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of exfiltrating specific files directly from the infected devices.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd.json b/mobile-attack/relationship/relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd.json index 69199f8bea..f6d17ed315 100644 --- a/mobile-attack/relationship/relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd.json +++ b/mobile-attack/relationship/relationship--4c7e776d-ed19-4e5a-842c-81612f5c07bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4c75f57a-4eb2-42bb-b67a-676506167700", + "id": "bundle--521fa30d-d97d-4635-81e4-72fe41ff34ac", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "SWB Exodus March 2019", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:10:38.937Z", + "modified": "2025-04-16T21:48:30.950Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can download the address book.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4cb926c1-c242-45c2-be46-07c22435a8a5.json b/mobile-attack/relationship/relationship--4cb926c1-c242-45c2-be46-07c22435a8a5.json index 30c8d54d19..7e0fcfa6d8 100644 --- a/mobile-attack/relationship/relationship--4cb926c1-c242-45c2-be46-07c22435a8a5.json +++ b/mobile-attack/relationship/relationship--4cb926c1-c242-45c2-be46-07c22435a8a5.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--cfbb8242-d25e-4eac-92f0-952394f9ce66", + "id": "bundle--9fd62d38-a4c5-4002-865c-31ad221c0bd3", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4cb926c1-c242-45c2-be46-07c22435a8a5", "created": "2022-09-30T19:23:02.689Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-30T19:23:02.689Z", + "modified": "2025-04-16T21:48:31.145Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors that would send information and data from a victim's mobile device to the C2 servers.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c.json b/mobile-attack/relationship/relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c.json index ef0ffc1a70..3a0c0fc9fa 100644 --- a/mobile-attack/relationship/relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c.json +++ b/mobile-attack/relationship/relationship--4cc8a16f-562a-42c7-b5d9-10e1088af89c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--341c89f8-497a-414e-b8c6-9178e33e58a6", + "id": "bundle--98da657b-b1be-4708-9e76-4577abe99382", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:31:38.319Z", + "modified": "2025-04-16T21:48:31.364Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) can intercept two-factor authentication codes transmitted via SMS.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1.json b/mobile-attack/relationship/relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1.json index 0c4af9d8bf..6eac55fdf7 100644 --- a/mobile-attack/relationship/relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1.json +++ b/mobile-attack/relationship/relationship--4cccb708-b51b-4e71-94a1-78d6819eaac1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd116701-1bbc-4bf4-bc23-2e85dbce4b68", + "id": "bundle--e6030f05-a4e1-4c80-b847-6c252d419f80", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T22:16:55.879Z", + "modified": "2025-04-16T21:48:31.575Z", "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3.json b/mobile-attack/relationship/relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3.json index d75bc4857d..c0dd84b95f 100644 --- a/mobile-attack/relationship/relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3.json +++ b/mobile-attack/relationship/relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--0caac200-5ccd-4a0e-ba9e-1fa53ac03259", + "id": "bundle--543510ff-b1fe-4ec7-8c92-bfd4078e193e", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4d431474-1dcc-4d0e-9906-129eb02f00b3", "created": "2023-02-06T19:43:43.574Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-06T19:43:43.574Z", + "modified": "2025-04-16T21:48:31.778Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can uninstall itself.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa.json b/mobile-attack/relationship/relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa.json index e7e61abcd1..0c284730fc 100644 --- a/mobile-attack/relationship/relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa.json +++ b/mobile-attack/relationship/relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d9d384d8-f205-45be-80e6-3920db5ccdc6", + "id": "bundle--d8966374-7b8e-43bd-aab5-f511c719a0b1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa", "type": "relationship", + "id": "relationship--4d4dfc26-3ab7-4798-abf2-be8dc278fdfa", "created": "2020-11-24T17:55:12.804Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", - "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", - "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], - "modified": "2020-11-24T17:55:12.804Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:32.000Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has the capability to remotely load plugins and download and compile new .NET code.(Citation: Talos GPlayed) ", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
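Review bot: The rewritten object for relationship--4d4dfc26 gains `x_mitre_attack_spec_version` but still has no `revoked` or `x_mitre_deprecated` key, whereas other objects in this same commit (for example relationship--4de3f794) carry both as `false`. The same gap is visible in the full-file hunks for relationship--4d542595, relationship--4df6a22e and relationship--4e7a1b10. A consumer that filters on `x_mitre_deprecated == false` instead of "not true" would silently drop these relationships from coverage or detection mappings. If the export tooling can emit the defaults, adding `"revoked": false,` and `"x_mitre_deprecated": false,` would make the shape uniform; otherwise the absent-means-false convention should be documented for consumers.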
diff --git a/mobile-attack/relationship/relationship--4d537065-9a82-42d5-923d-45194453cc25.json b/mobile-attack/relationship/relationship--4d537065-9a82-42d5-923d-45194453cc25.json new file mode 100644 index 0000000000..ca62a01d47 --- /dev/null +++ b/mobile-attack/relationship/relationship--4d537065-9a82-42d5-923d-45194453cc25.json @@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--dd7fed0b-d5cb-4e48-9a52-071659e885c3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--4d537065-9a82-42d5-923d-45194453cc25", + "created": "2025-02-12T15:20:54.813Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:32.214Z", + "description": "Enterprises should monitor for SIM card changes on the Enterprise Mobility Management (EMM) or the Mobile Device Management (MDM). ", + "relationship_type": "mitigates", + "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", + "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4d542595-1eb0-45aa-9702-9d494142b390.json b/mobile-attack/relationship/relationship--4d542595-1eb0-45aa-9702-9d494142b390.json index e383a70dcf..00ef0adb1c 100644 --- a/mobile-attack/relationship/relationship--4d542595-1eb0-45aa-9702-9d494142b390.json +++ b/mobile-attack/relationship/relationship--4d542595-1eb0-45aa-9702-9d494142b390.json 
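Review bot: The `description` of the new relationship--4d537065 ends with a trailing space and is worded as a monitoring step ("monitor for SIM card changes on the ... (EMM) or the ... (MDM)") even though `relationship_type` is `mitigates`. It does not say what the enterprise does once a change is seen, so a reader cannot tell how this reduces the risk rather than merely detecting it. A tighter wording would be `"description": "Enterprises should monitor for SIM card changes through their Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) solution and act on unexpected changes.",`. The object also has no `external_references`, which is probably intentional for a mitigation but means the guidance cannot be traced to a source.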
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--efd2aa0c-a9f9-4cd5-baf6-1b0f6a06961a", + "id": "bundle--e040a3a2-1c38-4e6f-9811-156c89e71342", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4d542595-1eb0-45aa-9702-9d494142b390", "type": "relationship", + "id": "relationship--4d542595-1eb0-45aa-9702-9d494142b390", "created": "2019-08-09T18:08:07.109Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", - "source_name": "Kaspersky-Skygofree" + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], - "modified": "2019-08-09T18:08:07.109Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:32.411Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can record video or capture photos when an infected device is in a specified location.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b.json b/mobile-attack/relationship/relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b.json index bece598f54..85971fc05b 100644 
--- a/mobile-attack/relationship/relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b.json +++ b/mobile-attack/relationship/relationship--4d6a900d-d1c4-4a91-bded-c9062aae384b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--afd4e04d-e4ab-4e25-8a93-cb1bb9774ceb", + "id": "bundle--a743efa3-b624-45df-b9b4-f42053ff9fb3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:47:18.774Z", + "modified": "2025-04-16T21:48:32.617Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has registered for device boot, incoming, and outgoing calls broadcast intents.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7.json b/mobile-attack/relationship/relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7.json index d3b9ff20de..986c5c6533 100644 --- a/mobile-attack/relationship/relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7.json +++ b/mobile-attack/relationship/relationship--4d7e937d-7ea1-49cb-939c-5244815e51d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8794233b-9e12-4936-a4f5-6484395da6b1", + "id": "bundle--83fd892b-9d1a-403b-9abc-e98744e46223", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:03:03.296Z", + "modified": "2025-04-16T21:48:32.825Z", "description": "[RuMMS](https://attack.mitre.org/software/S0313) uses HTTP for command and control.(Citation: FireEye-RuMMS)", "relationship_type": "uses", "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99.json b/mobile-attack/relationship/relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99.json index 371a466749..7df1b3f30d 100644 --- a/mobile-attack/relationship/relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99.json +++ b/mobile-attack/relationship/relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--58a8b861-8e3e-4f4d-8fcd-67beb37094ad", + "id": "bundle--11353b4a-19d4-4a0a-8b8a-a654f42f1153", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4d88c5ac-68c0-4304-9474-d07372d0ad99", "created": "2023-09-21T22:19:04.080Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T22:19:04.080Z", + "modified": "2025-04-16T21:48:33.023Z", "description": "Enterprises can provision policies to mobile devices for application allow-listing, ensuring only approved applications are installed onto mobile devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c.json b/mobile-attack/relationship/relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c.json index f762b7a798..61ec3bf85b 100644 --- a/mobile-attack/relationship/relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c.json +++ b/mobile-attack/relationship/relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--d82d0153-6ec8-4049-819e-d0c2373270bc", + "id": "bundle--65cb9836-ce8e-4f6a-939c-f7f0192c433c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--4dcbb081-a0b3-4b80-a63e-28547cb6f89c", "created": "2023-12-18T18:10:16.764Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -28,16 +29,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:10:16.764Z", + "modified": "2025-04-16T21:48:33.228Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can log device keystrokes.(Citation: securelist_brata_0819)(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36.json b/mobile-attack/relationship/relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36.json index bc936e4b0c..be2cc72afe 100644 --- a/mobile-attack/relationship/relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36.json +++ b/mobile-attack/relationship/relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--4da55742-6915-4c7e-9ed8-a98feeb99e6e", + "id": "bundle--7d911aae-4958-4a1a-8b24-fa45b403654e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--4de3f794-63df-4f9e-8bd8-59796d91aa36", "created": "2020-05-07T15:33:32.895Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "CheckPoint Agent Smith", - "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", - "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:33.439Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) shows fraudulent ads to generate revenue.(Citation: CheckPoint Agent Smith)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ 
No newline at end of file diff --git a/mobile-attack/relationship/relationship--4df6a22e-489f-400c-b953-cc53bfb708a3.json b/mobile-attack/relationship/relationship--4df6a22e-489f-400c-b953-cc53bfb708a3.json index 97a53934b1..877e78e312 100644 --- a/mobile-attack/relationship/relationship--4df6a22e-489f-400c-b953-cc53bfb708a3.json +++ b/mobile-attack/relationship/relationship--4df6a22e-489f-400c-b953-cc53bfb708a3.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a59f54cf-2e11-4bf4-8f69-9c0809da5006", + "id": "bundle--ca4c31b4-8bef-4fe4-a9b0-3eec82f4cc68", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4df6a22e-489f-400c-b953-cc53bfb708a3", "type": "relationship", + "id": "relationship--4df6a22e-489f-400c-b953-cc53bfb708a3", "created": "2020-09-14T14:13:45.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", - "url": "https://blog.lookout.com/esurv-research", - "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/esurv-research" } ], - "modified": "2020-09-14T14:13:45.296Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:33.663Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s iOS version can collect device information.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4e68feca-083f-40ed-88d8-2b6a3935c949.json b/mobile-attack/relationship/relationship--4e68feca-083f-40ed-88d8-2b6a3935c949.json index 0aac0ba105..264dccb3c1 100644 
--- a/mobile-attack/relationship/relationship--4e68feca-083f-40ed-88d8-2b6a3935c949.json +++ b/mobile-attack/relationship/relationship--4e68feca-083f-40ed-88d8-2b6a3935c949.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2ff33d7-67c2-4804-9e77-cff9978f24c6", + "id": "bundle--df489636-c0b0-4e67-a1eb-a09341ab0a37", "spec_version": "2.0", "objects": [ { @@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:53:38.271Z", + "modified": "2025-04-16T21:48:33.862Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use the Android `CallScreeningService` to silently block incoming calls.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7.json b/mobile-attack/relationship/relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7.json index 67f6ab9bee..90002dfeb4 100644 --- a/mobile-attack/relationship/relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7.json +++ b/mobile-attack/relationship/relationship--4e6b726d-9ef4-4eb6-b9a7-74059caee5b7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f94e8125-4d8f-402f-86db-620a57b503a4", + "id": "bundle--a2ec7c0d-a367-455e-9a96-b34142646d6a", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:26:22.984Z", + "modified": "2025-04-16T21:48:34.064Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819.json b/mobile-attack/relationship/relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819.json index be8e31cfa9..d62fa323e0 100644 --- a/mobile-attack/relationship/relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819.json +++ b/mobile-attack/relationship/relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--242a2571-956b-4b4f-8876-7f628bb133ef", + "id": "bundle--ec7f0432-bee5-4e71-b43e-5aec1f37d973", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819", "type": "relationship", + "id": "relationship--4e7a1b10-0f68-4a48-a13d-0c7bc13fb819", "created": "2019-08-07T15:57:13.412Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", - "url": "https://securelist.com/mobile-banker-riltok/91374/", - "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], - "modified": "2019-09-15T15:36:42.312Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:34.265Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can retrieve a list of installed applications. Installed application names are then checked against an adversary-defined list of targeted applications.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446.json b/mobile-attack/relationship/relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446.json index b70494ebfb..4778a3e5d0 100644 --- a/mobile-attack/relationship/relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446.json +++ b/mobile-attack/relationship/relationship--4e9f021d-3cf4-4790-8f7d-f87f33133446.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab4bec13-f1d8-4f42-82e1-0ad17e8a8d26", + "id": "bundle--be6598e3-56b1-40fa-8289-703d4787c1a2", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:26:37.661Z", + "modified": "2025-04-16T21:48:34.465Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect SMS messages.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309.json b/mobile-attack/relationship/relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309.json index 8d15063a31..6cff396ec5 100644 --- a/mobile-attack/relationship/relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309.json +++ b/mobile-attack/relationship/relationship--4ed97a0d-2fcf-4c53-8aaa-21e174b28309.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cdc5c3f3-c70c-4879-8618-04116bcc1fa4", + "id": "bundle--7bd23803-69e1-4dac-b362-c78797658fce", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:31:07.234Z", + "modified": "2025-04-16T21:48:34.667Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect call logs.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4ee57616-7205-490c-86c3-c27dcffd8689.json b/mobile-attack/relationship/relationship--4ee57616-7205-490c-86c3-c27dcffd8689.json index 67fa18649f..d822938151 100644 --- a/mobile-attack/relationship/relationship--4ee57616-7205-490c-86c3-c27dcffd8689.json +++ b/mobile-attack/relationship/relationship--4ee57616-7205-490c-86c3-c27dcffd8689.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--bff83a09-46a3-4ef2-8079-8095897859fe", + "id": "bundle--6c6811ea-caa7-4df6-bfa6-e7b274965cbf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--4ee57616-7205-490c-86c3-c27dcffd8689", "created": "2022-04-06T13:35:43.203Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:34.929Z", "description": "Recent OS versions have limited access to certain APIs unless certain conditions are met, making [Data Manipulation](https://attack.mitre.org/techniques/T1641) more difficult", - "modified": "2022-04-06T13:35:43.203Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4efa4953-7854-4144-8837-d7831ccbe35d.json b/mobile-attack/relationship/relationship--4efa4953-7854-4144-8837-d7831ccbe35d.json index df656a44ad..78bbfc0d2f 100644 --- a/mobile-attack/relationship/relationship--4efa4953-7854-4144-8837-d7831ccbe35d.json +++ b/mobile-attack/relationship/relationship--4efa4953-7854-4144-8837-d7831ccbe35d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--1d195d1d-a182-44aa-85d2-3a5fbb093cc6", + "id": "bundle--0d8b249d-5af8-48fb-9d84-c662f77443bf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4efa4953-7854-4144-8837-d7831ccbe35d", "type": "relationship", + "id": "relationship--4efa4953-7854-4144-8837-d7831ccbe35d", "created": "2020-04-24T17:46:31.691Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", - "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", - "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], - "modified": "2020-04-24T17:46:31.691Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:35.127Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect a list of installed applications.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f.json b/mobile-attack/relationship/relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f.json index a1e9d9503e..4eec6ae0cf 100644 --- a/mobile-attack/relationship/relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f.json +++ b/mobile-attack/relationship/relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--3f409866-2a05-4b92-a302-158def7cbfcb", + "id": "bundle--cfc9b44b-b86d-4c8c-a8a0-859cb07c08f9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--4f2ae057-ef0b-4995-b24d-348a76a74a4f", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout-Pegasus", - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf", - "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016." + "description": "Lookout. (2016). Technical Analysis of Pegasus Spyware. Retrieved December 12, 2016.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:35.364Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) uses SMS for command and control.(Citation: Lookout-Pegasus)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49.json b/mobile-attack/relationship/relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49.json index ed68589563..69eb96e573 100644 --- a/mobile-attack/relationship/relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49.json +++ b/mobile-attack/relationship/relationship--4f366c8c-9c70-44ed-baa8-d433d5dbfe49.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d42ce4e5-d24c-4794-a0b4-57cdfb9f107d", + "id": "bundle--8d7e093d-524b-4398-87f8-0ca6eeb8b94e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:13:18.720Z", + "modified": "2025-04-16T21:48:35.572Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses call logs.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54.json b/mobile-attack/relationship/relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54.json index 9e48209570..ff343b78f3 100644 --- a/mobile-attack/relationship/relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54.json +++ b/mobile-attack/relationship/relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7e4d535a-a7b3-4029-bb22-ce26cd46efd6", + "id": "bundle--9b0dcbef-4644-4809-8490-46ea0ca7c1a7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54", "type": "relationship", + "id": "relationship--4f6f4def-e76d-4d1b-9416-b6543e7dbc54", "created": "2021-10-01T14:42:48.744Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "modified": "2021-10-01T14:42:48.744Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:35.767Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record audio.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4f812a57-efdc-463b-bf37-baa4bca7502b.json b/mobile-attack/relationship/relationship--4f812a57-efdc-463b-bf37-baa4bca7502b.json index 4ac1617790..216ad235b3 100644 
--- a/mobile-attack/relationship/relationship--4f812a57-efdc-463b-bf37-baa4bca7502b.json +++ b/mobile-attack/relationship/relationship--4f812a57-efdc-463b-bf37-baa4bca7502b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b46442e-5feb-4c5a-bebb-79ffd07e7d11", + "id": "bundle--61e877c4-ef58-4a51-bff0-4701597d7082", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:35:00.081Z", + "modified": "2025-04-16T21:48:35.969Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can uninstall itself from a device on command by abusing the accessibility service.(Citation: SecurityIntelligence TrickMo) ", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4fc165fd-185e-4c70-b423-c242cf715510.json b/mobile-attack/relationship/relationship--4fc165fd-185e-4c70-b423-c242cf715510.json index 2a8ad56192..58436acd31 100644 --- a/mobile-attack/relationship/relationship--4fc165fd-185e-4c70-b423-c242cf715510.json +++ b/mobile-attack/relationship/relationship--4fc165fd-185e-4c70-b423-c242cf715510.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--baa7a0e0-6906-459f-a979-7d2ca03ab9d2", + "id": "bundle--fbecd14a-40f2-4e15-bb18-6e2eff19bb4e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T16:55:21.480Z", + "modified": "2025-04-16T21:48:36.171Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) checks if it is running in an analysis environment.(Citation: securelist rotexy 2018) ", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760.json b/mobile-attack/relationship/relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760.json index 4e541dd519..fb373ba212 100644 --- a/mobile-attack/relationship/relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760.json +++ b/mobile-attack/relationship/relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--678e6732-9cb4-4ae3-a1f1-96a8ebb0ee05", + "id": "bundle--2476b5a5-c8c4-48ee-a04e-8d31e87623c5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--4ff5f854-bfe9-45bc-b11a-196cf826b760", "created": "2022-03-30T14:41:20.735Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android Changes to System Broadcasts", - "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", - "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." + "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.", + "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:36.370Z", "description": "Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts)", - "modified": "2022-03-30T14:41:20.735Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3.json b/mobile-attack/relationship/relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3.json index 5dace66767..e2a0950563 100644 --- a/mobile-attack/relationship/relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3.json +++ b/mobile-attack/relationship/relationship--4ff9b16f-3643-4fa0-b107-f93a9bb847c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a7b85b2d-bc47-4c8c-bb5f-13436a61c785", + "id": "bundle--65937ce8-7ae8-4b30-ac62-15ff527c9dad", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:26:33.166Z", + "modified": "2025-04-16T21:48:36.569Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can use overlays to cover legitimate applications or screens.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c.json b/mobile-attack/relationship/relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c.json index 89ffbf95d7..2896a98ef4 100644 --- a/mobile-attack/relationship/relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c.json +++ b/mobile-attack/relationship/relationship--5012c647-9b58-4a4f-b64f-468c9b76a60c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa0d7e5d-25ac-4a4a-b043-646d47c370fb", + "id": "bundle--32c0adc8-4246-402d-8f1e-485a10894d93", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:53:41.561Z", + "modified": "2025-04-16T21:48:36.769Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can view contacts.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c.json b/mobile-attack/relationship/relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c.json new file mode 100644 index 0000000000..5bc5228a4f --- /dev/null +++ b/mobile-attack/relationship/relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--f44da57a-a528-4d2e-af6c-2c57525fba95", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--501c3f2a-1ae0-4832-9730-3fdf5f31df5c", + "created": "2025-03-27T22:38:07.896Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Europol FluBot Jun2022", + "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.", + "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:36.973Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) has collected credentials, banking details and other information from the victim device.(Citation: Europol FluBot Jun2022) ", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b.json b/mobile-attack/relationship/relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b.json index c93be67fb3..1dee317bb3 100644 --- a/mobile-attack/relationship/relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b.json +++ b/mobile-attack/relationship/relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f77f02f5-d94a-494c-b05c-3f4755b4759b", + "id": "bundle--9683c41e-0b7c-40f4-8021-42f1541d8748", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--502fc83c-ce03-4ce7-a202-095bbe0b492b", "created": "2023-07-21T19:51:08.375Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:51:08.375Z", + "modified": "2025-04-16T21:48:37.222Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access a device\u2019s location.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966.json b/mobile-attack/relationship/relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966.json index 1ae647e013..b1a090bc0f 100644 --- a/mobile-attack/relationship/relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966.json +++ b/mobile-attack/relationship/relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--6d017b5d-1d5d-404b-93f2-1bbe60d982e5", + "id": "bundle--9b3c53e6-85cb-477b-a2db-25011d08c2d5", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--503ca6f2-a747-43fb-8fc5-7be095dcb966", "created": "2023-08-04T18:31:30.237Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:31:30.237Z", + "modified": "2025-04-16T21:48:37.499Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can access images stored on external storage.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--506d657b-1634-442e-8179-7187f82feb3a.json b/mobile-attack/relationship/relationship--506d657b-1634-442e-8179-7187f82feb3a.json index f28ec1988b..ed419b8cd5 100644 --- a/mobile-attack/relationship/relationship--506d657b-1634-442e-8179-7187f82feb3a.json +++ b/mobile-attack/relationship/relationship--506d657b-1634-442e-8179-7187f82feb3a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75dda219-8434-4927-96f3-b03feffc9387", + "id": "bundle--9bfa3aab-986d-4db4-bde8-7277ebe9c0a2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:38:17.926Z", + "modified": "2025-04-16T21:48:37.715Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24.json b/mobile-attack/relationship/relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24.json index fd01defbf5..2e3f9e732d 100644 --- a/mobile-attack/relationship/relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24.json +++ b/mobile-attack/relationship/relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3f776525-4031-45be-8cb5-ba8c7ba3d74c", + "id": "bundle--a7b7dcb4-9430-4016-bd4f-730b0b7a8b7e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24", "type": "relationship", + "id": "relationship--5088a10e-03d2-4643-8df8-b7b601c2cc24", "created": "2020-01-27T17:05:58.267Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "source_name": "Trend Micro Bouncing Golf 2019" + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-01-27T17:05:58.267Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:37.917Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can track the device\u2019s location.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794.json b/mobile-attack/relationship/relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794.json index 618d1112d9..63e687a774 100644 --- a/mobile-attack/relationship/relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794.json +++ b/mobile-attack/relationship/relationship--50ad2a8c-ed45-4376-be31-8bafa26ba794.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--697b436a-d183-455b-b77a-fc0491e313e0", + "id": "bundle--9febcdea-00f6-4ec2-a670-8f458a1075d8", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.103Z", + "modified": "2025-04-16T21:48:38.121Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect the device\u2019s ID.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--50bab448-fee6-49e9-a296-498fe06eacc7.json b/mobile-attack/relationship/relationship--50bab448-fee6-49e9-a296-498fe06eacc7.json index 0715b0f176..f003e1692a 100644 --- a/mobile-attack/relationship/relationship--50bab448-fee6-49e9-a296-498fe06eacc7.json +++ b/mobile-attack/relationship/relationship--50bab448-fee6-49e9-a296-498fe06eacc7.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--87464241-5a0a-412a-873b-c9a789433750", + "id": "bundle--647425c0-9367-4d58-ae35-c2af3cb46cfd", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--50bab448-fee6-49e9-a296-498fe06eacc7", "type": "relationship", + "id": "relationship--50bab448-fee6-49e9-a296-498fe06eacc7", "created": "2019-11-21T16:42:48.490Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", - "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", - "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], - "modified": "2019-11-21T16:42:48.490Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:38.317Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can obtain a list of installed applications.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--50c81a85-8c70-48df-a338-8622d2debc74.json b/mobile-attack/relationship/relationship--50c81a85-8c70-48df-a338-8622d2debc74.json index 5b793bc7c2..3ba095bbe9 100644 --- a/mobile-attack/relationship/relationship--50c81a85-8c70-48df-a338-8622d2debc74.json +++ b/mobile-attack/relationship/relationship--50c81a85-8c70-48df-a338-8622d2debc74.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d2cbda50-bba7-4c4d-96ce-fe89511d71f1", + "id": "bundle--6ec724a8-d2d6-41ae-ad77-076b97317428", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:38:39.008Z", + "modified": "2025-04-16T21:48:38.523Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather call logs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97.json b/mobile-attack/relationship/relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97.json index 2024c481c0..afa9ddd02d 100644 --- a/mobile-attack/relationship/relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97.json +++ b/mobile-attack/relationship/relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--4aba2d7d-76f1-4ae2-9e46-03e5ea5dd859", + "id": "bundle--2810e4af-e8fe-4834-9ea4-943a23261111", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--50d8e788-d405-45e8-b6b7-0f02f353cc97", "created": "2023-09-28T17:20:00.981Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:20:00.981Z", + "modified": "2025-04-16T21:48:38.729Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can request coarse and fine location permissions to track the device.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4.json b/mobile-attack/relationship/relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4.json index e0714e68fd..b6a3d6a258 100644 --- a/mobile-attack/relationship/relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4.json +++ b/mobile-attack/relationship/relationship--50e3b570-2e9a-409b-973a-3ce91b9579d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5cab1c60-34e0-4a77-bd68-1b1679cfa6a3", + "id": "bundle--9cf257c7-9b85-4dd8-a7b3-283ed18c50d7", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T20:31:19.083Z", + "modified": "2025-04-16T21:48:38.945Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive files from the C2 and execute them via the parent application.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--50f03c00-5488-49fe-a527-a8776e526523.json b/mobile-attack/relationship/relationship--50f03c00-5488-49fe-a527-a8776e526523.json index f16e6a20e3..5539d93cbd 100644 --- a/mobile-attack/relationship/relationship--50f03c00-5488-49fe-a527-a8776e526523.json +++ b/mobile-attack/relationship/relationship--50f03c00-5488-49fe-a527-a8776e526523.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7335d92e-2b71-47a6-ae73-7075a24677b4", + "id": "bundle--ffd01ce5-5a8b-45c9-bbb6-b8bf8648d8a0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--50f03c00-5488-49fe-a527-a8776e526523", "type": "relationship", + "id": "relationship--50f03c00-5488-49fe-a527-a8776e526523", "created": "2020-11-24T17:55:12.820Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", - "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", - "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], - "modified": "2020-11-24T17:55:12.820Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:39.146Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect a list of installed applications.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5107be8a-b5fc-4442-af0d-2c92e086a912.json b/mobile-attack/relationship/relationship--5107be8a-b5fc-4442-af0d-2c92e086a912.json index 32f65a5a2a..cec450fcc1 100644 
--- a/mobile-attack/relationship/relationship--5107be8a-b5fc-4442-af0d-2c92e086a912.json +++ b/mobile-attack/relationship/relationship--5107be8a-b5fc-4442-af0d-2c92e086a912.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--80e91ce4-dd0d-45d7-9bc6-37ce4a84b2c0", + "id": "bundle--2722a040-7212-421e-bae9-978f449ab529", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5107be8a-b5fc-4442-af0d-2c92e086a912", "type": "relationship", + "id": "relationship--5107be8a-b5fc-4442-af0d-2c92e086a912", "created": "2020-05-11T16:13:43.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", - "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", - "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], - "modified": "2020-05-11T16:13:43.062Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:39.375Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) checks if a targeted application is running in user-space prior to infection.(Citation: CheckPoint Agent Smith) ", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--51457698-e98b-435a-88c2-75a82cdc2bda.json b/mobile-attack/relationship/relationship--51457698-e98b-435a-88c2-75a82cdc2bda.json index 8efe1950c0..3c26888cc8 100644 --- a/mobile-attack/relationship/relationship--51457698-e98b-435a-88c2-75a82cdc2bda.json +++ b/mobile-attack/relationship/relationship--51457698-e98b-435a-88c2-75a82cdc2bda.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8337e08-d8db-4c7e-9195-f5db76525f53", + "id": "bundle--26508fcc-1b9a-4131-b92b-b9ea0c656547", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:38:56.380Z", + "modified": "2025-04-16T21:48:39.579Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads call logs.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab.json b/mobile-attack/relationship/relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab.json index 9ad67fc864..93f7bbefb8 100644 --- a/mobile-attack/relationship/relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab.json +++ b/mobile-attack/relationship/relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--cf2e7ffd-c548-4ca5-b813-ab8356bbfc80", + "id": "bundle--0a074533-51fb-4239-99f7-38a352479bd5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--5151b976-cfcf-4771-a75a-995d49bcc1ab", "created": "2022-04-11T20:06:38.811Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:39.792Z", "description": "Mobile security products that are part of the Samsung Knox for Mobile Threat Defense program could examine running applications while the device is idle, potentially detecting malicious applications that are running primarily when the device is not being used.", - "modified": "2022-04-11T20:06:38.811Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--51757971-17ac-40c3-bae7-78365579db49.json b/mobile-attack/relationship/relationship--51757971-17ac-40c3-bae7-78365579db49.json index 40ff6d149d..e450f057f9 100644 --- a/mobile-attack/relationship/relationship--51757971-17ac-40c3-bae7-78365579db49.json +++ b/mobile-attack/relationship/relationship--51757971-17ac-40c3-bae7-78365579db49.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9823e727-dd9c-44a6-b173-77ffded8ea6c", + "id": "bundle--1a32b9e0-13a9-4047-a024-e48338aac035", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:02:27.188Z", + "modified": "2025-04-16T21:48:39.996Z", "description": "[OBAD](https://attack.mitre.org/software/S0286) abuses device administrator access to make it more difficult for users to remove the application.(Citation: TrendMicro-Obad)", "relationship_type": "uses", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--51b0a4fb-a308-4694-9437-95702a50ebd5.json b/mobile-attack/relationship/relationship--51b0a4fb-a308-4694-9437-95702a50ebd5.json index f133446b6b..2bd05e69f3 100644 --- a/mobile-attack/relationship/relationship--51b0a4fb-a308-4694-9437-95702a50ebd5.json +++ b/mobile-attack/relationship/relationship--51b0a4fb-a308-4694-9437-95702a50ebd5.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--32542680-b40d-4aaa-9fd6-0c9f6d728b08", + "id": "bundle--1f3b03f1-c143-457e-a3a1-e5660e686010", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--51b0a4fb-a308-4694-9437-95702a50ebd5", "type": "relationship", + "id": "relationship--51b0a4fb-a308-4694-9437-95702a50ebd5", "created": "2020-09-11T16:22:03.231Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", - "url": "https://blog.lookout.com/viperrat-mobile-apt", - "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], - "modified": "2020-09-11T16:22:03.231Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:40.234Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can take photos with the device camera.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--51bd38a1-465b-49c0-9218-5984f391a51c.json b/mobile-attack/relationship/relationship--51bd38a1-465b-49c0-9218-5984f391a51c.json index ecaa91f414..92070b2844 100644 --- a/mobile-attack/relationship/relationship--51bd38a1-465b-49c0-9218-5984f391a51c.json +++ b/mobile-attack/relationship/relationship--51bd38a1-465b-49c0-9218-5984f391a51c.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--e33c278e-fb33-4a8c-8fe6-b3c1b43b0758", + "id": "bundle--54bc0373-1f94-4dc0-a144-9743a1e2c3ee", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--51bd38a1-465b-49c0-9218-5984f391a51c", "created": "2023-12-18T19:03:44.550Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:03:44.550Z", + "modified": "2025-04-16T21:48:40.452Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can register with the `BOOT_COMPLETED` broadcast to start when the device turns on.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1.json b/mobile-attack/relationship/relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1.json index 467b6c769e..e135f802ba 100644 
--- a/mobile-attack/relationship/relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1.json +++ b/mobile-attack/relationship/relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1.json @@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--2ffc5a32-4033-4331-8f1a-5586f0d6757e", + "id": "bundle--f2bbf7ba-b4db-4858-9799-f047aa087601", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--51bf6ffc-85c7-4910-8821-9736a1ec60f1", "created": "2019-09-04T15:38:57.037Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "FlexiSpy-Features", - "url": "https://www.flexispy.com/en/features-overview.htm", - "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", + "url": "https://www.flexispy.com/en/features-overview.htm" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:40.669Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record keystrokes and analyze them for keywords.(Citation: FlexiSpy-Features)", - "modified": "2022-04-15T17:34:17.813Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999.json b/mobile-attack/relationship/relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999.json index 28a7eb6727..0de30acac9 100644 --- a/mobile-attack/relationship/relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999.json +++ b/mobile-attack/relationship/relationship--51d31e17-6c80-4ab3-9e8e-6231483e0999.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85508948-47c3-4105-98ed-9a3619d7fb3a", + "id": "bundle--7fe2b57a-9ca6-4957-8db5-7fae3a66de6e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:21:12.197Z", + "modified": "2025-04-16T21:48:40.876Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can register for the `BOOT_COMPLETED` broadcast intent.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3.json b/mobile-attack/relationship/relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3.json index 151bbed7df..eb918e9c57 100644 --- a/mobile-attack/relationship/relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3.json +++ b/mobile-attack/relationship/relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--6ceffb2b-70b0-447d-a72f-576144252829", + "id": "bundle--6cbd0f1d-568e-4b23-8ded-178045ba0185", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--51f75dd5-b584-482f-8f7f-dbee2d5cf6f3", "created": "2019-10-18T15:51:48.487Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", - "modified": "2022-04-05T19:42:51.306Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:41.079Z", + "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--520668a0-2523-4515-8ed9-f8059023632f.json b/mobile-attack/relationship/relationship--520668a0-2523-4515-8ed9-f8059023632f.json index d6eb2f61aa..7eb2b620d0 100644 --- a/mobile-attack/relationship/relationship--520668a0-2523-4515-8ed9-f8059023632f.json +++ b/mobile-attack/relationship/relationship--520668a0-2523-4515-8ed9-f8059023632f.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--8642c133-9aa2-4fc3-9de5-75bc4e9b551b", + "id": "bundle--9bb44400-a042-44c6-8e4f-e27bc6a187c7", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--520668a0-2523-4515-8ed9-f8059023632f", "created": "2024-02-20T23:59:59.854Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:59:59.854Z", + "modified": "2025-04-16T21:48:41.315Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if WiFi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--520c7112-9768-42c5-8917-1950efd182f9.json b/mobile-attack/relationship/relationship--520c7112-9768-42c5-8917-1950efd182f9.json index c42a9e0a8a..2e180e7e6f 100644 --- a/mobile-attack/relationship/relationship--520c7112-9768-42c5-8917-1950efd182f9.json +++ b/mobile-attack/relationship/relationship--520c7112-9768-42c5-8917-1950efd182f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1a82ca49-c9b2-47b0-aade-014151558a41", + "id": "bundle--48f776d9-b88f-47ce-be78-77ff1411db7e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:33:30.155Z", + "modified": "2025-04-16T21:48:41.520Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use keylogging to capture user input.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--526099a3-132d-430f-9559-fc067e39b227.json b/mobile-attack/relationship/relationship--526099a3-132d-430f-9559-fc067e39b227.json new file mode 100644 index 0000000000..faf15f9c55 --- /dev/null +++ b/mobile-attack/relationship/relationship--526099a3-132d-430f-9559-fc067e39b227.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--9762e15b-db54-43df-a143-129e3471ab7b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--526099a3-132d-430f-9559-fc067e39b227", + "created": "2025-03-24T20:28:37.281Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:41.783Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected a list of running processes.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48.json b/mobile-attack/relationship/relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48.json index b0a5f63674..16122fa0da 100644 --- a/mobile-attack/relationship/relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48.json 
+++ b/mobile-attack/relationship/relationship--52649ab6-8d1c-41d0-9804-3fd4b6a1ba48.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dd6994af-dadb-4d16-a629-f32bc29c439d", + "id": "bundle--7d701fbb-def6-4300-b8be-eee69c714d3f", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T14:52:23.577Z", + "modified": "2025-04-16T21:48:41.977Z", "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications. \n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa.json b/mobile-attack/relationship/relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa.json index d1377e9aef..c0c63892cc 100644 --- a/mobile-attack/relationship/relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa.json 
+++ b/mobile-attack/relationship/relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--5266b262-e1e9-40fe-9adc-829b6f29bed9", + "id": "bundle--3880d39f-a304-4b9a-99ef-e3b97d0abf35", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--526ce88f-ee58-4a55-a1b2-b72e1b5971aa", "created": "2022-04-01T16:52:36.974Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:42.208Z", "description": "", - "modified": "2022-04-01T16:52:36.974Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--82f04b1e-5371-4a6f-be06-411f0f43b483", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--529107fd-6420-4573-8dbf-cdcd49c2708c.json b/mobile-attack/relationship/relationship--529107fd-6420-4573-8dbf-cdcd49c2708c.json index b7aa1df813..e98e29ac62 100644 --- a/mobile-attack/relationship/relationship--529107fd-6420-4573-8dbf-cdcd49c2708c.json +++ b/mobile-attack/relationship/relationship--529107fd-6420-4573-8dbf-cdcd49c2708c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--79caf4cb-e021-49da-9307-c3c7b0dbed9d", + "id": "bundle--038c75af-9080-4056-b80b-c3106de5695d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--529107fd-6420-4573-8dbf-cdcd49c2708c", "type": "relationship", + "id": "relationship--529107fd-6420-4573-8dbf-cdcd49c2708c", "created": "2020-06-26T14:55:13.307Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], - "modified": "2020-06-26T14:55:13.307Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:42.411Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25.json b/mobile-attack/relationship/relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25.json
index 404ad8e355..fa76a93c22 100644
--- a/mobile-attack/relationship/relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25.json
+++ b/mobile-attack/relationship/relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--eb9ec932-0e04-4899-a0f8-05b5fb870f7c", + "id": "bundle--46915f2e-5adc-4610-a31a-35f20b7ea45f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25", "type": "relationship", + "id": "relationship--52ad5145-3b04-4cc8-bed8-4a14501afe25", "created": "2020-09-11T15:55:43.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "source_name": "Lookout-StealthMango" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2020-09-11T15:55:43.774Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:42.614Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) deletes incoming SMS messages from specified numbers, including those that contain particular strings.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b.json b/mobile-attack/relationship/relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b.json index 38b6f666af..89dc922b70 100644 
--- a/mobile-attack/relationship/relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b.json
+++ b/mobile-attack/relationship/relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f83ec9ef-fa24-4878-ae94-d3a596a4ddea", + "id": "bundle--b7fd4b3a-f3b2-4dfb-a4f5-a960f474e8f3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b", "type": "relationship", + "id": "relationship--52f7e464-db89-4201-aea8-38d9b44bbd1b", "created": "2020-12-18T20:14:47.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "modified": "2020-12-18T20:14:47.314Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:42.818Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has utilized foreground services.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--53364899-1ea5-47fa-afde-c210aed64120.json b/mobile-attack/relationship/relationship--53364899-1ea5-47fa-afde-c210aed64120.json
index ef8d3ca752..daf95da800 100644
--- a/mobile-attack/relationship/relationship--53364899-1ea5-47fa-afde-c210aed64120.json
+++ b/mobile-attack/relationship/relationship--53364899-1ea5-47fa-afde-c210aed64120.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--9d568362-27d4-4b54-9ff8-6d93db842ae9", + "id": "bundle--191838ac-7c80-40c9-9b68-7699f2e56e98", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120", "type": "relationship", + "id": "relationship--53364899-1ea5-47fa-afde-c210aed64120", "created": "2019-07-10T15:47:19.659Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", - "source_name": "Lookout Dark Caracal Jan 2018" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-07-16T15:35:21.086Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:43.024Z", "description": "(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12", "target_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a.json b/mobile-attack/relationship/relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a.json index 8bee2e023b..f59d30767c 100644 --- a/mobile-attack/relationship/relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a.json 
+++ b/mobile-attack/relationship/relationship--533e5ce5-138c-4bfc-9a59-eb0ced8e6e1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b0bba5c-2c50-4bed-8c22-684bc96ae890", + "id": "bundle--85c2cfec-54fb-483b-a9f8-b0ceccfb1de1", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.484Z", + "modified": "2025-04-16T21:48:43.252Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has impersonated several apps, including official Google apps, chat apps, VPN apps, and popular games.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5340f466-abf0-4bb9-a7e9-44694014561d.json b/mobile-attack/relationship/relationship--5340f466-abf0-4bb9-a7e9-44694014561d.json new file mode 100644 index 0000000000..639db772ed --- /dev/null +++ b/mobile-attack/relationship/relationship--5340f466-abf0-4bb9-a7e9-44694014561d.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--23d733bd-0fc7-42a7-bc4d-67dab4c7ddf8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5340f466-abf0-4bb9-a7e9-44694014561d", + "created": "2025-03-24T20:09:44.817Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:43.461Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s call log.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--535d2425-21aa-4fe5-ae6d-5b677f459020.json b/mobile-attack/relationship/relationship--535d2425-21aa-4fe5-ae6d-5b677f459020.json index 7feaff7254..471c54af46 100644 --- a/mobile-attack/relationship/relationship--535d2425-21aa-4fe5-ae6d-5b677f459020.json +++ b/mobile-attack/relationship/relationship--535d2425-21aa-4fe5-ae6d-5b677f459020.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--91bb751b-9fd8-4e6e-9e22-4e8f7379cfd2", + "id": "bundle--5b0ac098-0c81-48c3-bff4-f10a909fba16", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--535d2425-21aa-4fe5-ae6d-5b677f459020", "created": "2022-03-28T19:41:37.162Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:43.673Z", "description": "Security updates may contain patches for devices that were compromised at the supply chain level.", - "modified": "2022-03-28T19:41:37.162Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d.json b/mobile-attack/relationship/relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d.json index 428525dea4..4cb7986996 100644 --- a/mobile-attack/relationship/relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d.json +++ b/mobile-attack/relationship/relationship--53ebd5b6-e60e-4aa4-a342-de586917f06d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60aa06e8-8f45-46af-8ef2-08a22aedeee3", + "id": "bundle--7c8f642b-3692-4d2d-b617-bc294301c5f9", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:26:05.065Z", + "modified": "2025-04-16T21:48:43.889Z", "description": "The user can view which applications have permission to use the camera through the device settings screen, where the user can then choose to revoke the permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--54151897-cc7e-4f92-af50-bed41ea78d92.json b/mobile-attack/relationship/relationship--54151897-cc7e-4f92-af50-bed41ea78d92.json index 9435a8e050..28b6aa143d 100644 --- a/mobile-attack/relationship/relationship--54151897-cc7e-4f92-af50-bed41ea78d92.json +++ b/mobile-attack/relationship/relationship--54151897-cc7e-4f92-af50-bed41ea78d92.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2cb69f10-33f6-4581-b7a4-805179614920", + "id": "bundle--81ab77e4-c985-493f-b8cb-82528a93f113", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:03:20.968Z", + "modified": "2025-04-16T21:48:44.095Z", "description": "[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) uses Google Cloud Messaging (GCM) for command and control.(Citation: Kaspersky-MobileMalware)", "relationship_type": "uses", "source_ref": "malware--28e39395-91e7-4f02-b694-5e079c964da9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5417959b-9478-49fb-b779-3c82a10ad080.json b/mobile-attack/relationship/relationship--5417959b-9478-49fb-b779-3c82a10ad080.json index 948621cf67..8814f5ceed 100644 --- a/mobile-attack/relationship/relationship--5417959b-9478-49fb-b779-3c82a10ad080.json +++ b/mobile-attack/relationship/relationship--5417959b-9478-49fb-b779-3c82a10ad080.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--db9a09d9-d512-43d7-9511-23f823809930", + "id": "bundle--311776af-80cf-408f-8031-16ae3f787687", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5417959b-9478-49fb-b779-3c82a10ad080", "type": "relationship", + "id": "relationship--5417959b-9478-49fb-b779-3c82a10ad080", "created": "2020-12-17T20:15:22.498Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", - "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", - "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], - "modified": "2020-12-17T20:15:22.498Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:44.326Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47.json b/mobile-attack/relationship/relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47.json index 433710a7cb..aec84bd11c 100644 --- a/mobile-attack/relationship/relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47.json +++ b/mobile-attack/relationship/relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--2877d693-2491-430b-b290-3f6417514241", + "id": "bundle--bf1ae5ec-d538-46f9-bc79-f0fa9d4974c6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--544e8fc3-c656-4081-9b4f-8a5d60926f47", "created": "2022-04-01T17:08:41.293Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:44.526Z", "description": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device\u2019s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. ", - "modified": "2022-04-01T17:08:41.293Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2.json b/mobile-attack/relationship/relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2.json index d05b83b9c1..a5f44c8810 100644 --- a/mobile-attack/relationship/relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2.json +++ b/mobile-attack/relationship/relationship--545d9313-3fcc-4d4a-b9d2-7555430df8f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--031237b9-6860-443a-af64-14adca4cc39d", + "id": "bundle--3e84f1e9-ffe7-4cc3-8aa2-12baf0396b0e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:28:58.447Z", + "modified": "2025-04-16T21:48:44.748Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can reset the user's password/PIN.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81.json b/mobile-attack/relationship/relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81.json index 0265984db6..e05f07e417 100644 --- a/mobile-attack/relationship/relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81.json +++ b/mobile-attack/relationship/relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--297a1219-ae48-4af8-9e5c-1294037a3333", + "id": "bundle--098b5fe7-6d69-40b1-87de-578c23b2b750", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--5482462c-08bc-4e28-bc20-bfbbc60f3f81", "created": "2022-04-05T20:03:46.789Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:44.949Z", "description": "", - "modified": "2022-04-05T20:03:46.789Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--60623164-ccd8-4508-a141-b5a34820b3de", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515.json b/mobile-attack/relationship/relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515.json index 3b2c62157d..fb3c040fef 100644 --- a/mobile-attack/relationship/relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515.json +++ b/mobile-attack/relationship/relationship--54bfecbc-4d1d-4bca-bb9c-652d09b29515.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--525931bf-bcb1-402f-8bc6-e75ebfa50cf0", + "id": "bundle--ed5beb94-ae59-4cf4-8300-6c30d5520eee", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T19:14:31.727Z", + "modified": "2025-04-16T21:48:45.146Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and if the screen is locked.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec.json b/mobile-attack/relationship/relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec.json index e9ecd68eeb..49bb5b3ca9 100644 --- a/mobile-attack/relationship/relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec.json +++ b/mobile-attack/relationship/relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--f32d1e2e-2387-4d9e-8353-ce8534318dcc", + "id": "bundle--ba2beae2-ce06-41e3-b7ee-d23362fbef55", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--54ce9375-cc0f-456e-ac22-e6fe822a6cec", "created": "2022-04-01T15:54:48.924Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:45.369Z", "description": "Applications very rarely require administrator permission. Developers should be cautioned against using this higher degree of access to avoid being flagged as a potentially malicious application. ", - "modified": "2022-04-01T15:54:48.924Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--54da16fe-c3af-4283-8e73-434beca633d4.json b/mobile-attack/relationship/relationship--54da16fe-c3af-4283-8e73-434beca633d4.json new file mode 100644 index 0000000000..33d650693d --- /dev/null +++ b/mobile-attack/relationship/relationship--54da16fe-c3af-4283-8e73-434beca633d4.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--0bd31f6e-e319-419d-91f3-843eb065d2ad", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--54da16fe-c3af-4283-8e73-434beca633d4", + "created": "2025-03-28T15:05:00.278Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:45.574Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors use the heartbeat beacons from the implant to obtain device information, such as the IMEI, MEID, and the serial number.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--54dac52d-5279-407f-b7b4-5484ae90b98c.json b/mobile-attack/relationship/relationship--54dac52d-5279-407f-b7b4-5484ae90b98c.json index dc1d337c61..aa80770aab 100644 --- a/mobile-attack/relationship/relationship--54dac52d-5279-407f-b7b4-5484ae90b98c.json +++ b/mobile-attack/relationship/relationship--54dac52d-5279-407f-b7b4-5484ae90b98c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--42c73c73-21f9-4f1d-ae2a-657c65d87c5d", + "id": "bundle--709b6cfa-0113-42af-894f-8091eeaa3836", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--54dac52d-5279-407f-b7b4-5484ae90b98c", "type": "relationship", + "id": "relationship--54dac52d-5279-407f-b7b4-5484ae90b98c", "created": "2021-02-17T20:43:52.402Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], - "modified": "2021-02-17T20:43:52.402Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:45.814Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has downloaded and installed additional applications.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--554ec347-c8b2-43da-876b-36608dcc543d.json b/mobile-attack/relationship/relationship--554ec347-c8b2-43da-876b-36608dcc543d.json
index 1fa2b7054d..65995313a9 100644
--- a/mobile-attack/relationship/relationship--554ec347-c8b2-43da-876b-36608dcc543d.json
+++ b/mobile-attack/relationship/relationship--554ec347-c8b2-43da-876b-36608dcc543d.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--528080d1-a163-43af-a470-78f069f91ff8", + "id": "bundle--c9878eaa-6cf2-4f54-87ea-db8e406dbd32", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--554ec347-c8b2-43da-876b-36608dcc543d", "created": "2017-10-25T14:48:53.746Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "TelephonyManager", - "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html", - "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016." + "description": "Android. (n.d.). TelephonyManager. Retrieved December 21, 2016.", + "url": "https://developer.android.com/reference/android/telephony/TelephonyManager.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:46.010Z", "description": "Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ", - "modified": "2022-03-30T21:04:59.921Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089.json b/mobile-attack/relationship/relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089.json index cec1f5efa8..d7d5d23de2 100644 --- a/mobile-attack/relationship/relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089.json +++ b/mobile-attack/relationship/relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--66421c32-2d2e-4bd1-a0ca-94ec87572509", + "id": "bundle--29bbfbfe-bcea-42ad-9c93-b41f7a7f612f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--557e6d99-d7d8-4e2f-bc01-66b0754de089", "created": "2022-03-28T19:41:27.610Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:46.225Z", "description": "Application developers should be cautious when selecting third-party libraries to integrate into their application.", - "modified": "2022-03-28T19:41:27.610Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15.json b/mobile-attack/relationship/relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15.json
index 4338498ce3..6efe1de7fe 100644
--- a/mobile-attack/relationship/relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15.json
+++ b/mobile-attack/relationship/relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--5be95294-9d93-4797-84cc-83c10dd0c997", + "id": "bundle--0ff99854-89ab-4a92-b535-5aecb25c5ed3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15", "type": "relationship", + "id": "relationship--55afe9a0-d261-48ea-b5a8-0b1685ff2f15", "created": "2020-04-24T15:06:33.319Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-04-24T15:06:33.319Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:46.434Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect voice notes, device accounts, and gallery images.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4.json b/mobile-attack/relationship/relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4.json index eb30b6b0c2..0a03ac81e5 100644 --- a/mobile-attack/relationship/relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4.json +++ b/mobile-attack/relationship/relationship--55b3df0f-252d-4208-bdb8-91fa1e1119b4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bbdd73ff-c78c-4d73-a4fc-aa873f777ffc", + "id": "bundle--772f0450-934a-49c4-920f-bafe34a0044a", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:23:12.919Z", + "modified": "2025-04-16T21:48:46.649Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can execute commands .(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--55f1c604-f3e1-4eef-8313-d136425be83d.json b/mobile-attack/relationship/relationship--55f1c604-f3e1-4eef-8313-d136425be83d.json new file mode 100644 index 0000000000..d4e14d3193 --- /dev/null +++ b/mobile-attack/relationship/relationship--55f1c604-f3e1-4eef-8313-d136425be83d.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--17bc8927-bcae-41ab-9fe3-813578d9f575", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--55f1c604-f3e1-4eef-8313-d136425be83d", + "created": "2025-01-10T16:25:28.944Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SentinelLabs AridViper 2023", + "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", + "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:46.852Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) has obfuscated code and anti-virtualization techniques to hinder analysis.(Citation: SentinelLabs AridViper 2023)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--27d18e87-8f32-4be1-b456-39b90454360f", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5619e263-d48c-47a5-ab68-8677fe080a15.json b/mobile-attack/relationship/relationship--5619e263-d48c-47a5-ab68-8677fe080a15.json index 22a410890f..8e2013ab9d 100644 --- a/mobile-attack/relationship/relationship--5619e263-d48c-47a5-ab68-8677fe080a15.json +++ b/mobile-attack/relationship/relationship--5619e263-d48c-47a5-ab68-8677fe080a15.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--93ef35af-2e2e-495f-b58a-48cc3a9deb0f", + "id": "bundle--7a89f88c-38cc-4fa7-9e61-25da76e978d8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--5619e263-d48c-47a5-ab68-8677fe080a15", "created": "2022-03-30T14:42:27.821Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:47.054Z", "description": "", - "modified": "2022-03-30T14:42:27.821Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--56551987-326a-46ad-a34a-59bb7ab793a9.json b/mobile-attack/relationship/relationship--56551987-326a-46ad-a34a-59bb7ab793a9.json index 2297d472aa..19173e2d18 100644 --- a/mobile-attack/relationship/relationship--56551987-326a-46ad-a34a-59bb7ab793a9.json +++ b/mobile-attack/relationship/relationship--56551987-326a-46ad-a34a-59bb7ab793a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc903d2b-880f-49fe-ba5a-73741ef7c422", + "id": "bundle--5593f094-c5fa-4da9-9744-b22f4ad223bf", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:24:07.828Z", + "modified": "2025-04-16T21:48:47.259Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can request device administrator permissions.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--56758bb5-230e-43ac-9851-167c296c3dfa.json b/mobile-attack/relationship/relationship--56758bb5-230e-43ac-9851-167c296c3dfa.json index 9071480248..61bf859fce 100644 --- a/mobile-attack/relationship/relationship--56758bb5-230e-43ac-9851-167c296c3dfa.json +++ b/mobile-attack/relationship/relationship--56758bb5-230e-43ac-9851-167c296c3dfa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6971cb1d-8984-43e3-a7c3-d38ed3d395f9", + "id": "bundle--50955e98-6868-4e10-9774-e4c6e30ae33c", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:25:29.731Z", + "modified": "2025-04-16T21:48:47.474Z", "description": "During the vetting process, applications using the Android permission `android.permission.CAMERA`, or the iOS `NSCameraUsageDescription` plist entry could be given closer scrutiny. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--56816b86-3c80-429b-8360-7b4e77538c97.json b/mobile-attack/relationship/relationship--56816b86-3c80-429b-8360-7b4e77538c97.json new file mode 100644 index 0000000000..918eac43f8 --- /dev/null +++ b/mobile-attack/relationship/relationship--56816b86-3c80-429b-8360-7b4e77538c97.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--b6e43022-5a5a-4af3-9963-557c0c728767", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--56816b86-3c80-429b-8360-7b4e77538c97", + "created": "2025-03-24T18:00:24.386Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. 
Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:47.670Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected payment history from WeChat Pay.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba.json b/mobile-attack/relationship/relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba.json index 49a6bb81ba..61c53c9b00 100644 --- a/mobile-attack/relationship/relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba.json +++ b/mobile-attack/relationship/relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--086a8eb9-f52d-4b19-915c-eeb487151181", + "id": "bundle--fc7fb772-6fa0-4da3-91d9-3fba79df278a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--56a0173f-68ec-48f6-88d8-ed1e7a2470ba", "created": "2023-12-18T19:08:12.976Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:08:12.976Z", + "modified": "2025-04-16T21:48:47.869Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can track the device\u2019s location.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--56a255a5-9fa2-45bb-8848-fd0a68514467.json b/mobile-attack/relationship/relationship--56a255a5-9fa2-45bb-8848-fd0a68514467.json index 896d59b085..7920f1547b 100644 --- a/mobile-attack/relationship/relationship--56a255a5-9fa2-45bb-8848-fd0a68514467.json +++ b/mobile-attack/relationship/relationship--56a255a5-9fa2-45bb-8848-fd0a68514467.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--45717305-51b8-4ff0-a926-1dec14f46867", + "id": "bundle--b6b00e5a-9a4d-42b2-9af4-988834ab9119", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--56a255a5-9fa2-45bb-8848-fd0a68514467", "created": "2022-04-11T20:06:56.034Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:48.065Z", "description": "", - "modified": "2022-04-11T20:06:56.034Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--2f0e8d80-4b8b-4f4a-b5cc-132afe7e057d", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282.json b/mobile-attack/relationship/relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282.json index b29c09ceea..33ae30f029 100644 --- a/mobile-attack/relationship/relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282.json +++ b/mobile-attack/relationship/relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--1142212c-feb3-4b35-a4d7-6b66c7cbe31b", + "id": "bundle--0f0776c8-f32a-4f0d-a1a2-a518d6299989", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--56c8af86-2924-46f8-a1d7-8309ee6f0282", "created": "2023-07-21T19:36:35.822Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:36:35.822Z", - "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card info, and Wi-Fi info.(Citation: lookout_bouldspy_0423)", + "modified": "2025-04-16T21:48:48.265Z", + "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card information, and Wi-Fi information.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5706742b-733d-44e9-a032-62b81ba05bcf.json b/mobile-attack/relationship/relationship--5706742b-733d-44e9-a032-62b81ba05bcf.json index 67f72a57b5..103eebf414 100644 --- a/mobile-attack/relationship/relationship--5706742b-733d-44e9-a032-62b81ba05bcf.json +++ b/mobile-attack/relationship/relationship--5706742b-733d-44e9-a032-62b81ba05bcf.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--998e8b3c-d602-4f76-adbc-9ed05feef22e", + "id": "bundle--954464d7-0028-480b-9195-c2ee75220130", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:26:52.491Z", + "modified": "2025-04-16T21:48:48.465Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve SMS messages and iMessages.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--57293fc9-8838-4acd-a16f-48f516d0921e.json b/mobile-attack/relationship/relationship--57293fc9-8838-4acd-a16f-48f516d0921e.json index 35baa7a565..3c7a80791d 100644 --- a/mobile-attack/relationship/relationship--57293fc9-8838-4acd-a16f-48f516d0921e.json +++ b/mobile-attack/relationship/relationship--57293fc9-8838-4acd-a16f-48f516d0921e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ae91b4e-d2bb-4ed5-84c0-62bb7440a271", + "id": "bundle--4db25ce1-bb37-4641-8901-c2833b854c42", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:29:51.699Z", + "modified": "2025-04-16T21:48:48.694Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) hides its icon after installation.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5738479d-47fb-4d6f-9f04-5ce988327694.json b/mobile-attack/relationship/relationship--5738479d-47fb-4d6f-9f04-5ce988327694.json index 18a4432ca0..49af053b7e 100644 --- a/mobile-attack/relationship/relationship--5738479d-47fb-4d6f-9f04-5ce988327694.json +++ b/mobile-attack/relationship/relationship--5738479d-47fb-4d6f-9f04-5ce988327694.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--d14ac599-deab-4b31-be79-1cd5473d1d9b", + "id": "bundle--3e8cdc3e-7580-462c-91b5-fd3b1cea4cca", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--5738479d-47fb-4d6f-9f04-5ce988327694", "created": "2023-12-18T19:07:31.393Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:07:31.393Z", + "modified": "2025-04-16T21:48:48.913Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can collect the device\u2019s call log.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5749763a-0aef-460a-b081-849adba8d58f.json b/mobile-attack/relationship/relationship--5749763a-0aef-460a-b081-849adba8d58f.json index 8ce5ec5db7..f3b24f1ef7 100644 --- a/mobile-attack/relationship/relationship--5749763a-0aef-460a-b081-849adba8d58f.json +++ b/mobile-attack/relationship/relationship--5749763a-0aef-460a-b081-849adba8d58f.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--dceb1cc2-55fe-460b-86c7-45ef53e62963", + "id": "bundle--872149db-bc23-4b79-9a09-5c27286112bf", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--5749763a-0aef-460a-b081-849adba8d58f", "created": "2023-12-18T18:18:44.171Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:18:44.171Z", + "modified": "2025-04-16T21:48:49.117Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has injected string contents into the device clipboard.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7.json b/mobile-attack/relationship/relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7.json index 79a330e5ce..ffa83a0708 100644 --- a/mobile-attack/relationship/relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7.json +++ b/mobile-attack/relationship/relationship--576dfa89-d400-4cac-b32d-8ee85a9de5d7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--88291d63-de24-4e4d-bd06-98ec055666a8", + "id": "bundle--bb50e9ad-67b3-40b5-8283-8ff8199e67ae", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:17:40.405Z", + "modified": "2025-04-16T21:48:49.332Z", "description": "Application vetting services can look for the use of the Android `MediaProjectionManager` class, applying extra scrutiny to applications that use the class.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--57881f4b-8463-430c-912a-0e3c961e7784.json b/mobile-attack/relationship/relationship--57881f4b-8463-430c-912a-0e3c961e7784.json index 8b383422be..c06b004b22 100644 --- a/mobile-attack/relationship/relationship--57881f4b-8463-430c-912a-0e3c961e7784.json +++ b/mobile-attack/relationship/relationship--57881f4b-8463-430c-912a-0e3c961e7784.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--a2d91550-7919-4c98-8557-e36594f27831", + "id": "bundle--ebd83dff-7c1c-4ed8-98aa-cb8485540571", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--57881f4b-8463-430c-912a-0e3c961e7784", "created": "2023-07-21T19:52:30.528Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:52:30.529Z", + "modified": "2025-04-16T21:48:49.536Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can copy and exfiltrate a device\u2019s contact list.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--57a069a0-399f-43ab-9efc-50432a41b26b.json b/mobile-attack/relationship/relationship--57a069a0-399f-43ab-9efc-50432a41b26b.json index 7ebea5c24e..5f38d3ee46 100644 --- a/mobile-attack/relationship/relationship--57a069a0-399f-43ab-9efc-50432a41b26b.json +++ b/mobile-attack/relationship/relationship--57a069a0-399f-43ab-9efc-50432a41b26b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f7563e10-acc7-4b65-a557-abaee70e4b30", + "id": "bundle--515d0a1a-e6dd-4df9-9f07-332dbfeed67e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:36:12.585Z", + "modified": "2025-04-16T21:48:49.761Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has deleted or renamed specific files.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--57a5ae72-6932-45e6-83f2-609943902b35.json b/mobile-attack/relationship/relationship--57a5ae72-6932-45e6-83f2-609943902b35.json index 90c9d8c650..217941825d 100644 --- a/mobile-attack/relationship/relationship--57a5ae72-6932-45e6-83f2-609943902b35.json +++ b/mobile-attack/relationship/relationship--57a5ae72-6932-45e6-83f2-609943902b35.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--920c37f5-c8ab-44af-9fe4-ddb46baec2f9", + "id": "bundle--723d6d6c-0b4f-4f7a-90dd-a13a5b568a3c", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T16:30:03.505Z", + "modified": "2025-04-16T21:48:49.967Z", "description": "In both Android (6.0 and up) and iOS, the user can view which applications have the permission to access the device location through the device settings screen and revoke permissions as necessary. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791.json b/mobile-attack/relationship/relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791.json index 72d424b1bb..3cf253d617 100644 --- a/mobile-attack/relationship/relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791.json +++ b/mobile-attack/relationship/relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--25438a92-9cef-429a-b6fe-cd2275ee0523", + "id": "bundle--f55ff567-c16d-4894-9f1a-e4209ef96f52", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--57df3046-2f14-4bb8-93e9-84a9c8b46791", "created": "2022-03-30T19:33:17.520Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:50.219Z", "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", - "modified": "2022-03-30T19:33:17.520Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78.json b/mobile-attack/relationship/relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78.json index 2f443e3a42..6996c479bf 100644 --- a/mobile-attack/relationship/relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78.json +++ b/mobile-attack/relationship/relationship--57e441f8-6799-4d1b-8e2a-13d8ac1c8e78.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0efa3fbf-9700-490b-af74-22052c3f1bfa", + "id": "bundle--fee2d9fb-7548-417b-8257-00a313c2b943", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:08:37.122Z", + "modified": "2025-04-16T21:48:50.409Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can obfuscated class, string, and method names in newer malware versions.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--583720d0-8b15-4662-822e-bb40bc1df940.json b/mobile-attack/relationship/relationship--583720d0-8b15-4662-822e-bb40bc1df940.json index e88124dd11..6fbe4621b4 100644 --- a/mobile-attack/relationship/relationship--583720d0-8b15-4662-822e-bb40bc1df940.json +++ b/mobile-attack/relationship/relationship--583720d0-8b15-4662-822e-bb40bc1df940.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--97850a2a-978c-4f31-abc4-4c15d8d0d176", + "id": "bundle--f5eb4205-42fb-4c88-86d2-cc93849f27f5", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--583720d0-8b15-4662-822e-bb40bc1df940", "created": "2023-12-18T18:09:02.735Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:09:02.735Z", + "modified": "2025-04-16T21:48:50.614Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can retrieve Android system and hardware information.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72.json b/mobile-attack/relationship/relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72.json index 192e915836..2fe1c649e3 100644 --- a/mobile-attack/relationship/relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72.json +++ b/mobile-attack/relationship/relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--211dfa7c-a204-4d70-b84d-ad9deab9ff12", + "id": "bundle--35467e4f-c8a8-4f51-a99f-482618de4e1e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72", "type": "relationship", + "id": "relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72", "created": "2020-11-24T17:55:12.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", - "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", - "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], - "modified": "2020-11-24T17:55:12.900Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:50.825Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device\u2019s IMEI, phone number, and country.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56.json b/mobile-attack/relationship/relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56.json index 62a16c1488..19ba82789a 100644 
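Review bot: The rewritten object `relationship--58c0fe4b-612d-4fc6-973f-16914b0f4b72` (GPlayed) still has no `revoked` or `x_mitre_deprecated` key, although this hunk re-emits the whole file and adds `x_mitre_attack_spec_version`. The neighbouring relationship objects in this commit all state both keys explicitly. I would add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`, so that consumers filtering out revoked or deprecated relationships do not have to guess at a default. The `@@ -1,30 +1,30 @@` hunk for `relationship--5977289e-d38f-4974-912b-2151fc00c850` (Golden Cup) has the same gap. If the omission is intentional for objects not touched since 2020, the release notes should say that an absent key means false.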
--- a/mobile-attack/relationship/relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56.json +++ b/mobile-attack/relationship/relationship--58c15bce-1593-4be1-ae56-7e7b2634fc56.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3700afbf-2498-4138-949c-f2e63626abe0", + "id": "bundle--1691c8cb-9135-4e53-88fb-8bc9cd9a8baa", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:27:05.040Z", + "modified": "2025-04-16T21:48:51.030Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--58c857f8-4f40-48e0-b3ac-41944d82b576.json b/mobile-attack/relationship/relationship--58c857f8-4f40-48e0-b3ac-41944d82b576.json index 7b08856396..326bc128db 100644 --- a/mobile-attack/relationship/relationship--58c857f8-4f40-48e0-b3ac-41944d82b576.json +++ b/mobile-attack/relationship/relationship--58c857f8-4f40-48e0-b3ac-41944d82b576.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--97682cdb-8e98-48f7-bba1-5347eceb8ec4", + "id": "bundle--98c0dba0-e7d1-4064-8483-90f320741642", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:54:02.223Z", + "modified": "2025-04-16T21:48:51.268Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of contacts.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--592331d2-60a7-4264-b844-fbeb89b6386c.json b/mobile-attack/relationship/relationship--592331d2-60a7-4264-b844-fbeb89b6386c.json index ded4804641..be6f93d662 100644 --- a/mobile-attack/relationship/relationship--592331d2-60a7-4264-b844-fbeb89b6386c.json +++ b/mobile-attack/relationship/relationship--592331d2-60a7-4264-b844-fbeb89b6386c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--742cca04-30bf-4bf4-bc46-8953f620c097", + "id": "bundle--fc2de049-8dc6-4b69-90b7-e53b614d0062", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:53:16.626Z", + "modified": "2025-04-16T21:48:51.460Z", "description": "The user can view the default SMS handler in system settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2.json b/mobile-attack/relationship/relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2.json index 3a79bae264..324315b228 100644 --- a/mobile-attack/relationship/relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2.json +++ b/mobile-attack/relationship/relationship--597579b4-7e2f-4843-8cd3-f9143eca34f2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c002b894-a630-4247-9e73-0f84583bc54f", + "id": "bundle--c59a704a-4986-4640-906a-d53a7d797f4b", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-17T13:11:49.039Z", + "modified": "2025-04-16T21:48:51.666Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can use an encryption key received from its C2 to encrypt and decrypt configuration files and exfiltrated data.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1.json b/mobile-attack/relationship/relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1.json new file mode 100644 index 0000000000..5207e25c4e --- /dev/null +++ b/mobile-attack/relationship/relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--7f180d5f-78f6-4bc0-9fff-f016bd69654d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5976af4f-2fd4-46a0-baab-a4ae69e98bc1", + "created": "2025-04-15T18:05:36.895Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:51.863Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has exfiltrated collected data to the C2.(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5977289e-d38f-4974-912b-2151fc00c850.json b/mobile-attack/relationship/relationship--5977289e-d38f-4974-912b-2151fc00c850.json index 8dbcccd1af..b2688da7e6 100644 --- a/mobile-attack/relationship/relationship--5977289e-d38f-4974-912b-2151fc00c850.json +++ b/mobile-attack/relationship/relationship--5977289e-d38f-4974-912b-2151fc00c850.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--79f3f0b3-1a41-45c6-b4bb-fb9f88863e9b", + "id": "bundle--6a368827-6d8f-42fc-9f93-351daf22e94d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5977289e-d38f-4974-912b-2151fc00c850", "type": "relationship", + "id": "relationship--5977289e-d38f-4974-912b-2151fc00c850", "created": "2020-11-20T16:37:28.524Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T16:37:28.524Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:52.068Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device\u2019s phone number and IMSI.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9.json b/mobile-attack/relationship/relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9.json index 323e00fc40..14a9ebe2b9 100644 --- a/mobile-attack/relationship/relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9.json +++ b/mobile-attack/relationship/relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--ad26b651-6c21-4c1c-89fb-439ed6fe846e", + "id": "bundle--c7c7c8c0-0d0c-4542-b7a1-b0f84d9ed5fd", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--59aaa62b-a629-42c8-9bd2-8e75810135a9", "created": "2022-04-05T19:52:32.201Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:52.319Z", "description": "", - "modified": "2022-04-05T19:52:32.201Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--3dd58c80-4c2e-458c-9503-1b2cd273c4d2", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc.json b/mobile-attack/relationship/relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc.json index 7df470f780..d17e60fbe0 100644 --- a/mobile-attack/relationship/relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc.json 
+++ b/mobile-attack/relationship/relationship--59c2bfb5-a55b-43d3-b1e9-3fbaff0fb7fc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2dc6eb85-9484-46d6-a6af-7b4b73f7ff2e", + "id": "bundle--190775fd-ae63-4dd5-841b-431a35fb53aa", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T22:35:46.046Z", + "modified": "2025-04-16T21:48:52.520Z", "description": "Mobile security products can use attestation to detect compromised devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f.json b/mobile-attack/relationship/relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f.json new file mode 100644 index 0000000000..157c8d5459 --- /dev/null +++ b/mobile-attack/relationship/relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--1abfc17b-0ca1-4bed-9328-ebc3369f3a31", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--59ccdf54-af53-45f2-9ada-549bbc9fb53f", + "created": "2025-03-28T14:57:39.909Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 01Jun2023", + "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", + "url": "https://securelist.com/operation-triangulation/109842/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:52.727Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors deleted the initial exploitation message and exploit attachment.(Citation: SecureList OpTriangulation 01Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--59d463d3-3a41-4269-be9a-7a69f44eca78.json b/mobile-attack/relationship/relationship--59d463d3-3a41-4269-be9a-7a69f44eca78.json index 1c8593f80f..e589d344dc 100644 --- a/mobile-attack/relationship/relationship--59d463d3-3a41-4269-be9a-7a69f44eca78.json +++ b/mobile-attack/relationship/relationship--59d463d3-3a41-4269-be9a-7a69f44eca78.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de39143d-2e43-47ab-9517-c4a69af9c24b", + "id": "bundle--436bcef6-700d-440d-8022-c2daa88a5a4e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:03:47.434Z", + "modified": "2025-04-16T21:48:52.929Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has communicated with the C2 server using HTTP.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef.json b/mobile-attack/relationship/relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef.json index 0246075304..c524ee892c 100644 --- a/mobile-attack/relationship/relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef.json +++ b/mobile-attack/relationship/relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--62e32f62-ea85-4386-8853-2ea0777d28f2", + "id": "bundle--cb2e7842-b99f-442c-a669-e47832d6c375", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--59e225fa-b181-4906-9f0b-ef8f6ce7f2ef", "created": "2022-04-05T20:14:17.442Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:53.152Z", "description": "", - "modified": "2022-04-05T20:14:17.442Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d.json b/mobile-attack/relationship/relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d.json index 7496c2ddec..3a8e5f6cae 100644 --- a/mobile-attack/relationship/relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d.json +++ b/mobile-attack/relationship/relationship--5a036fb8-9f72-4383-91c5-0f47b33b2c9d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--291c8724-3046-42a6-b436-31b0e66400f0", + "id": "bundle--1b21dcd7-5585-44f7-8c69-49783e5053a2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:57:40.371Z", + "modified": "2025-04-16T21:48:53.358Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) gathers and exfiltrates data about nearby Wi-Fi access points.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1.json b/mobile-attack/relationship/relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1.json index e14c1a0d37..249d854b6c 100644 --- a/mobile-attack/relationship/relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1.json +++ b/mobile-attack/relationship/relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--a6de7f21-821e-4486-81c1-d7f0a3e54630", + "id": "bundle--880b8d35-cbe0-4e82-9814-ab0ef352f153", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--5a18e6c3-4bbf-4418-8815-55ebf283c8a1", "created": "2020-10-29T17:48:27.272Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Threat Fabric Exobot", - "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", - "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:53.561Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain a list of installed applications and can detect if an antivirus application is running, and close it if it is.(Citation: Threat Fabric Exobot)", - "modified": "2022-04-15T16:53:00.735Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No 
newline at end of file diff --git a/mobile-attack/relationship/relationship--5a277966-4559-487e-bdfb-7be6366ccdb6.json b/mobile-attack/relationship/relationship--5a277966-4559-487e-bdfb-7be6366ccdb6.json index 92153b23f3..b4a93d5448 100644 --- a/mobile-attack/relationship/relationship--5a277966-4559-487e-bdfb-7be6366ccdb6.json +++ b/mobile-attack/relationship/relationship--5a277966-4559-487e-bdfb-7be6366ccdb6.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--35cebf4f-5541-43ca-8fe3-b630fbe54cb8", + "id": "bundle--ba64a8a1-bbf3-481e-9c00-66d9565f3d27", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5a277966-4559-487e-bdfb-7be6366ccdb6", "type": "relationship", + "id": "relationship--5a277966-4559-487e-bdfb-7be6366ccdb6", "created": "2019-09-03T19:45:48.508Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-09-11T13:25:19.114Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:53.773Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take pictures with the device cameras.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3.json b/mobile-attack/relationship/relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3.json index a76f319706..c33a443f13 100644 --- a/mobile-attack/relationship/relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3.json +++ b/mobile-attack/relationship/relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--78a62857-937c-446e-b93a-dc46a9b532a2", + "id": "bundle--cda26591-0e7f-49f4-abc5-fec37b2c8749", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3", "type": "relationship", + "id": "relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3", "created": "2020-06-26T14:55:13.351Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], - "modified": "2020-06-26T14:55:13.351Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:53.975Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect a list of installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
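Review bot: The new side of this object (relationship--5a2bff26-f5e5-41f9-b3da-a558988ef3f3) carries neither `revoked` nor `x_mitre_deprecated`, while neighbouring objects in this commit, such as relationship--5a277966-4559-487e-bdfb-7be6366ccdb6, now state both explicitly as `false`. A consumer that filters active relationships with a strict test on those keys will treat the two groups differently. Either add `"revoked": false,` and `"x_mitre_deprecated": false,` here, or confirm that a missing key is meant to read as false. The same gap shows in relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0, relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02, relationship--5b5586b9-75ee-476f-b3eb-49878254302c and relationship--5b670281-0054-42b4-8e54-ea01a692f5bf.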
diff --git a/mobile-attack/relationship/relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae.json b/mobile-attack/relationship/relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae.json index e441fe78c7..ee5e743263 100644 --- a/mobile-attack/relationship/relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae.json +++ b/mobile-attack/relationship/relationship--5a50d9da-3fa5-443e-8367-8a0520d58cae.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a2e0b4ad-1d0c-4bdd-a02d-6ff045a67476", + "id": "bundle--065b431b-d3b5-4807-9340-a05cffe9359e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:04:02.992Z", + "modified": "2025-04-16T21:48:54.213Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has used HTTP POST requests for C2.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb.json b/mobile-attack/relationship/relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb.json new file mode 100644 index 0000000000..808e551704 --- /dev/null +++ b/mobile-attack/relationship/relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--84e34cd1-999e-4709-8a82-b0d173a3406e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5a55b7a2-52ab-4cf8-abc1-8ec4e42102cb", + "created": "2025-01-10T16:17:20.835Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SentinelLabs AridViper 2023", + "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", + "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:54.420Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can access the device's location.(Citation: SentinelLabs AridViper 2023)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f.json b/mobile-attack/relationship/relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f.json index 7ee17d800c..dd4cdd88cf 100644 --- a/mobile-attack/relationship/relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f.json +++ b/mobile-attack/relationship/relationship--5a64b957-32fb-4dd6-84ae-48a2c74c560f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ee5b5f4-8bdf-49a9-9d1f-f994c925d003", + "id": "bundle--70b80f2f-9178-488b-94b2-f226555602bf", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:27:56.357Z", + "modified": "2025-04-16T21:48:54.649Z", "description": "Application vetting services can check for the string `BIND_DEVICE_ADMIN` in the application\u2019s manifest. This indicates it can prompt the user for device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a.json b/mobile-attack/relationship/relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a.json index a532c86aac..260427b30b 100644 --- a/mobile-attack/relationship/relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a.json +++ b/mobile-attack/relationship/relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--fa236b15-5a38-4954-a515-9486f2586a71", + "id": "bundle--985c247e-629c-44c0-9070-248f4634ebbb", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--5a6df1dd-9aa4-4f67-9195-8c3a9f5c0f7a", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Tripwire-MazarBOT", - "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/", - "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016." + "description": "Graham Cluley. (2016, February 16). Android users warned of malware attack spreading via SMS. Retrieved December 23, 2016.", + "url": "https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:54.849Z", "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can send messages to premium-rate numbers.(Citation: Tripwire-MazarBOT)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0.json b/mobile-attack/relationship/relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0.json index 83ff12f353..9ff6e3c349 100644 --- a/mobile-attack/relationship/relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0.json +++ b/mobile-attack/relationship/relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--6991f8ca-395e-4dbe-9022-0298b6df3998", + "id": "bundle--99abc53b-5633-4af3-93c3-ef9c2bdc6609", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--5a7295a2-ad95-4362-8b2c-9265ad5c73b0", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout-StealthMango", - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", - "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018." + "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:55.051Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uses commands received from text messages for C2.(Citation: Lookout-StealthMango)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb.json b/mobile-attack/relationship/relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb.json new file mode 100644 index 0000000000..e032044ed6 --- /dev/null +++ b/mobile-attack/relationship/relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--db687ec6-4267-4f5a-97af-006d98ce703b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5a836ae1-c2a0-49b8-a0b4-851b7f3939fb", + "created": "2025-03-24T14:53:31.951Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee MoqHao 2019", + "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:55.263Z", + "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214)\u2019s payload has obtained the C2 address via Twitter accounts.(Citation: McAfee MoqHao 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", + "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0.json b/mobile-attack/relationship/relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0.json index c4a34efc69..c9e0f3f333 100644 
--- a/mobile-attack/relationship/relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0.json +++ b/mobile-attack/relationship/relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0.json @@ -1,23 +1,23 @@ { "type": "bundle", - "id": "bundle--fea01905-53cc-4b42-8dae-c13c89640c18", + "id": "bundle--4bd75227-ea8f-4171-a723-f17b42ddd13c", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0", + "created": "2019-09-15T15:32:17.563Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--5a96d87e-f70e-49dc-a272-c98aad672ce0", - "type": "relationship", - "created": "2019-09-15T15:32:17.563Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2020-07-09T14:07:02.315Z", + "modified": "2025-04-16T21:48:55.466Z", "description": "Application developers could be encouraged to avoid placing sensitive data in notification text.", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5aa167b8-4166-440b-b49f-bf1bab597237.json b/mobile-attack/relationship/relationship--5aa167b8-4166-440b-b49f-bf1bab597237.json index 7fbd93d4ec..3b9b50e64f 100644 --- a/mobile-attack/relationship/relationship--5aa167b8-4166-440b-b49f-bf1bab597237.json +++ b/mobile-attack/relationship/relationship--5aa167b8-4166-440b-b49f-bf1bab597237.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b9c59aa-4c7a-415f-a1dd-db5006b1b436", + "id": "bundle--d05d85f2-d7ee-4b09-8fe9-56883a5eebd9", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:39:13.309Z", + "modified": "2025-04-16T21:48:55.666Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect the device\u2019s call log.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5b04c8d0-c026-4838-9383-e4146de36d4d.json b/mobile-attack/relationship/relationship--5b04c8d0-c026-4838-9383-e4146de36d4d.json index f46a82db3e..98d3b80841 100644 --- a/mobile-attack/relationship/relationship--5b04c8d0-c026-4838-9383-e4146de36d4d.json +++ b/mobile-attack/relationship/relationship--5b04c8d0-c026-4838-9383-e4146de36d4d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--91eb3e7b-2a17-4626-af88-70c8630e4d3e", + "id": "bundle--38f968a4-3ed2-40cb-a684-3adbb8602bc2", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:34:11.221Z", + "modified": "2025-04-16T21:48:55.869Z", "description": "Application vetting services could detect usage of standard clipboard APIs.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5b235ed4-548d-49f2-ae01-1874666e6747.json b/mobile-attack/relationship/relationship--5b235ed4-548d-49f2-ae01-1874666e6747.json index ae74c60e28..25aebc9140 100644 --- a/mobile-attack/relationship/relationship--5b235ed4-548d-49f2-ae01-1874666e6747.json +++ b/mobile-attack/relationship/relationship--5b235ed4-548d-49f2-ae01-1874666e6747.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a82e216a-f9b5-487b-8e85-deb303081d72", + "id": "bundle--fbdde142-a2a5-42f1-831f-41ce9d689ac0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--5b235ed4-548d-49f2-ae01-1874666e6747", "created": "2022-03-30T19:51:56.543Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:56.071Z", "description": "", - "modified": "2022-03-30T19:51:56.543Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02.json b/mobile-attack/relationship/relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02.json index 4b401930b5..977d2b9084 100644 --- a/mobile-attack/relationship/relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02.json +++ b/mobile-attack/relationship/relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--bc96ad3d-8aaa-4184-8f69-2af4d7029da5", + "id": "bundle--40bbef16-3d47-4e8a-aac6-b0992c906d5f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02", "type": "relationship", + "id": "relationship--5b37d94a-64a3-432a-b340-1c9a4f553d02", "created": "2020-12-17T20:15:22.452Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", - "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", - "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], - "modified": "2020-12-17T20:15:22.452Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:56.321Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27.json b/mobile-attack/relationship/relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27.json new file mode 100644 index 0000000000..16e6ba6713 --- /dev/null +++ b/mobile-attack/relationship/relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--7989fc42-7aa6-4b94-b090-00316040cd7d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27", + "created": "2024-03-26T19:38:28.204Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "checkpoint_hamas_android_malware", + "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" + }, + { + "source_name": "SentinelLabs AridViper 2023", + "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", + "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:56.523Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can download more malware to the victim device.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: SentinelLabs AridViper 2023)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5b5586b9-75ee-476f-b3eb-49878254302c.json b/mobile-attack/relationship/relationship--5b5586b9-75ee-476f-b3eb-49878254302c.json index ed546071b0..4b09f67342 100644 --- a/mobile-attack/relationship/relationship--5b5586b9-75ee-476f-b3eb-49878254302c.json +++ b/mobile-attack/relationship/relationship--5b5586b9-75ee-476f-b3eb-49878254302c.json 
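Review bot: Two archived reference URLs in this new file (relationship--5b4128cc-ae1b-4a1b-bc51-d4fdc507bc27) embed the original address in a non-canonical form: the `checkpoint_hamas_android_malware` entry reads `https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/...` with a single slash after the scheme, and the `welivesecurity_apt-c-23` entry has no scheme at all after the timestamp. The same single-slash form is introduced in the `fb_arid_viper` reference of relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0, where the old side had `https://about.fb.com/...`. The archive service may well normalise these, but tooling that parses, deduplicates or allow-lists citation URLs will see a different string from the canonical one. I would write the embedded address as `https://research.checkpoint.com/...` and keep `https://about.fb.com/...` as it was.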
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e1ac8c1f-549d-42b4-bf2d-d4659dd58384", + "id": "bundle--544d8e0e-c1b0-4173-80aa-b597cb78cbe0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5b5586b9-75ee-476f-b3eb-49878254302c", "type": "relationship", + "id": "relationship--5b5586b9-75ee-476f-b3eb-49878254302c", "created": "2019-07-16T14:33:12.117Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", - "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", - "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], - "modified": "2020-04-27T16:52:49.643Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:56.733Z", "description": "[Triada](https://attack.mitre.org/software/S0424) is able to modify code within the com.android.systemui application to gain access to `GET_REAL_TASKS` permissions. This permission enables access to information about applications currently on the foreground and other recently used apps.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--5b670281-0054-42b4-8e54-ea01a692f5bf.json b/mobile-attack/relationship/relationship--5b670281-0054-42b4-8e54-ea01a692f5bf.json index 5e3db40b69..91b79eca29 100644 --- a/mobile-attack/relationship/relationship--5b670281-0054-42b4-8e54-ea01a692f5bf.json +++ b/mobile-attack/relationship/relationship--5b670281-0054-42b4-8e54-ea01a692f5bf.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ad5c68df-9e8c-4e4a-ad23-8f64f7bc315a", + "id": "bundle--63928384-9133-4678-bcfc-62a507a8b1ce", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5b670281-0054-42b4-8e54-ea01a692f5bf", "type": "relationship", + "id": "relationship--5b670281-0054-42b4-8e54-ea01a692f5bf", "created": "2021-10-01T14:42:48.900Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "modified": "2021-10-01T14:42:48.900Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:56.952Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can open a hidden menu when a specific phone number is called from the infected device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0.json b/mobile-attack/relationship/relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0.json index 1c7f2114b0..69be6600f8 100644 
--- a/mobile-attack/relationship/relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0.json +++ b/mobile-attack/relationship/relationship--5b7c73d3-a983-456e-82fe-1c823a282eb0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e08b89b3-2667-4b6c-a16a-f227766cffc5", + "id": "bundle--60e3258f-99ae-43b1-8564-107d2d85568d", "spec_version": "2.0", "objects": [ { @@ -12,8 +12,8 @@ "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" }, { "source_name": "sentinelone_israel_hamas_war", @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T20:22:22.162Z", + "modified": "2025-04-16T21:48:57.156Z", "description": "(Citation: sentinelone_israel_hamas_war)(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
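Review bot: The new `url` value for the `fb_arid_viper` reference (hunk `@@ -12,8 +12,8 @@`) has lost a slash in the archived target: it now reads `.../web/20231126111812/https:/about.fb.com/...` where the removed line had `https://about.fb.com/...`. This looks like `//` being collapsed during export, though the cause is not visible here. The Wayback Machine may still resolve the link, but any consumer that extracts or validates the original URL from this reference will see a malformed scheme separator. Restore the line to `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`, and check other web.archive.org references in this release for the same change. The relationship object that holds this reference starts above the hunk.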
diff --git a/mobile-attack/relationship/relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f.json b/mobile-attack/relationship/relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f.json index 6d6fcb82bb..152bec8f5e 100644 --- a/mobile-attack/relationship/relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f.json +++ b/mobile-attack/relationship/relationship--5b87bb01-9587-42bd-aa6b-30158ca8f55f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a71845d-8d08-4836-b193-046a0a664f29", + "id": "bundle--277e529c-0f95-47eb-b428-e06f87070cef", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.105Z", + "modified": "2025-04-16T21:48:57.384Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can send, receive, and delete SMS messages.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9.json b/mobile-attack/relationship/relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9.json index 118ba51625..b36f4826d1 100644 --- a/mobile-attack/relationship/relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9.json +++ b/mobile-attack/relationship/relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--4a5bc101-72bc-4e54-8db9-af249230b213", + "id": "bundle--2b1d17b2-8025-4bb3-8410-666740bd77b7", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--5b9a2c93-95bf-4f39-aeac-b2af051faca9", "created": "2023-08-23T22:50:55.591Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-23T22:50:55.591Z", + "modified": "2025-04-16T21:48:57.599Z", "description": "Application vetting services may detect API calls to `performGlobalAction(int)`. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c.json b/mobile-attack/relationship/relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c.json index ad277adb56..a69c8f5272 100644 --- a/mobile-attack/relationship/relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c.json +++ b/mobile-attack/relationship/relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--97f226d5-86af-4211-a7f6-aa8c34178b16", + "id": "bundle--53fd76f6-9267-4474-a96b-5eda41fb99ae", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c", "type": "relationship", + "id": "relationship--5c1e3aa9-160d-49fd-83a2-2ed2f8c5435c", "created": "2021-02-17T20:43:52.324Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], - "modified": "2021-02-17T20:43:52.324Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:57.822Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has collected phone metadata such as cell location, mobile country code (MCC), and mobile network code (MNC).(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf.json b/mobile-attack/relationship/relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf.json index adad3e525f..7dde6ea7fe 100644 --- a/mobile-attack/relationship/relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf.json +++ b/mobile-attack/relationship/relationship--5c447471-2b97-4d96-b75f-1cbb574b39cf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5fcd728-66f4-4300-a695-1c3ad87a7b1f", + "id": "bundle--9ac864aa-6a68-471c-885e-011ad5b40b0e", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:39:37.117Z", + "modified": "2025-04-16T21:48:58.017Z", "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a.json b/mobile-attack/relationship/relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a.json index a9150cc890..5a837ee372 100644 --- a/mobile-attack/relationship/relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a.json +++ b/mobile-attack/relationship/relationship--5c746ac8-4034-4ae3-98c3-66d89f5a6d6a.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--15f9dbb0-74d3-4613-acd8-c41fecbabd99", + "id": "bundle--944b0c97-669e-426c-930f-92e4ce049d39", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:19:00.199Z", + "modified": "2025-04-16T21:48:58.260Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can inject code into the Setup Wizard at runtime to extract CAPTCHA images. [Zen](https://attack.mitre.org/software/S0494) can inject code into the `libc` of running processes to infect them with the malware.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0.json b/mobile-attack/relationship/relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0.json index aa27f2e48f..fb643d5d17 100644 --- a/mobile-attack/relationship/relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0.json +++ b/mobile-attack/relationship/relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--fe8d8092-0ec7-41bc-b14a-7cf19ed6d8f0", + "id": "bundle--50f4ca3a-7793-468e-bf33-f39a295489cc", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0", "type": "relationship", + "id": "relationship--5c7508ae-5d05-49fd-a489-b944d3b45dd0", "created": "2020-12-24T22:04:27.997Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:27.997Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:58.459Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has tracked location.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b.json b/mobile-attack/relationship/relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b.json new file mode 100644 index 0000000000..ce63f74f7b --- /dev/null +++ b/mobile-attack/relationship/relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--8fffbcb0-1560-43d2-9899-0cb19f056b83", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--5ceb24c4-f32d-4eca-ad91-aed9ef8d459b", + "created": "2025-04-10T19:58:19.002Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:58.676Z", + "description": "(Citation: MelikovBlackBerry LightSpy 2024)", + "relationship_type": "uses", + "source_ref": "intrusion-set--18854f55-ac7c-4634-bd9a-352dd07613b7", + "target_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5ced57a7-b674-40d4-98b8-a090963a6ade.json b/mobile-attack/relationship/relationship--5ced57a7-b674-40d4-98b8-a090963a6ade.json index 9386cbc9f8..dd475dae94 100644 --- a/mobile-attack/relationship/relationship--5ced57a7-b674-40d4-98b8-a090963a6ade.json +++ b/mobile-attack/relationship/relationship--5ced57a7-b674-40d4-98b8-a090963a6ade.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--adbc0b60-1332-48d7-a893-a9bf6fc3e3c0", + "id": "bundle--c2c37344-a36e-48ec-bb85-160452580642", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5ced57a7-b674-40d4-98b8-a090963a6ade", "type": "relationship", + "id": "relationship--5ced57a7-b674-40d4-98b8-a090963a6ade", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", - "source_name": "PaloAlto-SpyDealer" + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], - "modified": "2019-09-18T13:45:58.872Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:58.890Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) abuses Accessibility features to steal messages from popular apps such as WeChat, Skype, Viber, and QQ.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f.json b/mobile-attack/relationship/relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f.json index 4b6892cba5..959427a594 100644 --- a/mobile-attack/relationship/relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f.json +++ b/mobile-attack/relationship/relationship--5d0fdc8a-af17-4334-88e6-111aa290b22f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9f3c0a7d-b5de-42a1-8b48-44e27b69b5af", + "id": "bundle--696d8303-5ee3-4a49-ba7a-2f8cd8648187", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T21:18:54.014Z", + "modified": "2025-04-16T21:48:59.093Z", "description": "The user can see a list of applications that can use accessibility services in the device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da.json b/mobile-attack/relationship/relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da.json index 70b07f6020..11d077be06 100644 --- a/mobile-attack/relationship/relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da.json +++ b/mobile-attack/relationship/relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4cdf80ae-8ffd-4917-a476-6e9992182740", + "id": "bundle--667de6d3-eafa-4cd9-a2a1-4ae98abd17a7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da", "type": "relationship", + "id": "relationship--5d2a3a9f-2467-4ac6-ab64-ffe91ec584da", "created": "2021-09-24T14:52:41.308Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2021-09-24T14:52:41.308Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:48:59.321Z", "description": " [Monokle](https://attack.mitre.org/software/S0407) can hook itself to appear invisible to the Process Manager.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5d37400f-80f9-4500-9357-185650e5a7b2.json b/mobile-attack/relationship/relationship--5d37400f-80f9-4500-9357-185650e5a7b2.json index 141603bac6..28294cbc94 100644 
--- a/mobile-attack/relationship/relationship--5d37400f-80f9-4500-9357-185650e5a7b2.json +++ b/mobile-attack/relationship/relationship--5d37400f-80f9-4500-9357-185650e5a7b2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--107ecce7-5018-4cc5-9181-5cebd10c30c8", + "id": "bundle--9b5e6882-4eed-46e7-bf60-ef34a2f1eddf", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:14:02.866Z", + "modified": "2025-04-16T21:48:59.525Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can use HTTP to communicate with the C2 server.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c.json b/mobile-attack/relationship/relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c.json index 54e6759071..2edef7e3d6 100644 --- a/mobile-attack/relationship/relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c.json +++ b/mobile-attack/relationship/relationship--5dc4eaca-ff82-412a-a8dd-168de1857d8c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eded3c03-846b-4b91-8993-c19d410e02a0", + "id": "bundle--1fc35273-ce8b-4ab2-b0f1-c3d7b740d884", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:49:16.069Z", + "modified": "2025-04-16T21:48:59.762Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use input injection via Accessibility Services to simulate user touch inputs, prevent applications from opening, change device settings, and bypass MFA protections.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d.json b/mobile-attack/relationship/relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d.json index 99701e1a73..0b28818711 100644 --- a/mobile-attack/relationship/relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d.json +++ b/mobile-attack/relationship/relationship--5dd9e0aa-e4dc-4776-9580-5a765c2cc08d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7d7e9d01-4627-4dad-ac2c-9dfb9439c339", + "id": "bundle--5b125413-31c1-4d9e-9a17-7717e4862752", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:14:41.449Z", + "modified": "2025-04-16T21:48:59.979Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can intercept SMS messages containing two factor authentication codes.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2.json b/mobile-attack/relationship/relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2.json index 41761bf4f0..e3d9e37bf8 100644 --- a/mobile-attack/relationship/relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2.json +++ b/mobile-attack/relationship/relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--19afea13-67e3-4bde-9e7b-585626a7db43", + "id": "bundle--308b9f53-d3d9-4aa5-b6fe-6bc5d7a0614d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--5de0caa8-81f8-453c-b70c-a74e7ea9e5c2", "created": "2022-03-30T19:12:31.481Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:00.213Z", "description": "", - "modified": "2022-03-30T19:12:31.481Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5e360913-4986-4423-8d3c-46d3202b7787.json b/mobile-attack/relationship/relationship--5e360913-4986-4423-8d3c-46d3202b7787.json index 97d466bb13..3e4bd4ab92 100644 --- a/mobile-attack/relationship/relationship--5e360913-4986-4423-8d3c-46d3202b7787.json +++ b/mobile-attack/relationship/relationship--5e360913-4986-4423-8d3c-46d3202b7787.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a4c7ef4a-be31-47b6-9500-f5e63d67f89a", + "id": "bundle--bc7f7891-d0fb-4218-9941-ca9b3dfc7ed9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--5e360913-4986-4423-8d3c-46d3202b7787", "type": "relationship", + "id": "relationship--5e360913-4986-4423-8d3c-46d3202b7787", "created": "2019-09-04T14:28:15.471Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2019-10-14T17:51:37.979Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:00.409Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the salt used when storing the user\u2019s password, aiding an adversary in computing the user\u2019s plaintext password/PIN from the stored password hash. 
[Monokle](https://attack.mitre.org/software/S0407) can also capture the user\u2019s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e.json b/mobile-attack/relationship/relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e.json index 2415f698a1..b81eec4bfb 100644 --- a/mobile-attack/relationship/relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e.json +++ b/mobile-attack/relationship/relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--33665816-40eb-46c3-a07c-93ac406fd634", + "id": "bundle--a50b0770-0156-481b-9369-6b62bf7986ea", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--5e6cb0d7-6e82-450a-bcf5-e0113e7ad41e", "created": "2024-03-29T15:05:17.290Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-29T15:05:17.290Z", + "modified": "2025-04-16T21:49:00.609Z", "description": "Users should be advised to not trust or install self-signed certificates.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d.json b/mobile-attack/relationship/relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d.json index de9b1c460a..c8d6aba109 100644 --- a/mobile-attack/relationship/relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d.json +++ b/mobile-attack/relationship/relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d.json 
@@ -1,33 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--3d8647a3-d117-4063-a7ae-9e25c1736f94",
+ "id": "bundle--b455cf57-c62f-419c-a054-1798bb3ecad8",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--5e74f4f8-5057-42f4-9796-aee60122cf6d",
 "created": "2019-09-23T13:36:08.451Z",
- "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "securelist rotexy 2018",
- "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/",
- "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019."
+ "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.",
+ "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/"
 }
 ],
- "x_mitre_deprecated": false,
- "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:00.826Z",
 "description": "[Rotexy](https://attack.mitre.org/software/S0411) procedurally generates subdomains for command and control communication.(Citation: securelist rotexy 2018)",
- "modified": "2022-04-12T10:01:44.682Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "relationship_type": "uses",
 "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063",
 "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline
at end of file
diff --git a/mobile-attack/relationship/relationship--5e95ca90-bf75-4031-a28f-f8565c02185c.json b/mobile-attack/relationship/relationship--5e95ca90-bf75-4031-a28f-f8565c02185c.json
index 7437823648..4164ca043d 100644
--- a/mobile-attack/relationship/relationship--5e95ca90-bf75-4031-a28f-f8565c02185c.json
+++ b/mobile-attack/relationship/relationship--5e95ca90-bf75-4031-a28f-f8565c02185c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--05cabf4c-3e13-4f35-9cdd-d632a1243799",
+ "id": "bundle--c99718b4-c2dc-4e0f-9ed0-aeea1f3c7b3b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:23:49.569Z",
+ "modified": "2025-04-16T21:49:01.026Z",
 "description": "[GPlayed](https://attack.mitre.org/software/S0536) can lock the user out of the device by showing a persistent overlay.(Citation: Talos GPlayed)",
 "relationship_type": "uses",
 "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a",
 "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2.json b/mobile-attack/relationship/relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2.json
index 4a4e62ad32..4df740668f 100644
--- a/mobile-attack/relationship/relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2.json
+++ b/mobile-attack/relationship/relationship--5ec3fcbb-d2ac-44ba-a2d4-99e7ddacf3a2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f877119a-b5d6-4592-9004-f0d79a3a8c1a",
+ "id": "bundle--23f97beb-632b-44cd-8926-5cf05a5f6a11",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-08T17:05:08.407Z",
+ "modified": "2025-04-16T21:49:01.259Z",
 "description": "The user can examine the list of all installed applications in the device settings. ",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
 "target_ref": "attack-pattern--fc53309d-ebd5-4573-9242-57024ebdad4f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5.json b/mobile-attack/relationship/relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5.json
index 42dc397371..e8371fb227 100644
--- a/mobile-attack/relationship/relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5.json
+++ b/mobile-attack/relationship/relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--9f824e00-7523-4616-b75b-2cc478ff18c8",
+ "id": "bundle--7d7a65df-2644-4b4b-b2a1-de210c58f1d7",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--5fb59cf9-9af5-4dd5-9878-dda2ba228ae5",
 "created": "2023-12-18T18:12:37.010Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -23,16 +24,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-12-18T18:12:37.010Z",
+ "modified": "2025-04-16T21:49:01.459Z",
 "description": "[BRATA](https://attack.mitre.org/software/S1094) has employed code obfuscation and encryption of configuration files.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)",
 "relationship_type": "uses",
 "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4",
 "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1.json b/mobile-attack/relationship/relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1.json
index e82e5685e5..b482f157ae 100644
--- a/mobile-attack/relationship/relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1.json
+++ b/mobile-attack/relationship/relationship--6001f77a-da30-4ebc-85fd-5bf9afe5f0a1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--89575430-1cd7-4033-ad3d-caa5cb0e778f",
+ "id": "bundle--6138b139-795c-4a2b-99dc-5fe273627864",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-08T15:26:59.132Z",
+ "modified": "2025-04-16T21:49:01.672Z",
 "description": "Application vetting services can detect when an application requests administrator permission.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
 "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24.json b/mobile-attack/relationship/relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24.json
index 0ad0a17fab..205228c47a 100644
--- a/mobile-attack/relationship/relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24.json
+++ b/mobile-attack/relationship/relationship--603df08f-22d3-4418-9151-4b3a3c9c7c24.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--075ab202-09ae-4c4e-852a-35e10247c8f7",
+ "id": "bundle--760183cc-ed04-4267-b691-ab3d55701b60",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-10T21:03:10.023Z",
+ "modified": "2025-04-16T21:49:01.873Z",
 "description": "Mobile security products can potentially detect rogue Wi-Fi access points if the adversary is attempting to decrypt traffic using an untrusted SSL certificate. ",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba",
 "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--60439118-3ceb-490b-9df5-e35e7fca9009.json b/mobile-attack/relationship/relationship--60439118-3ceb-490b-9df5-e35e7fca9009.json
index c3205184a1..654ab8b0e7 100644
--- a/mobile-attack/relationship/relationship--60439118-3ceb-490b-9df5-e35e7fca9009.json
+++ b/mobile-attack/relationship/relationship--60439118-3ceb-490b-9df5-e35e7fca9009.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e62515d9-7c2d-4392-a949-4feb25ac3037",
+ "id": "bundle--76ccae75-4aa2-4144-8f63-2f3ce7bae068",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-04-15T21:39:13.963Z",
+ "modified": "2025-04-16T21:49:02.072Z",
 "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to receive the following broadcast events to establish persistence: `BOOT_COMPLETED`, `BATTERY_LOW`,`USER_PRESENT`, `SCREEN_ON`, `SCREEN_OFF`, or `CONNECTIVITY_CHANGE`.(Citation: welivesec_strongpity) ",
 "relationship_type": "uses",
 "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4",
 "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--605d95a1-0493-418e-9d81-de58531c4421.json b/mobile-attack/relationship/relationship--605d95a1-0493-418e-9d81-de58531c4421.json
index 50d24a9351..8b6d540091 100644
--- a/mobile-attack/relationship/relationship--605d95a1-0493-418e-9d81-de58531c4421.json
+++ b/mobile-attack/relationship/relationship--605d95a1-0493-418e-9d81-de58531c4421.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--1a2553c7-f836-43fb-972d-0e03fe8d4398",
+ "id": "bundle--12eabae9-8103-49e3-890b-d358c1b0e79d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T20:04:31.136Z",
+ "modified": "2025-04-16T21:49:02.283Z",
 "description": "[Concipit1248](https://attack.mitre.org/software/S0426) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)",
 "relationship_type": "uses",
 "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853",
 "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--606b07b9-b5a4-464f-8381-062e2134d0ab.json b/mobile-attack/relationship/relationship--606b07b9-b5a4-464f-8381-062e2134d0ab.json
index c293958645..5c44a5688d 100644
--- a/mobile-attack/relationship/relationship--606b07b9-b5a4-464f-8381-062e2134d0ab.json
+++ b/mobile-attack/relationship/relationship--606b07b9-b5a4-464f-8381-062e2134d0ab.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--8412ea25-b1ed-4685-9ec0-92fe6da67929",
+ "id": "bundle--0539f1b9-85aa-45d3-bb4a-d89baeb557dd",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--606b07b9-b5a4-464f-8381-062e2134d0ab",
 "created": "2023-12-18T18:14:22.223Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -23,16 +24,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-12-18T18:14:22.223Z",
+ "modified": "2025-04-16T21:49:02.491Z",
 "description": "[BRATA](https://attack.mitre.org/software/S1094) can remove installed antivirus applications as well as disable Google Play Protect.(Citation: cleafy_brata_0122)(Citation: mcafee_brata_0421)",
 "relationship_type": "uses",
 "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4",
 "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--60782df8-1e96-48eb-a6b7-843c94b32b59.json b/mobile-attack/relationship/relationship--60782df8-1e96-48eb-a6b7-843c94b32b59.json
index fb5881b37d..d27977c6bc 100644
--- a/mobile-attack/relationship/relationship--60782df8-1e96-48eb-a6b7-843c94b32b59.json
+++ b/mobile-attack/relationship/relationship--60782df8-1e96-48eb-a6b7-843c94b32b59.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e8704c02-0ae2-4469-b4c1-9ef697fb3bf6",
+ "id": "bundle--d689739b-d210-48f8-9d35-aec1898411f5",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-03-29T21:33:52.290Z",
+ "modified": "2025-04-16T21:49:02.710Z",
 "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can hide its application icon.(Citation: threatfabric_sova_0921)",
 "relationship_type": "uses",
 "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36",
 "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7.json b/mobile-attack/relationship/relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7.json
index 9a7e9fd7c2..41eee425d0 100644
--- a/mobile-attack/relationship/relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7.json
+++ b/mobile-attack/relationship/relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7.json
@@ -1,33 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--ffa6bc1b-13cf-45e0-a320-3b6efdb8a02c",
+ "id": "bundle--55066c4f-b136-4eea-a4cb-9365df1bdb6e",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--6086e1e2-1b39-4ff2-910e-4a4eb86d57b7",
 "created": "2017-12-14T16:46:06.044Z",
- "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "Lookout-BrainTest",
- "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/",
- "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play. Retrieved December 21, 2016."
+ "description": "Chris Dehghanpoor. (2016, January 6). Brain Test re-emerges: 13 apps found in Google Play Read more: Brain Test re-emerges: 13 apps found in Google Play.
Retrieved December 21, 2016.",
+ "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
 }
 ],
- "x_mitre_deprecated": false,
- "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:02.920Z",
 "description": "[BrainTest](https://attack.mitre.org/software/S0293) provided capabilities that allowed developers to use compromised devices to post positive reviews on their own malicious applications as well as download other malicious applications they had submitted to the Play Store.(Citation: Lookout-BrainTest)",
- "modified": "2022-04-19T14:25:41.669Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "relationship_type": "uses",
 "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
 "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--609ec9f8-f702-444b-b837-72a0880d429b.json b/mobile-attack/relationship/relationship--609ec9f8-f702-444b-b837-72a0880d429b.json
index 6a7d8a78f1..814fa171b5 100644
--- a/mobile-attack/relationship/relationship--609ec9f8-f702-444b-b837-72a0880d429b.json
+++ b/mobile-attack/relationship/relationship--609ec9f8-f702-444b-b837-72a0880d429b.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--9cc970bc-2f16-4747-b6f3-716d696ed9d7",
+ "id": "bundle--c1f7dbae-2528-47d4-8253-edd227cbf264",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--609ec9f8-f702-444b-b837-72a0880d429b",
 "created": "2023-09-22T19:17:01.704Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-09-22T19:17:01.704Z",
+ "modified": "2025-04-16T21:49:03.127Z",
 "description": "The user may view applications with administrator access through the device settings and may also notice if user data is inexplicably missing. ",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
 "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--60ad088f-3133-4b0c-a441-e1e06fff1765.json b/mobile-attack/relationship/relationship--60ad088f-3133-4b0c-a441-e1e06fff1765.json
index ef60917201..61123f2ddc 100644
--- a/mobile-attack/relationship/relationship--60ad088f-3133-4b0c-a441-e1e06fff1765.json
+++ b/mobile-attack/relationship/relationship--60ad088f-3133-4b0c-a441-e1e06fff1765.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e5d00d81-611e-4dc6-a73a-3238676e25b9",
+ "id": "bundle--682dbaf3-a3bf-42ad-a327-262a137ec495",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-03-29T21:34:29.147Z",
+ "modified": "2025-04-16T21:49:03.367Z",
 "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can gather data about the device.(Citation: threatfabric_sova_0921)",
 "relationship_type": "uses",
 "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36",
 "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--60da837d-a635-4533-b96a-db2689cc4771.json b/mobile-attack/relationship/relationship--60da837d-a635-4533-b96a-db2689cc4771.json
new file mode 100644
index 0000000000..4f17ad67a4
--- /dev/null
+++ b/mobile-attack/relationship/relationship--60da837d-a635-4533-b96a-db2689cc4771.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--8c632ef3-29c7-41d8-94e4-7dfaa0c482d6",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--60da837d-a635-4533-b96a-db2689cc4771",
+ "created": "2024-04-02T19:39:49.029Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "welivesecurity_apt-c-23",
+ "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.",
+ "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:03.578Z",
+ "description": "[SpyC23](https://attack.mitre.org/software/S1195) can send SMS messages.(Citation: welivesecurity_apt-c-23)",
+ "relationship_type": "uses",
+ "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807",
+ "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb.json b/mobile-attack/relationship/relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb.json
index 912c49a722..8ce368c75b 100644
--- a/mobile-attack/relationship/relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb.json
+++ b/mobile-attack/relationship/relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--75eabf0c-d1df-4aa9-a730-a537d65a7e81",
+ "id": "bundle--63f86768-b2ea-4ce1-9c2d-a92c42d3e505",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb",
 "type": "relationship",
+ "id": "relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb",
 "created": "2020-01-27T17:05:58.308Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
+ "source_name": "Trend Micro Bouncing Golf 2019",
 "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/",
- "source_name": "Trend Micro Bouncing Golf 2019"
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"
 }
 ],
- "modified": "2020-01-27T17:05:58.308Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:03.803Z",
 "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encodes its configurations using a customized algorithm.(Citation: Trend Micro Bouncing Golf 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c",
 "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
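Review bot: The new side of relationship--60db521a-ae2d-4a9a-8c6d-47a5528f1ecb carries neither `revoked` nor `x_mitre_deprecated`, while the other relationship objects touched in this commit state both explicitly as `false`; the hunk for relationship--61550ef4-41f0-4354-af5c-f47db8aca654 has the same gap. A consumer that drops revoked or deprecated entries by reading those keys directly has to treat a missing key as `false`, otherwise these two objects are handled differently from their neighbours. Whether the exporter omits the keys on purpose for objects that never had them is not visible here. If it is not intended, the new side would gain `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`, matching the key order of the neighbouring files.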
diff --git a/mobile-attack/relationship/relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113.json b/mobile-attack/relationship/relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113.json
index 9d1be9eae0..f084fd6c09 100644
--- a/mobile-attack/relationship/relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113.json
+++ b/mobile-attack/relationship/relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113.json
@@ -1,33 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--16283f33-db4d-46de-a8e9-52c8f83a5e1b",
+ "id": "bundle--a8e81b8c-a4e2-451a-83f9-73cfb14839f8",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--60e2ebd0-90dc-4131-ba4f-adc9b49ec113",
 "created": "2020-06-26T15:32:25.032Z",
- "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "Threat Fabric Cerberus",
- "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html",
- "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020."
+ "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.",
+ "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
 }
 ],
- "x_mitre_deprecated": false,
- "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:04.024Z",
 "description": "[Cerberus](https://attack.mitre.org/software/S0480) can generate fake notifications and launch overlay attacks against attacker-specified applications.(Citation: Threat Fabric Cerberus)",
- "modified": "2022-04-12T10:01:44.682Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "relationship_type": "uses",
 "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9",
 "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\
No newline at end of file
diff --git a/mobile-attack/relationship/relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3.json b/mobile-attack/relationship/relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3.json
index 5a72e642a0..d647b8f045 100644
--- a/mobile-attack/relationship/relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3.json
+++ b/mobile-attack/relationship/relationship--60ecd154-e907-419a-b41d-1a9a1f59e7c3.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d85d3a20-93e0-438b-9528-71d8a1396350",
+ "id": "bundle--16570885-9440-41e3-983a-2a012eca9f29",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T20:36:27.557Z",
+ "modified": "2025-04-16T21:49:04.258Z",
 "description": "[Pallas](https://attack.mitre.org/software/S0399) has the ability to delete attacker-specified files from compromised devices.(Citation: Lookout Dark Caracal Jan 2018)",
 "relationship_type": "uses",
 "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
 "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71.json b/mobile-attack/relationship/relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71.json
index 33b22f6cdc..b5c7bdfa0b 100644
--- a/mobile-attack/relationship/relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71.json
+++ b/mobile-attack/relationship/relationship--61071d73-fcdf-4820-afd0-e3f0983e0a71.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f47fd9c2-6911-4f6e-b760-af5fb2c56cd8",
+ "id": "bundle--84feb0a3-5537-4fca-8470-407b29b2b0eb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:01:46.513Z",
+ "modified": "2025-04-16T21:49:04.468Z",
 "description": "[Dark Caracal](https://attack.mitre.org/groups/G0070) controls implants using standard HTTP communication.(Citation: Lookout Dark Caracal Jan 2018) ",
 "relationship_type": "uses",
 "source_ref": "intrusion-set--8a831aaa-f3e0-47a3-bed8-a9ced744dd12",
 "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--61550ef4-41f0-4354-af5c-f47db8aca654.json b/mobile-attack/relationship/relationship--61550ef4-41f0-4354-af5c-f47db8aca654.json
index e292383cfc..9d882c9b98 100644
--- a/mobile-attack/relationship/relationship--61550ef4-41f0-4354-af5c-f47db8aca654.json
+++ b/mobile-attack/relationship/relationship--61550ef4-41f0-4354-af5c-f47db8aca654.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--06b95524-300e-4b53-ab6d-eca5e4c64fe7", + "id": "bundle--87ef7dba-47ad-46c2-9245-58d5102e0191", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--61550ef4-41f0-4354-af5c-f47db8aca654", "type": "relationship", + "id": "relationship--61550ef4-41f0-4354-af5c-f47db8aca654", "created": "2020-06-02T14:32:31.910Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", - "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", - "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], - "modified": "2020-06-02T14:32:31.910Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:04.696Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c.json b/mobile-attack/relationship/relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c.json index 1264fb02cf..201794658d 100644 --- a/mobile-attack/relationship/relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c.json +++ b/mobile-attack/relationship/relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c11dd68d-b897-4569-b2d8-64d0cdfb613b", + "id": "bundle--032d7ced-8501-4bfe-94cc-166131a32f17", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c", "type": "relationship", + "id": "relationship--6176a297-3097-42e2-b1c2-815e7fd8c81c", "created": "2020-01-21T15:29:27.041Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", - "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", - "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], - "modified": "2020-01-21T15:29:27.041Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:04.893Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can download attacker-specified files.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95.json b/mobile-attack/relationship/relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95.json new file mode 100644 index 0000000000..2e91f796ad --- /dev/null +++ b/mobile-attack/relationship/relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a40cb578-b17e-4f2f-ab59-37f736bc4967", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--618ec7db-fb08-4693-905b-49e9e2a0ad95", + "created": "2025-03-28T15:06:20.821Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:05.096Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of processes.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544.json b/mobile-attack/relationship/relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544.json index 57288e689b..99be51b062 100644 
--- a/mobile-attack/relationship/relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544.json +++ b/mobile-attack/relationship/relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--0fae0da6-faa5-4212-9c1a-e4b5c7587a08", + "id": "bundle--24c07245-4549-4468-acd1-08dc60356b5c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--6209cccd-2877-4941-ac0c-bec3ba7a5544", "created": "2022-04-05T19:40:25.071Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:05.321Z", "description": "", - "modified": "2022-04-05T19:40:25.071Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--6f86d346-f092-4abc-80df-8558a90c426a", "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc.json b/mobile-attack/relationship/relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc.json index ba1137ba0e..f6114ccdc5 100644 --- a/mobile-attack/relationship/relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc.json +++ b/mobile-attack/relationship/relationship--62623afc-8222-4d59-b5d0-7bc1ccc7fadc.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5c2eb48-05bd-4fd1-8aed-73bb2884738e", + "id": "bundle--4f538ffb-1ad6-4b82-b5f1-689ab58ca042", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:35:04.072Z", + "modified": "2025-04-16T21:49:05.526Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can silently intercept and manipulate notifications. [S.O.V.A.](https://attack.mitre.org/software/S1062) can also inject cookies via push notifications.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213.json b/mobile-attack/relationship/relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213.json index b520a8c6d4..6dd7daa6b6 100644 --- a/mobile-attack/relationship/relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213.json +++ b/mobile-attack/relationship/relationship--626d4c6c-97e4-4aa3-922b-c1a81e677213.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b8bf40a-9d91-42d8-b5ec-aa6aace592c4", + "id": "bundle--fef2a31c-1911-437f-8a09-e5f10d19b84a", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T17:18:06.656Z", + "modified": "2025-04-16T21:49:05.752Z", "description": "Application vetting services can detect malicious code in applications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d.json b/mobile-attack/relationship/relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d.json index 29bf5f5831..08a6e94197 100644 --- a/mobile-attack/relationship/relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d.json +++ b/mobile-attack/relationship/relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--eaf86ecc-aee3-4186-9f0c-94510a27a099", + "id": "bundle--7e112c10-ea4f-429b-9c14-5dd01eaaf356", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--628435f7-7d1e-40f1-a29a-7c5861b14c7d", "created": "2022-03-30T20:13:40.625Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:05.962Z", "description": "Users should be shown what a synthetic activity looks like so they can scrutinize them in the future.", - "modified": "2022-03-30T20:13:40.625Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f.json b/mobile-attack/relationship/relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f.json index 8265d90c04..6487dd7df1 100644 --- a/mobile-attack/relationship/relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f.json +++ b/mobile-attack/relationship/relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--1bf97698-4785-44fb-860f-bae011f63ad0", + "id": "bundle--060b9e63-286c-4693-a975-d171b9f55f6a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f", "type": "relationship", + "id": "relationship--6294e276-e4ac-4097-a5cd-3b81e0d4498f", "created": "2020-12-14T15:02:35.287Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", - "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", - "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], - "modified": "2020-12-14T15:02:35.290Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:06.166Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has implemented functions in native code.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6.json b/mobile-attack/relationship/relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6.json index 8d57f3962c..1e8d83e21d 100644 
--- a/mobile-attack/relationship/relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6.json +++ b/mobile-attack/relationship/relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--413a76bc-5ba6-4d77-96ac-bb37443a9dcb", + "id": "bundle--29c171f6-5d00-43cc-a021-c32420eb7cb2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--62cc60d9-1581-4a0f-b7e2-a18d386511e6", "created": "2022-03-30T13:48:43.977Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:06.375Z", "description": "Mobile security products can typically detect jailbroken or rooted devices. ", - "modified": "2022-03-30T13:48:43.977Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6315b6ec-35f8-4b28-8603-664664311a33.json b/mobile-attack/relationship/relationship--6315b6ec-35f8-4b28-8603-664664311a33.json index 218420e8d6..e7a5cd8639 100644 --- a/mobile-attack/relationship/relationship--6315b6ec-35f8-4b28-8603-664664311a33.json +++ b/mobile-attack/relationship/relationship--6315b6ec-35f8-4b28-8603-664664311a33.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--817bf0e9-d6e5-4855-8bac-6437ac643545", + "id": "bundle--f07a7d82-d42c-41c8-9851-17bee05ffc89", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--6315b6ec-35f8-4b28-8603-664664311a33", "created": "2023-08-16T16:44:53.770Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:44:53.770Z", + "modified": "2025-04-16T21:49:06.578Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can read the name of application packages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--634071ce-d386-4143-8e6e-b88bc077de6d.json b/mobile-attack/relationship/relationship--634071ce-d386-4143-8e6e-b88bc077de6d.json index 01a5c09ca1..5c0bf573a0 100644 --- a/mobile-attack/relationship/relationship--634071ce-d386-4143-8e6e-b88bc077de6d.json +++ b/mobile-attack/relationship/relationship--634071ce-d386-4143-8e6e-b88bc077de6d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--1152e802-cd52-4c95-a22e-f25912a7f246", + "id": "bundle--766f9cf5-6618-4388-b4c2-7a255beed5c1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--634071ce-d386-4143-8e6e-b88bc077de6d", "type": "relationship", + "id": "relationship--634071ce-d386-4143-8e6e-b88bc077de6d", "created": "2020-07-27T14:14:56.961Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", - "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", - "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], - "modified": "2020-08-10T22:18:20.782Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:06.813Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can dynamically load executable code from remote sources.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a.json b/mobile-attack/relationship/relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a.json index dbda1a8041..d7a6fcdfe1 100644 --- a/mobile-attack/relationship/relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a.json +++ b/mobile-attack/relationship/relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--4fb970ac-8baa-489a-9f6a-0c5882707baa", + "id": "bundle--3f147f99-d3d0-4200-86ad-6092d7b196cc", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a", "type": "relationship", + "id": "relationship--638f3d4b-f1d4-4c61-91a0-7c125ef8437a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:07.013Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) was distributed through a web site by exploiting vulnerabilities in the Safari web browser on iOS devices.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--63e67cba-4eae-4495-8897-2610103a0c41.json b/mobile-attack/relationship/relationship--63e67cba-4eae-4495-8897-2610103a0c41.json index 94974550f2..2e54a8a4e0 100644 --- a/mobile-attack/relationship/relationship--63e67cba-4eae-4495-8897-2610103a0c41.json +++ b/mobile-attack/relationship/relationship--63e67cba-4eae-4495-8897-2610103a0c41.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--1d217d6a-7d1e-4d80-8c28-99558ab47c90", + "id": "bundle--b76ed39c-191a-48eb-b49b-3c84abf58572", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--63e67cba-4eae-4495-8897-2610103a0c41", "type": "relationship", + "id": "relationship--63e67cba-4eae-4495-8897-2610103a0c41", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:07.226Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) exploits iOS vulnerabilities to escalate privileges.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--642a2599-a50c-480c-8e07-2a3a217f4a46.json b/mobile-attack/relationship/relationship--642a2599-a50c-480c-8e07-2a3a217f4a46.json index bfce4cd79f..ad92686923 100644 --- a/mobile-attack/relationship/relationship--642a2599-a50c-480c-8e07-2a3a217f4a46.json +++ b/mobile-attack/relationship/relationship--642a2599-a50c-480c-8e07-2a3a217f4a46.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f738e3f6-24dc-4d1d-b37e-693171704073", + "id": "bundle--eb5dd1fa-5397-4b81-8b5c-d29e7fc97421", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--642a2599-a50c-480c-8e07-2a3a217f4a46", "created": "2023-07-21T19:52:13.807Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:52:13.807Z", + "modified": "2025-04-16T21:49:07.434Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can turn on a device\u2019s microphone to capture audio.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--64489abc-5c2f-4620-833d-9ac010040955.json b/mobile-attack/relationship/relationship--64489abc-5c2f-4620-833d-9ac010040955.json index 306ca53eb9..c548176ba8 100644 
--- a/mobile-attack/relationship/relationship--64489abc-5c2f-4620-833d-9ac010040955.json +++ b/mobile-attack/relationship/relationship--64489abc-5c2f-4620-833d-9ac010040955.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--80ee2bb5-a9cc-4b14-82e0-352984ff71a6", + "id": "bundle--6a93eebf-f56d-46e9-a8e3-d5c98559bc5b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--64489abc-5c2f-4620-833d-9ac010040955", "created": "2023-08-14T16:19:54.684Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -23,16 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:19:54.684Z", + "modified": "2025-04-16T21:49:07.649Z", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda.json b/mobile-attack/relationship/relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda.json index 69e2dc8ad8..7262d78433 100644 --- a/mobile-attack/relationship/relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda.json +++ b/mobile-attack/relationship/relationship--644a19d3-c94f-40d9-87ac-02ef20b14eda.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--83aeb17d-47a8-44b1-807f-899b9f7a5fc1", + "id": "bundle--a27c09b5-56ea-40ac-987a-3a3223f452ea", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:16:28.481Z", + "modified": "2025-04-16T21:49:07.852Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself microphone permissions.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65.json b/mobile-attack/relationship/relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65.json index bb69f8cb4e..45a0d48377 100644 --- a/mobile-attack/relationship/relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65.json +++ b/mobile-attack/relationship/relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a3d6d1fc-d023-4edd-a1f0-adc4fadebdfd", + "id": "bundle--212379f1-148f-4fbc-a191-de5d40e5d629", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65", "type": "relationship", + "id": "relationship--64ddcf35-dbf0-4b9f-bf07-1e0bde8bbe65", "created": "2021-04-19T17:05:42.574Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2021-04-19T17:05:42.574Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:08.065Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has collected files from the infected device.(Citation: Lookout Uyghur Campaign)\t", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff.json b/mobile-attack/relationship/relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff.json index fe04b2bdf9..f5018ccfd6 100644 --- a/mobile-attack/relationship/relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff.json +++ b/mobile-attack/relationship/relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ba70d7a2-6cd7-4456-9550-e25afb43a2cc", + "id": "bundle--885302b2-9c5d-4f2e-9d64-917c91ce5dad", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff", "type": "relationship", + "id": "relationship--6556536c-d5ea-4a3d-ae48-4016d4d762ff", "created": "2019-09-04T14:28:16.478Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2019-10-14T17:52:48.001Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:08.277Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. 
[Monokle](https://attack.mitre.org/software/S0407) can also abuse accessibility features to read the screen to capture data from a large number of popular applications.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e.json b/mobile-attack/relationship/relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e.json index 658e3d0a82..ceb7825817 100644 --- a/mobile-attack/relationship/relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e.json +++ b/mobile-attack/relationship/relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--bf6d62c8-efe2-4e39-95d7-4c4b5f951acc", + "id": "bundle--4e9d5516-75c9-4074-a239-2ffedcadf1b7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e", "type": "relationship", + "id": "relationship--657f1d8c-3982-4ee5-95dc-c8ec3164cb2e", "created": "2020-07-15T20:20:59.382Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.382Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:08.491Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has communicated with the C2 server over TCP port 7777.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4.json b/mobile-attack/relationship/relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4.json index 7ade411ec0..21e8bbaf7d 100644 --- a/mobile-attack/relationship/relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4.json +++ b/mobile-attack/relationship/relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--58c4a755-fa1d-4b8b-8ef8-09c682c4d0f6", + "id": "bundle--6b28b97a-d417-453f-b5fa-81bebf8f120a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4", "type": "relationship", + "id": "relationship--65803bfa-7601-44ad-95ea-64d8bfd778a4", "created": "2020-04-08T15:51:25.157Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", - "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", - "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], - "modified": "2020-04-08T15:51:25.157Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:08.711Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can capture device screenshots and stream them back to the C2.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28.json b/mobile-attack/relationship/relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28.json index 5aeb6ecb9f..9a347c00c5 100644 --- a/mobile-attack/relationship/relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28.json +++ b/mobile-attack/relationship/relationship--6588186c-2fa1-408d-bef4-2d63ccf49c28.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--710c8964-4023-461f-ac20-c8dfd7814b48", + "id": "bundle--136c9e91-02f5-48ce-9d12-4cc024c84ce3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.533Z", + "modified": "2025-04-16T21:49:08.913Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has masqueraded as popular South Korean applications.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6588914f-d270-47d3-b889-046564ad616f.json b/mobile-attack/relationship/relationship--6588914f-d270-47d3-b889-046564ad616f.json index 079e9af6f7..6ea272578b 100644 --- a/mobile-attack/relationship/relationship--6588914f-d270-47d3-b889-046564ad616f.json +++ b/mobile-attack/relationship/relationship--6588914f-d270-47d3-b889-046564ad616f.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--790f11c2-d276-4bf1-87d5-8ef54a915eca", + "id": "bundle--6fcf35f1-4446-4b2d-919d-7d0d9bf08351", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--6588914f-d270-47d3-b889-046564ad616f", "created": "2023-08-16T16:35:21.853Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:35:21.853Z", + "modified": "2025-04-16T21:49:09.125Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can gather SMS messages.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61.json b/mobile-attack/relationship/relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61.json index 2786e0b8a3..64e483074f 100644 --- a/mobile-attack/relationship/relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61.json +++ b/mobile-attack/relationship/relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c79a996e-a5be-48d6-88fd-2fad5251b414", + "id": "bundle--b8c2a0f1-57f4-404b-a1b2-00888e24ff2e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61", "type": "relationship", + "id": "relationship--65a24b75-4bb0-441a-8cb2-a34077b13f61", "created": "2020-01-27T17:05:58.201Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "source_name": "Trend Micro Bouncing Golf 2019" + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-03-26T20:50:07.154Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:09.377Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can collect local accounts on the device, pictures, bookmarks/histories of the default browser, and files stored on the SD card. [GolfSpy](https://attack.mitre.org/software/S0421) can list image, audio, video, and other files stored on the device. 
[GolfSpy](https://attack.mitre.org/software/S0421) can copy arbitrary files from the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--65acbbe2-48e1-4fba-a781-39fb040a711d.json b/mobile-attack/relationship/relationship--65acbbe2-48e1-4fba-a781-39fb040a711d.json index 8d0a2f44d8..8b25fbf1dc 100644 --- a/mobile-attack/relationship/relationship--65acbbe2-48e1-4fba-a781-39fb040a711d.json +++ b/mobile-attack/relationship/relationship--65acbbe2-48e1-4fba-a781-39fb040a711d.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--7b48c855-7afe-498d-8c70-e5d4b5b95734", + "id": "bundle--8f5c3b3d-1b3c-45a3-8f8f-f36ea7fbfb28", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--65acbbe2-48e1-4fba-a781-39fb040a711d", "type": "relationship", + "id": "relationship--65acbbe2-48e1-4fba-a781-39fb040a711d", "created": "2019-09-03T19:45:48.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-09-11T13:25:19.178Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:09.582Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) One, after checking in, sends a POST request and then downloads [Exodus](https://attack.mitre.org/software/S0405) Two, the second stage binaries.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a.json b/mobile-attack/relationship/relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a.json index a590ec6760..78bb5eef69 100644 --- a/mobile-attack/relationship/relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a.json +++ b/mobile-attack/relationship/relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--6a0ba6c6-bdb6-4379-8a57-3ad0e9f9071d", + "id": "bundle--d4f8475e-8e3a-4a1f-81aa-795cb6aeb542", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--65dc7cc1-e047-4087-8b2b-7d0d0f67576a", "created": "2023-08-16T16:34:14.088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:34:14.088Z", + "modified": "2025-04-16T21:49:09.807Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can perform overlay attacks against a device by injecting HTML phishing pages into a webview.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed.json b/mobile-attack/relationship/relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed.json index b661794c9e..4e47e347a6 100644 
--- a/mobile-attack/relationship/relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed.json +++ b/mobile-attack/relationship/relationship--6603a556-9732-4f8b-ac9c-5c3949b251ed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d8da42d-1405-409c-9f02-50cbfed3ab1b", + "id": "bundle--cbb595ef-768b-44e2-bb49-c18f317f2305", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T22:25:08.129Z", + "modified": "2025-04-16T21:49:10.017Z", "description": "Android 11 and above implement application hibernation, which can hibernate an application that has not been used for a few months and can reset the application\u2019s permission requests.(Citation: app_hibernation)", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574.json b/mobile-attack/relationship/relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574.json index 2826cbaa68..305180b9ed 100644 --- a/mobile-attack/relationship/relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574.json +++ b/mobile-attack/relationship/relationship--6609b892-d388-4b8a-ac21-5cbf12e0d574.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f181829a-f2ea-4c8f-9ad7-81be0238a57a", + "id": "bundle--3414dba7-361b-466d-8462-4f3e60ac2669", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.701Z", + "modified": "2025-04-16T21:49:10.271Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) has pretended to be an Adobe Flash Player installer.(Citation: Forbes Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--66132260-65d1-4bf5-8200-abdb2014be6f.json b/mobile-attack/relationship/relationship--66132260-65d1-4bf5-8200-abdb2014be6f.json index 5d60a7e134..b6b161ae21 100644 --- a/mobile-attack/relationship/relationship--66132260-65d1-4bf5-8200-abdb2014be6f.json +++ b/mobile-attack/relationship/relationship--66132260-65d1-4bf5-8200-abdb2014be6f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--37fefc73-d851-4a3a-a2d8-2c689d1c6961", + "id": "bundle--4481311f-2258-425a-9ccd-0abc55381fb7", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:51:12.881Z", + "modified": "2025-04-16T21:49:10.474Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can detect if it is running in an emulator and adjust its behavior accordingly.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519.json b/mobile-attack/relationship/relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519.json index f455ac2cc2..4f5c03bf03 100644 --- a/mobile-attack/relationship/relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519.json +++ b/mobile-attack/relationship/relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--28f94bd0-62a2-4c71-a532-ce66c88eae62", + "id": "bundle--f39080bb-668c-4704-9909-86ca91835925", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--6661823b-4fdd-4879-ad5d-64c9a4b12519", "created": "2022-04-05T17:03:53.457Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:10.690Z", "description": "", - "modified": "2022-04-05T17:03:53.457Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--66ba3094-7c14-41b9-b7c1-814d026156b9.json b/mobile-attack/relationship/relationship--66ba3094-7c14-41b9-b7c1-814d026156b9.json index f609a9011b..45d4d30691 100644 --- a/mobile-attack/relationship/relationship--66ba3094-7c14-41b9-b7c1-814d026156b9.json +++ b/mobile-attack/relationship/relationship--66ba3094-7c14-41b9-b7c1-814d026156b9.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a6833622-d1eb-4c75-87c1-4909829e1fda", + "id": "bundle--7c5fca47-8498-4ffe-ba83-bd2e48ea8a6a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--66ba3094-7c14-41b9-b7c1-814d026156b9", "type": "relationship", + "id": "relationship--66ba3094-7c14-41b9-b7c1-814d026156b9", "created": "2020-09-11T15:58:40.846Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-09-11T15:58:40.846Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:10.890Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can delete and send SMS messages.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42.json b/mobile-attack/relationship/relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42.json index a30c103989..43e592b452 100644 
--- a/mobile-attack/relationship/relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42.json +++ b/mobile-attack/relationship/relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0c2f85c2-18c0-4d4f-b832-3b5c56ecad97", + "id": "bundle--aadbcb93-ce1d-4ab8-b4ca-66953456f58b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42", "type": "relationship", + "id": "relationship--66c7fdcf-b9ef-429e-81b2-e97e971cfb42", "created": "2020-11-10T17:08:35.593Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-11-10T17:08:35.593Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:11.097Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has seen native libraries used in some reported samples (Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--66fb8a34-9d48-4599-a56e-19b057380030.json b/mobile-attack/relationship/relationship--66fb8a34-9d48-4599-a56e-19b057380030.json index b5c20fe006..b3bec9ffa8 100644 --- a/mobile-attack/relationship/relationship--66fb8a34-9d48-4599-a56e-19b057380030.json +++ b/mobile-attack/relationship/relationship--66fb8a34-9d48-4599-a56e-19b057380030.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--063a74db-01a4-40e7-a3b6-de6fe8f2b4ce", + "id": "bundle--9790c4e8-6e7d-4d17-a0be-2be6262ede7b", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:04:38.833Z", + "modified": "2025-04-16T21:49:11.315Z", "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6701f90c-6fce-4f7b-a785-a585601d366a.json b/mobile-attack/relationship/relationship--6701f90c-6fce-4f7b-a785-a585601d366a.json new file mode 100644 index 0000000000..8f449bf422 --- /dev/null +++ b/mobile-attack/relationship/relationship--6701f90c-6fce-4f7b-a785-a585601d366a.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--29919c5f-d213-451b-b8bb-b2194cf226c8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6701f90c-6fce-4f7b-a785-a585601d366a", + "created": "2025-03-24T14:58:02.964Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee MoqHao 2019", + "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:11.542Z", + "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has exfiltrated SMS and MMS messages.(Citation: McAfee MoqHao 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--670a0995-a789-4674-9e91-c74316cdef90.json b/mobile-attack/relationship/relationship--670a0995-a789-4674-9e91-c74316cdef90.json index 7c9c1cab0f..f024b114a3 100644 --- a/mobile-attack/relationship/relationship--670a0995-a789-4674-9e91-c74316cdef90.json +++ b/mobile-attack/relationship/relationship--670a0995-a789-4674-9e91-c74316cdef90.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--aa06dd61-c606-4d15-9fc1-79002b4f5845", + "id": "bundle--5fb98517-15ad-497a-8479-e9b2cfb5d564", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--670a0995-a789-4674-9e91-c74316cdef90", "type": "relationship", + "id": "relationship--670a0995-a789-4674-9e91-c74316cdef90", "created": "2020-09-11T14:54:16.621Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2020-09-11T14:54:16.621Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:11.764Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record audio from phone calls and the device microphone.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
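Review bot: The rewritten relationship--670a0995-a789-4674-9e91-c74316cdef90 object has neither `revoked` nor `x_mitre_deprecated` on its new side, while the other rewritten `uses` relationships visible in this part of the patch state both explicitly. relationship--684c17bb-2075-4e1f-9fcb-17408511222d and relationship--694857ba-92e8-462e-8900-a9f6fdcf495d are in the same state. An absent `revoked` reads as false under STIX, but a consumer that compares the key strictly instead of defaulting a missing key to false will treat these three objects differently from the rest when it drops revoked or deprecated entries. Emitting `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` would make the objects uniform. The files appear to be exporter output, so the change likely belongs in the export step.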
diff --git a/mobile-attack/relationship/relationship--67aa692c-24e4-483e-996e-02ce1e861ec8.json b/mobile-attack/relationship/relationship--67aa692c-24e4-483e-996e-02ce1e861ec8.json index 7624dd5ef4..76c560b6c1 100644 --- a/mobile-attack/relationship/relationship--67aa692c-24e4-483e-996e-02ce1e861ec8.json +++ b/mobile-attack/relationship/relationship--67aa692c-24e4-483e-996e-02ce1e861ec8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e13eb9e-66f1-48cd-9395-b0a95a2d6676", + "id": "bundle--01e579ca-92e9-4ab5-ac62-cf55ccae97d6", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:09:02.129Z", + "modified": "2025-04-16T21:49:11.965Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can add display overlays onto banking apps to capture credit card information.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2.json b/mobile-attack/relationship/relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2.json index 5b6b014e46..efc1f884b3 100644 --- a/mobile-attack/relationship/relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2.json +++ b/mobile-attack/relationship/relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--b9f54d65-ce93-4c46-bb99-da627815f12e", + "id": "bundle--982d089a-db7c-474d-a509-fe04bee620a0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--67c2b73d-cd51-4894-a7bd-fdd5d14b33a2", "created": "2019-09-03T20:08:00.704Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Talos Gustuff Apr 2019", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:12.172Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) code is both obfuscated and packed with an FTT packer.(Citation: Talos Gustuff Apr 2019)", - "modified": "2022-04-15T17:18:58.074Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f.json b/mobile-attack/relationship/relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f.json index 6368c9a5e6..15e9406f43 100644 --- a/mobile-attack/relationship/relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f.json +++ b/mobile-attack/relationship/relationship--67db22d4-6f89-40c6-b31b-737c1e3dec3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8b21c28a-1122-4347-b819-74b5dd85b319", + "id": "bundle--50015fbb-1813-4de9-9b19-a992e711a3cb", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:17:07.374Z", + "modified": "2025-04-16T21:49:12.371Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has used motion sensor data to attempt to determine if it is running in an emulator.(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--681161b2-4e30-4d49-8524-6cc0d94585cb.json b/mobile-attack/relationship/relationship--681161b2-4e30-4d49-8524-6cc0d94585cb.json index 82b556333e..4da6f3c65f 100644 --- a/mobile-attack/relationship/relationship--681161b2-4e30-4d49-8524-6cc0d94585cb.json +++ b/mobile-attack/relationship/relationship--681161b2-4e30-4d49-8524-6cc0d94585cb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b21ba026-f098-4780-a96c-acdd1167c6a9", + "id": "bundle--23ca5b3d-7730-42ea-bdc9-6cfd0ccabcd7", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:34:55.830Z", + "modified": "2025-04-16T21:49:12.572Z", "description": "Many properly configured firewalls may naturally block bidirectional command and control traffic.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c.json b/mobile-attack/relationship/relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c.json index 5382d1d3f6..62e60ee0a4 100644 --- a/mobile-attack/relationship/relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c.json +++ b/mobile-attack/relationship/relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--43d0f0e6-183c-4697-ab8d-213da7dd7fc3", + "id": "bundle--8e2f3c34-bd6f-4ec3-9129-6e161f31c352", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--681d5e61-9412-4c58-bef1-c6ef7bffcb0c", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "", - "modified": "2022-04-06T15:42:13.445Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:12.773Z", + "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--c91c304a-975d-4501-9789-0db1c57afd3f", "target_ref": "attack-pattern--2d646840-f6f5-4619-a5a8-29c8316bbac5", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6846dc09-b66a-42d3-aea2-c80b51f22952.json b/mobile-attack/relationship/relationship--6846dc09-b66a-42d3-aea2-c80b51f22952.json index e69280e6f6..195c93b195 100644 --- a/mobile-attack/relationship/relationship--6846dc09-b66a-42d3-aea2-c80b51f22952.json +++ b/mobile-attack/relationship/relationship--6846dc09-b66a-42d3-aea2-c80b51f22952.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--a90909d6-1f61-40f3-a7e8-05045df31c84", + "id": "bundle--87bd54fe-23b2-4cb0-886b-51a6d30319bb", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--6846dc09-b66a-42d3-aea2-c80b51f22952", "created": "2023-02-28T21:42:31.008Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-28T21:42:31.008Z", + "modified": "2025-04-16T21:49:12.992Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record audio using the device microphone.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--684c17bb-2075-4e1f-9fcb-17408511222d.json b/mobile-attack/relationship/relationship--684c17bb-2075-4e1f-9fcb-17408511222d.json index 457aff67da..71a42aa371 100644 --- a/mobile-attack/relationship/relationship--684c17bb-2075-4e1f-9fcb-17408511222d.json +++ b/mobile-attack/relationship/relationship--684c17bb-2075-4e1f-9fcb-17408511222d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e9e5d581-198a-4b93-af90-2b38e63b7ae2", + "id": "bundle--f22086a4-0eb6-482e-8d0e-917786541afa", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--684c17bb-2075-4e1f-9fcb-17408511222d", "type": "relationship", + "id": "relationship--684c17bb-2075-4e1f-9fcb-17408511222d", "created": "2021-09-20T13:54:19.957Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2021-09-20T13:54:19.957Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:13.220Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can silently accept an incoming phone call.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44.json b/mobile-attack/relationship/relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44.json index 9b2edc0d6e..83a7c6efd1 100644 --- a/mobile-attack/relationship/relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44.json +++ b/mobile-attack/relationship/relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--7a18062f-d83f-495d-bec9-505e36e5c2af", + "id": "bundle--1bd00518-5d65-4197-b3ce-e60b1c749290", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--6859be95-c11a-4085-b8d3-c4ea4e2add44", "created": "2024-04-02T19:14:16.279Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-02T19:14:16.279Z", + "modified": "2025-04-16T21:49:13.424Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can access and retrieve files on a device.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b.json b/mobile-attack/relationship/relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b.json new file mode 100644 index 0000000000..6869ff6a75 --- /dev/null +++ b/mobile-attack/relationship/relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--452c305c-1e7e-4c9b-a498-d9280a65c544", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--686a6bc8-d660-40ad-97bc-9c900195cd5b", + "created": "2025-03-28T15:09:23.738Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:13.621Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have obtained a list of files in a specified directory using the `fts` API.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6885280e-5423-422a-94f1-e91d557e043e.json b/mobile-attack/relationship/relationship--6885280e-5423-422a-94f1-e91d557e043e.json index af4e4d5dbe..eee9845caf 100644 --- a/mobile-attack/relationship/relationship--6885280e-5423-422a-94f1-e91d557e043e.json +++ b/mobile-attack/relationship/relationship--6885280e-5423-422a-94f1-e91d557e043e.json 
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--f74d5c52-6b4d-4c6a-81a5-b73b66283612", + "id": "bundle--eae0c3fc-e239-4bc3-8752-dcf2d5524c08", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--6885280e-5423-422a-94f1-e91d557e043e", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "PaloAlto-XcodeGhost1", - "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/", - "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016." + "description": "Claud Xiao. (2015, September 17). Novel Malware XcodeGhost Modifies Xcode, Infects Apple iOS Apps and Hits App Store. Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/" }, { "source_name": "PaloAlto-XcodeGhost", - "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/", - "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. Retrieved December 21, 2016." + "description": "Claud Xiao. (2015, September 18). Update: XcodeGhost Attacker Can Phish Passwords and Open URLs through Infected Apps. 
Retrieved December 21, 2016.", + "url": "http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:13.816Z", "description": "[XcodeGhost](https://attack.mitre.org/software/S0297) was injected into apps by a modified version of Xcode (Apple's software development tool).(Citation: PaloAlto-XcodeGhost1)(Citation: PaloAlto-XcodeGhost)", - "modified": "2022-04-15T15:10:16.607Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--d9e07aea-baad-4b68-bdca-90c77647d7f9", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--68c17e9b-1fda-49dd-982b-566d473cc32b.json b/mobile-attack/relationship/relationship--68c17e9b-1fda-49dd-982b-566d473cc32b.json index 5290aa67d7..8ac747d677 100644 --- a/mobile-attack/relationship/relationship--68c17e9b-1fda-49dd-982b-566d473cc32b.json +++ b/mobile-attack/relationship/relationship--68c17e9b-1fda-49dd-982b-566d473cc32b.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--c04fbd0e-4a7f-4b16-95e4-069fb7855960", + "id": "bundle--0b369cb4-82ed-44ee-aa58-7c2b8fe496bf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--68c17e9b-1fda-49dd-982b-566d473cc32b", "created": "2022-04-06T15:51:11.939Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:14.017Z", "description": "", - "modified": "2022-04-06T15:51:11.939Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--633baf01-6de4-4963-bb54-ff6c6357bed3", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--68e5789c-9f60-421e-9c79-fae207a29e83.json b/mobile-attack/relationship/relationship--68e5789c-9f60-421e-9c79-fae207a29e83.json index 3e89e63d0f..a4e98da8d6 100644 --- a/mobile-attack/relationship/relationship--68e5789c-9f60-421e-9c79-fae207a29e83.json +++ b/mobile-attack/relationship/relationship--68e5789c-9f60-421e-9c79-fae207a29e83.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b1452aa-0134-4fbf-80db-ea945af96263", + "id": "bundle--409bcf06-b3a5-4bba-a38d-dfe2318948fb", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:27:20.839Z", + "modified": "2025-04-16T21:49:14.225Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole SMS message content.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3.json b/mobile-attack/relationship/relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3.json index 6eadf49c20..982fe9e232 100644 --- a/mobile-attack/relationship/relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3.json +++ b/mobile-attack/relationship/relationship--6920d0d0-27f4-4d29-8622-c8a92090eec3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c9565b17-9532-46da-a55a-ca8d247bd7cf", + "id": "bundle--947eb02d-827d-40e9-a53d-c51875f02ffb", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:54:25.851Z", + "modified": "2025-04-16T21:49:14.432Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect the device\u2019s contact list.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50.json b/mobile-attack/relationship/relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50.json index 1321c26a23..81422afb82 100644 --- a/mobile-attack/relationship/relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50.json +++ b/mobile-attack/relationship/relationship--6935752c-e400-4dfa-863f-1d44a8f6dd50.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--86c54f7b-2f8d-4e1c-8716-7e61fffb0616", + "id": "bundle--3ec73293-0543-402a-b3b2-bfd1086193d2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.105Z", + "modified": "2025-04-16T21:49:14.667Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can make phone calls.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8.json b/mobile-attack/relationship/relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8.json new file mode 100644 index 0000000000..55bc10cb63 --- /dev/null +++ b/mobile-attack/relationship/relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--64f31a3a-9495-4876-a00d-0fc0f559018b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6945812f-959b-4f4c-9bf4-6dbdc6d9f7c8", + "created": "2025-03-28T15:08:25.021Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + }, + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:14.876Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have dumped the device\u2019s keychain.(Citation: SecureList OpTriangulation 21Jun2023)(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--694857ba-92e8-462e-8900-a9f6fdcf495d.json b/mobile-attack/relationship/relationship--694857ba-92e8-462e-8900-a9f6fdcf495d.json index ee3ae2b714..1f6bd37a31 100644 
--- a/mobile-attack/relationship/relationship--694857ba-92e8-462e-8900-a9f6fdcf495d.json +++ b/mobile-attack/relationship/relationship--694857ba-92e8-462e-8900-a9f6fdcf495d.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7b6c11cb-0ab2-4b2b-86da-3ae064e63901", + "id": "bundle--dc90ec4e-01eb-47aa-b692-68d747af623c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--694857ba-92e8-462e-8900-a9f6fdcf495d", "type": "relationship", + "id": "relationship--694857ba-92e8-462e-8900-a9f6fdcf495d", "created": "2020-12-31T18:25:05.133Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], - "modified": "2020-12-31T18:25:05.133Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:15.085Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has encrypted its DEX payload.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c.json b/mobile-attack/relationship/relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c.json index 4572214950..0101473f24 100644 --- a/mobile-attack/relationship/relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c.json +++ b/mobile-attack/relationship/relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--6e7adb6e-36de-42b9-84a9-db4910f3c3e6", + "id": "bundle--1475e641-46df-4567-b3da-8f6e1cbfa16b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--6961eec4-8e31-4be1-88d9-dca682e38b8c", "created": "2019-08-09T18:02:06.688Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Zscaler-SuperMarioRun", - "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", - "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017." + "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.", + "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:15.306Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) can capture video using device cameras.(Citation: Zscaler-SuperMarioRun)", - "modified": "2022-05-20T17:13:16.507Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4.json b/mobile-attack/relationship/relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4.json index 7e2bf8ca8b..c2362e00cc 100644 --- a/mobile-attack/relationship/relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4.json +++ b/mobile-attack/relationship/relationship--69718f1d-7761-41ae-b9d0-12c45f6b4ac4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d2806e1-2842-4fbb-a0bf-0ea4e3a91929", + "id": "bundle--5b7340d5-7eec-421f-9f46-8e7d2bbe9d00", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:33:51.882Z", + "modified": "2025-04-16T21:49:15.508Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) modifies the system partition to maintain persistence.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--697f5584-667f-4489-a535-586dd1a8b48c.json b/mobile-attack/relationship/relationship--697f5584-667f-4489-a535-586dd1a8b48c.json index dda16b0606..950ce092d3 100644 --- a/mobile-attack/relationship/relationship--697f5584-667f-4489-a535-586dd1a8b48c.json +++ b/mobile-attack/relationship/relationship--697f5584-667f-4489-a535-586dd1a8b48c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0cf3f8aa-4bd1-4327-89a9-188798861e2f", + "id": "bundle--45989ff0-de54-4c6f-9b48-fd7d8e4b4704", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.823Z", + "modified": "2025-04-16T21:49:15.722Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has inserted trojan functionality into legitimate apps, including popular apps within the Uyghur community, VPNs, instant messaging apps, social networking, games, adult media, and Google searching.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2.json b/mobile-attack/relationship/relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2.json index 9321d57041..aebab4e636 100644 --- a/mobile-attack/relationship/relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2.json +++ b/mobile-attack/relationship/relationship--69bb264a-3f44-4132-9248-dd80a9f5efa2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5273a956-1c72-4454-971c-bf2d6feffa49", + "id": "bundle--b880f2f3-868b-4beb-b370-664a2ee91e59", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:17:53.923Z", + "modified": "2025-04-16T21:49:15.925Z", "description": "[Charger](https://attack.mitre.org/software/S0323) locks the device if it is granted admin permissions, displaying a message demanding a ransom payment.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--69de3f7e-faa7-4342-b755-4777a68fd89b.json b/mobile-attack/relationship/relationship--69de3f7e-faa7-4342-b755-4777a68fd89b.json index e76d7835f5..0fbb5ae1f8 100644 --- a/mobile-attack/relationship/relationship--69de3f7e-faa7-4342-b755-4777a68fd89b.json +++ b/mobile-attack/relationship/relationship--69de3f7e-faa7-4342-b755-4777a68fd89b.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--05ca6711-b4c9-462a-9591-7074019d3f73", + "id": "bundle--bc8ea626-343d-4a34-a231-2bee4683ace4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--69de3f7e-faa7-4342-b755-4777a68fd89b", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Zscaler-SuperMarioRun", - "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat", - "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017." + "description": "Viral Gandhi. (2017, January 12). Super Mario Run Malware #2 \u2013 DroidJack RAT. Retrieved January 20, 2017.", + "url": "https://www.zscaler.com/blogs/security-research/super-mario-run-malware-2-droidjack-rat" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:16.144Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) is capable of recording device phone calls.(Citation: Zscaler-SuperMarioRun)", - "modified": "2022-05-20T17:13:16.508Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--6a1d8b2f-9007-46ba-b559-356b81632cee.json b/mobile-attack/relationship/relationship--6a1d8b2f-9007-46ba-b559-356b81632cee.json index acdc685361..96204f6a9a 100644 --- a/mobile-attack/relationship/relationship--6a1d8b2f-9007-46ba-b559-356b81632cee.json +++ b/mobile-attack/relationship/relationship--6a1d8b2f-9007-46ba-b559-356b81632cee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--61233de0-633c-4b92-b514-99bb9e035d18", + "id": "bundle--49642933-f0ea-413a-aa1f-6c38a7203248", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.444Z", + "modified": "2025-04-16T21:49:16.362Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has masqueraded as TikTok.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b.json b/mobile-attack/relationship/relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b.json index 76b2ccb9f1..ce15308898 100644 --- a/mobile-attack/relationship/relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b.json +++ b/mobile-attack/relationship/relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e184f11d-f52b-4335-9601-c0eab8cfd3ce", + "id": "bundle--526c863a-0f17-4e40-ab39-b33667a27343", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b", "type": "relationship", + "id": "relationship--6a4fd7bd-b73b-403b-aff9-8be6bc0afc7b", "created": "2020-09-14T14:13:45.259Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", - "url": "https://blog.lookout.com/esurv-research", - "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/esurv-research" } ], - "modified": "2020-09-14T14:13:45.259Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:16.565Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) can exfiltrate device pictures.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2.json b/mobile-attack/relationship/relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2.json index b7c6bdc244..f86b353cfb 100644 
--- a/mobile-attack/relationship/relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2.json +++ b/mobile-attack/relationship/relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--cba294ad-8392-4a3e-bb00-a1d1cf84e3a4", + "id": "bundle--931094e5-c352-4fc2-84d6-c9f1e649e60c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--6a5926f3-8c44-4806-83c2-e8ed0be36bc2", "created": "2022-04-01T15:13:55.124Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:16.772Z", "description": "Users should be instructed to not open links in applications they don\u2019t recognize.", - "modified": "2022-04-01T15:13:55.124Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e.json b/mobile-attack/relationship/relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e.json index 3570407eac..e5321726db 100644 --- a/mobile-attack/relationship/relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e.json +++ b/mobile-attack/relationship/relationship--6a5f151f-36cb-496a-9d0c-d726f1b00d4e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4ac5caa3-e40a-48b5-8886-fb8c5918280c", + "id": "bundle--45ba5ee8-cb2e-469a-8a44-8e7c273e5be2", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:21:42.253Z", + "modified": "2025-04-16T21:49:16.980Z", "description": "On Android, Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android's SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromise devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6a715733-cde6-4903-b967-35562b584c6f.json b/mobile-attack/relationship/relationship--6a715733-cde6-4903-b967-35562b584c6f.json index bdf652a731..35a4c4a71c 100644 --- a/mobile-attack/relationship/relationship--6a715733-cde6-4903-b967-35562b584c6f.json +++ b/mobile-attack/relationship/relationship--6a715733-cde6-4903-b967-35562b584c6f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--28cd0ca6-febe-4b12-bbc7-fa302314b874", + "id": "bundle--eaa734c1-5abe-47b6-8524-c8a19d9ad4c9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6a715733-cde6-4903-b967-35562b584c6f", "type": "relationship", + "id": "relationship--6a715733-cde6-4903-b967-35562b584c6f", "created": "2020-06-02T14:32:31.878Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", - "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", - "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], - "modified": "2020-06-02T14:32:31.878Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:17.225Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can obtain a list of installed non-Apple applications.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6a813057-5fe0-46b5-89a3-c804d223568c.json b/mobile-attack/relationship/relationship--6a813057-5fe0-46b5-89a3-c804d223568c.json index 8d932fe9a5..96469b0537 100644 
--- a/mobile-attack/relationship/relationship--6a813057-5fe0-46b5-89a3-c804d223568c.json +++ b/mobile-attack/relationship/relationship--6a813057-5fe0-46b5-89a3-c804d223568c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5bcfd656-9cbc-4946-b08e-9fe9f176a535", + "id": "bundle--b6de1170-1d53-47e7-9405-1ba065f6472f", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-26T12:54:10.319Z", + "modified": "2025-04-16T21:49:17.437Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate the victim device ID, model, manufacturer, and Android version.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6a821e14-8247-408b-af37-9cecbba616ec.json b/mobile-attack/relationship/relationship--6a821e14-8247-408b-af37-9cecbba616ec.json index 2c513435e7..2f4a597b5c 100644 --- a/mobile-attack/relationship/relationship--6a821e14-8247-408b-af37-9cecbba616ec.json +++ b/mobile-attack/relationship/relationship--6a821e14-8247-408b-af37-9cecbba616ec.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--01c3f734-96c0-446b-b846-dc172ce6f129", + "id": "bundle--df25a48d-a0fe-4938-bdc3-d0b3a9756599", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6a821e14-8247-408b-af37-9cecbba616ec", "type": "relationship", + "id": "relationship--6a821e14-8247-408b-af37-9cecbba616ec", "created": "2020-05-07T15:33:32.945Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", - "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", - "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], - "modified": "2020-05-07T15:33:32.945Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:17.666Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) obtains the device\u2019s application list.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--6a87a107-e607-460b-a08c-cc693b15268c.json b/mobile-attack/relationship/relationship--6a87a107-e607-460b-a08c-cc693b15268c.json new file mode 100644 index 0000000000..50676f53c3 --- /dev/null +++ b/mobile-attack/relationship/relationship--6a87a107-e607-460b-a08c-cc693b15268c.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--db24ef88-66b3-4553-a29f-e67fbaecc020", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6a87a107-e607-460b-a08c-cc693b15268c", + "created": "2024-03-26T19:31:52.738Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "sophos_android_apt_spyware", + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + }, + { + "source_name": "threatpost AndroidSpyware 2020", + "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", + "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:17.864Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the victim device\u2019s contact list.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a.json b/mobile-attack/relationship/relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a.json index ef197dd3cf..dbd0c7c243 100644 --- a/mobile-attack/relationship/relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a.json +++ b/mobile-attack/relationship/relationship--6a924f93-6a3a-4931-b0b3-b8bc37f0587a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--935fa30c-3538-4962-b6ba-ab59e91c600d", + "id": "bundle--b1fa7cb9-777a-4369-9430-0de1243133f9", "spec_version": "2.0", "objects": [ { 
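Review bot: The archived `url` added for `sophos_android_apt_spyware` in the new relationship `6a87a107` embeds the original address as `https:/news.sophos.com/...`, with a single slash after the scheme, so the part after the Wayback timestamp is not a well-formed absolute URL. The same collapse shows up in the following file's `fb_arid_viper` reference, where the removed line had `https://about.fb.com/...` and the added line has `https:/about.fb.com/...`. This suggests, though the diff alone cannot confirm it, that a path-normalisation step in the export rewrote `//` to `/`. The archive service may still resolve these links, but consumers that validate citation URLs or extract the original source address will get a malformed value. The embedded scheme should read `https://news.sophos.com/` and `https://about.fb.com/` respectively, and the export is worth checking for other archived references with the same pattern.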
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-16T16:03:22.664Z", + "modified": "2025-04-16T21:49:18.072Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can masquerade as the chat application \"Magic Smile.\"(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e.json b/mobile-attack/relationship/relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e.json index 4bac3963ca..bdda7c11b6 100644 --- a/mobile-attack/relationship/relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e.json +++ b/mobile-attack/relationship/relationship--6ac2d9a5-248b-42c5-af71-3ffad7bc7f3e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1eb31744-e6f6-4975-ab02-36ae334a902d", + "id": "bundle--9ce1ebfc-55f2-474e-8b9f-ea77458d6f6d", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T19:39:19.069Z", + "modified": "2025-04-16T21:49:18.278Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) initially poses as a benign application, then malware is downloaded and executed after an application update.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0.json b/mobile-attack/relationship/relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0.json index c36e787eec..a22af5ce40 100644 --- a/mobile-attack/relationship/relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0.json +++ b/mobile-attack/relationship/relationship--6ad4f199-99fe-4366-87be-7a462f6c89b0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75bda66a-d723-4293-843b-7d5f1a87b77a", + "id": "bundle--a81f1719-3e0d-440a-8089-5b5a4bd2eb08", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T20:48:41.487Z", + "modified": "2025-04-16T21:49:18.482Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can access a device\u2019s location and check if GPS is enabled. [Hornbill](https://attack.mitre.org/software/S1077) has logic to only log location changes greater than 70 meters.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6b41d649-bcd0-4427-baa1-15a145bace6e.json b/mobile-attack/relationship/relationship--6b41d649-bcd0-4427-baa1-15a145bace6e.json index 775d47d245..7f00b48a1a 100644 --- a/mobile-attack/relationship/relationship--6b41d649-bcd0-4427-baa1-15a145bace6e.json +++ b/mobile-attack/relationship/relationship--6b41d649-bcd0-4427-baa1-15a145bace6e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--79442b61-4839-43f2-aec8-5f0bf093bac7", + "id": "bundle--5a4a21f8-2872-415d-a58a-defdd92e3ac9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6b41d649-bcd0-4427-baa1-15a145bace6e", "type": "relationship", + "id": "relationship--6b41d649-bcd0-4427-baa1-15a145bace6e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", - "source_name": "PaloAlto-SpyDealer" + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], - "modified": "2019-08-09T17:56:05.642Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:18.710Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) downloads and executes root exploits from a remote server.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61.json b/mobile-attack/relationship/relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61.json index 3e8cee1ee3..606b1cc268 100644 
--- a/mobile-attack/relationship/relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61.json +++ b/mobile-attack/relationship/relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--26a1b48c-da16-430c-adef-1fc496c9fe7d", + "id": "bundle--ac77d283-f83c-4dd4-8785-d64879b6d22c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--6b623a18-a3cf-4f94-b3a8-19f7369a2b61", "created": "2024-03-26T18:43:59.377Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T18:43:59.377Z", + "modified": "2025-04-16T21:49:18.928Z", "description": "", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9.json b/mobile-attack/relationship/relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9.json index ed613bea41..7a64a39795 100644 --- a/mobile-attack/relationship/relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9.json +++ b/mobile-attack/relationship/relationship--6b64d3f4-96d6-48e5-a57e-b5cf897670f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--879c52ab-b9fb-495d-a838-d03f761d6eea", + "id": "bundle--73144c46-dc8c-4927-b9e7-03a26b7e0b5a", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:27:33.948Z", + "modified": "2025-04-16T21:49:19.127Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect SMS messages from the device.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab.json b/mobile-attack/relationship/relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab.json index 4aecf0f768..3a25e78080 100644 --- a/mobile-attack/relationship/relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab.json +++ b/mobile-attack/relationship/relationship--6b74d347-4d28-401f-9ac2-b3e1c9428bab.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6e6a618-5ab0-4b93-b3bd-b2ef00766bf0", + "id": "bundle--8b99cba3-1d97-43cc-9f16-1b50df2fa3f3", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:54:10.458Z", + "modified": "2025-04-16T21:49:19.364Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use keylogging to steal user banking credentials.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696.json b/mobile-attack/relationship/relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696.json index bc0dff7d2a..229f5e7ffc 100644 --- a/mobile-attack/relationship/relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696.json +++ b/mobile-attack/relationship/relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a444b0b5-e955-42c2-b603-dd163538507d", + "id": "bundle--d403445d-5587-46cf-9773-80f7e6d47700", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--6ba09d73-4ed5-4a37-8191-fc54a8f01696", "created": "2022-03-28T19:38:23.189Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:19.571Z", "description": "", - "modified": "2022-03-28T19:38:23.190Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec.json b/mobile-attack/relationship/relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec.json new file mode 100644 index 0000000000..b19b3c4fd6 --- /dev/null +++ b/mobile-attack/relationship/relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--eb233800-8d24-4b76-8d7c-daef0742751e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6bac4ccd-d810-40f4-937e-3ac4bfa959ec", + "created": "2025-03-14T17:57:19.692Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Promon FjordPhantom Oct2024", + "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", + "url": "https://promon.io/security-news/fjordphantom-android-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:19.805Z", + "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) uses a virtualization solution to steal credentials.(Citation: Promon FjordPhantom Oct2024)", + "relationship_type": "uses", + "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", + "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a.json b/mobile-attack/relationship/relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a.json index ef86fb2004..521fb9c150 100644 --- a/mobile-attack/relationship/relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a.json +++ b/mobile-attack/relationship/relationship--6bb4de7d-1ef9-4bc8-8d34-62e176d4188a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3dd9a086-5658-4610-9111-5ff4223285d5", + "id": "bundle--e7d8b7d1-80d6-4f12-a290-f7e7cc8710c2", "spec_version": "2.0", "objects": [ { 
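Review bot: The `Promon FjordPhantom Oct2024` entry under `external_references` in the new relationship--6bac4ccd file has a citation `description` with no title: `Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.`. The other citations visible in this part of the patch all name the report, and without a title an analyst cannot identify the source if the URL stops resolving. I would write it as `"description": "Promon Security Research Team. (2024, October 1). <report title>. Retrieved February 19, 2025."`, with the placeholder filled in from the referenced page. The same entry is repeated unchanged in the new relationship--6d38782e file further down.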
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:17:24.417Z", + "modified": "2025-04-16T21:49:20.011Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can send large amounts of device data over its C2 channel, including the device\u2019s manufacturer, model, version and serial number, telephone number, and IP address.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2.json b/mobile-attack/relationship/relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2.json new file mode 100644 index 0000000000..9413d74d37 --- /dev/null +++ b/mobile-attack/relationship/relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--58269454-b509-4b14-be0d-d2cfbf70594a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6bdc24f1-36a7-4cf8-8a3e-f7f36840a7b2", + "created": "2025-03-27T22:49:03.986Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:20.220Z", + "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has obtained a list of installed applications.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6c0105f3-e919-499d-b080-d127394d2837.json b/mobile-attack/relationship/relationship--6c0105f3-e919-499d-b080-d127394d2837.json index 46515b7ec7..7e77a70a2d 100644 --- a/mobile-attack/relationship/relationship--6c0105f3-e919-499d-b080-d127394d2837.json +++ b/mobile-attack/relationship/relationship--6c0105f3-e919-499d-b080-d127394d2837.json 
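Review bot: The `description` of the new relationship--6bdc24f1 object ends with a stray space after the closing citation marker, `(Citation: SecureList OpTriangulation 23Oct2023) "`. Tools that compare or hash description text, or that match the trailing `(Citation: ...)` marker with an anchored pattern, may treat this as a different string than intended. The value should end at `23Oct2023)"`. The new relationship--6d38782e file has the same trailing space after `(Citation: Promon FjordPhantom Oct2024)`.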
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--ecb93aba-9c49-480f-ac1c-b0bd6436dc08", + "id": "bundle--f9823a6c-ec7f-4887-983e-b6e0b3a555c5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--6c0105f3-e919-499d-b080-d127394d2837", "created": "2022-03-30T18:14:23.210Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:20.419Z", "description": "Typically, insecure or malicious configuration settings are not installed without the user's consent. Users should be advised not to install unexpected configuration settings (CA certificates, iOS Configuration Profiles, Mobile Device Management server provisioning). ", - "modified": "2022-03-30T18:14:23.210Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6c35f99c-153d-4023-a29a-821488ce5418.json b/mobile-attack/relationship/relationship--6c35f99c-153d-4023-a29a-821488ce5418.json index c0d269cf32..ab61281d7a 100644 --- a/mobile-attack/relationship/relationship--6c35f99c-153d-4023-a29a-821488ce5418.json +++ b/mobile-attack/relationship/relationship--6c35f99c-153d-4023-a29a-821488ce5418.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0e9fdb40-f2bb-4c66-ba29-ec57062e22e3", + "id": "bundle--7e8364db-c92e-4761-b7d6-7b4e13bc7c19", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.107Z", + "modified": "2025-04-16T21:49:20.617Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can collect a list of installed applications to compare to a list of targeted applications.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82.json b/mobile-attack/relationship/relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82.json index 4379228b89..aa7e251ad0 100644 --- a/mobile-attack/relationship/relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82.json +++ b/mobile-attack/relationship/relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4cc947d4-77ff-45ba-9f2c-62a477d51075", + "id": "bundle--973b1259-1677-40ef-8786-2873a0c15414", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82", "type": "relationship", + "id": "relationship--6c859d6b-28b1-409d-90ea-d4eba64edf82", "created": "2020-09-11T16:22:03.301Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", - "url": "https://blog.lookout.com/viperrat-mobile-apt", - "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], - "modified": "2020-09-11T16:22:03.301Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:20.824Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect system information, including brand, manufacturer, and serial number.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd.json b/mobile-attack/relationship/relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd.json index 455c84752c..2b2c9084a3 100644 --- a/mobile-attack/relationship/relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd.json +++ b/mobile-attack/relationship/relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--8e1b0182-cf80-4a9b-8203-94b9c8a71d6a", + "id": "bundle--8b352243-fab0-40a9-a722-91ff574d5ed6", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--6c887e1b-ff9a-4d7f-baec-7d19e1c982bd", "created": "2023-08-07T22:48:30.275Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T22:48:30.275Z", + "modified": "2025-04-16T21:49:21.032Z", "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to newly created processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e.json b/mobile-attack/relationship/relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e.json index a219d92d23..ac541115a4 100644 
--- a/mobile-attack/relationship/relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e.json +++ b/mobile-attack/relationship/relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--5b2bd3be-4d87-4ef8-8d73-e58b2b4f8b53", + "id": "bundle--99e50bbf-ca11-48ed-bdbd-2e372472f725", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e", "type": "relationship", + "id": "relationship--6ca3e3d9-2db9-4bed-98a0-417ff1e6a78e", "created": "2021-02-08T16:36:20.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "modified": "2021-05-24T13:16:56.443Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:21.257Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included system information enumeration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6cace9e3-f095-4914-bddc-24cec8bcc859.json b/mobile-attack/relationship/relationship--6cace9e3-f095-4914-bddc-24cec8bcc859.json index 87dc91516d..517c64558f 100644 --- a/mobile-attack/relationship/relationship--6cace9e3-f095-4914-bddc-24cec8bcc859.json +++ b/mobile-attack/relationship/relationship--6cace9e3-f095-4914-bddc-24cec8bcc859.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--678c362f-e869-470c-a5f9-53c4712f330e", + "id": "bundle--505ebc1b-2a7b-4716-a764-560304c9e188", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6cace9e3-f095-4914-bddc-24cec8bcc859", "type": "relationship", + "id": "relationship--6cace9e3-f095-4914-bddc-24cec8bcc859", "created": "2020-09-24T15:34:51.276Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], - "modified": "2020-09-24T15:34:51.276Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:21.450Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can collect the device\u2019s photos, browser history, bookmarks, and accounts stored on the device.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6ce36374-2ff6-4b41-8493-148416153232.json b/mobile-attack/relationship/relationship--6ce36374-2ff6-4b41-8493-148416153232.json index c734ed353b..3315e9593a 100644 --- a/mobile-attack/relationship/relationship--6ce36374-2ff6-4b41-8493-148416153232.json +++ b/mobile-attack/relationship/relationship--6ce36374-2ff6-4b41-8493-148416153232.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d7c8ecb2-7ac9-45dd-a178-34552ba6c2e2", + "id": "bundle--e44096a1-5760-4fd2-b29e-678c84acbd2b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6ce36374-2ff6-4b41-8493-148416153232", "type": "relationship", + "id": "relationship--6ce36374-2ff6-4b41-8493-148416153232", "created": "2020-07-20T13:27:33.443Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-08-10T21:57:54.526Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:21.666Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can collect user account, photos, browser history, and arbitrary files.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6d2c7743-fc75-4524-b217-13867ca1dd10.json b/mobile-attack/relationship/relationship--6d2c7743-fc75-4524-b217-13867ca1dd10.json index b4d27afe27..de7103379a 100644 
--- a/mobile-attack/relationship/relationship--6d2c7743-fc75-4524-b217-13867ca1dd10.json +++ b/mobile-attack/relationship/relationship--6d2c7743-fc75-4524-b217-13867ca1dd10.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--92d08a2a-1ce6-4675-98a4-ed93412cf02f", + "id": "bundle--7c046d84-9f22-4ed3-a419-bee6f16ca33f", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:32:04.659Z", + "modified": "2025-04-16T21:49:21.878Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) can collect the contact list.(Citation: Talos Gustuff Apr 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6d38782e-2c88-411b-8328-72347d4c6024.json b/mobile-attack/relationship/relationship--6d38782e-2c88-411b-8328-72347d4c6024.json new file mode 100644 index 0000000000..4cd3c01fde --- /dev/null +++ b/mobile-attack/relationship/relationship--6d38782e-2c88-411b-8328-72347d4c6024.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--2cf93ec7-3a49-47c4-a761-b4055a3a75cb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6d38782e-2c88-411b-8328-72347d4c6024", + "created": "2025-03-14T18:01:12.030Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Promon FjordPhantom Oct2024", + "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", + "url": "https://promon.io/security-news/fjordphantom-android-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:22.088Z", + "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has injected malicious code and a hooking framework through a virtualization solution, i.e. [Virtualization Solution](https://attack.mitre.org/techniques/T1670), into the process of the hosted application.(Citation: Promon FjordPhantom Oct2024) ", + "relationship_type": "uses", + "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", + "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6d659130-545b-4917-891c-6c1b7d54ed07.json b/mobile-attack/relationship/relationship--6d659130-545b-4917-891c-6c1b7d54ed07.json index 2a319fac66..0629dace5c 100644 --- a/mobile-attack/relationship/relationship--6d659130-545b-4917-891c-6c1b7d54ed07.json +++ b/mobile-attack/relationship/relationship--6d659130-545b-4917-891c-6c1b7d54ed07.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--af45904f-1c43-4e03-8c66-048bb07a5062", + "id": "bundle--bfe2aba7-47de-4e84-9cea-295de44f3890", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6d659130-545b-4917-891c-6c1b7d54ed07", "type": "relationship", + "id": "relationship--6d659130-545b-4917-891c-6c1b7d54ed07", "created": "2021-01-05T20:16:20.505Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.505Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:22.322Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can send SMS messages.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6d88242f-e45b-481c-bd41-b66a662618ce.json b/mobile-attack/relationship/relationship--6d88242f-e45b-481c-bd41-b66a662618ce.json index 3b4e151962..b2ac9724d3 100644 --- a/mobile-attack/relationship/relationship--6d88242f-e45b-481c-bd41-b66a662618ce.json 
+++ b/mobile-attack/relationship/relationship--6d88242f-e45b-481c-bd41-b66a662618ce.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--43b17c7e-0b98-4b70-bb31-70db9930d6db", + "id": "bundle--bc17188b-70ad-48bf-8e2c-e933d2481cec", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--6d88242f-e45b-481c-bd41-b66a662618ce", "created": "2022-04-06T13:57:24.730Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:22.521Z", "description": "", - "modified": "2022-04-06T13:57:24.730Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--76c12fc8-a4eb-45d6-a3b7-e371a7248f69", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf.json b/mobile-attack/relationship/relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf.json new file mode 100644 index 0000000000..c201cfadd7 --- /dev/null +++ b/mobile-attack/relationship/relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--9e308e09-bca7-4d60-878a-8ec2e8686264", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6d8ffc4a-6496-423e-a44d-d5a973ee1acf", + "created": "2024-03-26T19:32:59.976Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Cyware APT-C-23 2020", + "description": "Cyware. (2020, October 2). APT\u2011C\u201123 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.", + "url": "https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4" + }, + { + "source_name": "SentinelLabs AridViper 2023", + "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", + "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" + }, + { + "source_name": "sophos_android_apt_spyware", + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + }, + { + "source_name": "threatpost AndroidSpyware 2020", + "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", + "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:22.718Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can record phone calls and audio.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)(Citation: threatpost AndroidSpyware 2020)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108.json b/mobile-attack/relationship/relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108.json index ec137557a6..68ac9a36f7 100644 --- a/mobile-attack/relationship/relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108.json +++ b/mobile-attack/relationship/relationship--6d910b1c-df72-4fcb-9d9e-0bb666c9c108.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--42ef6eb2-fc85-41c7-8eed-44ad88a7416c", + "id": "bundle--a2c19037-9e72-44a4-9ee4-74797de8503b", "spec_version": "2.0", "objects": [ { 
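Review bot: Two of the archived references in this new object embed a malformed original address. The `sophos_android_apt_spyware` entry has `https:/news.sophos.com/...` with a single slash after the scheme, and the `welivesecurity_apt-c-23` entry has `www.welivesecurity.com/...` with no scheme at all. The archive service typically resolves both forms, but tooling that extracts or validates the original URL from `external_references[].url`, or de-duplicates citations by URL, will treat them as malformed or as distinct sources. Writing the first as `https://web.archive.org/web/20231208015605/https://news.sophos.com/...`, and giving the second the scheme it was captured under, keeps the citations machine-checkable.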
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T20:53:47.270Z", + "modified": "2025-04-16T21:49:22.920Z", "description": "On Android, the user can review which applications can use premium SMS features in the \"Special access\" page within application settings. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6dada572-9e79-4835-9f8c-fcb6a94947af.json b/mobile-attack/relationship/relationship--6dada572-9e79-4835-9f8c-fcb6a94947af.json new file mode 100644 index 0000000000..0d7b123423 --- /dev/null +++ b/mobile-attack/relationship/relationship--6dada572-9e79-4835-9f8c-fcb6a94947af.json 
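Review bot: The `description` on the unchanged context line still ends with a trailing space (`...within application settings. "`), although this hunk already rewrites the object and bumps `modified`. The same stray whitespace appears in the new `relationship--6dada572-...` object, whose description ends with `Dec2023) "`, and in `relationship--6f27a13d-...`, whose description ends with a literal `\t` after the citation. Trimming these at export time keeps description comparisons between releases from flagging whitespace-only differences.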
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--3f3bb9b8-ed53-47d3-807a-29035dea3aec", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6dada572-9e79-4835-9f8c-fcb6a94947af", + "created": "2025-03-28T14:55:59.605Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + }, + { + "source_name": "SecureList OpTriangulation 01Jun2023", + "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", + "url": "https://securelist.com/operation-triangulation/109842/" + }, + { + "source_name": "SecureList OpTriangulation Dec2023", + "description": "Larin, B. (2023, December 27). Operation Triangulation: The last (hardware) mystery. 
Retrieved April 18, 2024.", + "url": "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:23.125Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors sent iMessage messages with malicious exploits that executed without user interaction.(Citation: SecureList OpTriangulation 01Jun2023)(Citation: SecureList OpTriangulation 23Oct2023)(Citation: SecureList OpTriangulation Dec2023) Additionally, the threat actors have used various exploits, such as CVE-2023-41990, CVE-2023-32435, CVE-2023-32434 and CVE-2023-38606, to obtain privilege escalation.(Citation: SecureList OpTriangulation Dec2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05.json b/mobile-attack/relationship/relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05.json index 783ccb3076..e55ffe0fe2 100644 --- a/mobile-attack/relationship/relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05.json +++ b/mobile-attack/relationship/relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05.json 
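Review bot: The new `description` records two separate behaviours under a single `target_ref`: iMessage exploits that executed without user interaction, and the use of CVE-2023-41990, CVE-2023-32435, CVE-2023-32434 and CVE-2023-38606 for privilege escalation. The technique behind `attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b` is not visible in this hunk, but a single technique presumably fits only one of the two sentences. Anyone building coverage or detection priorities by querying relationships per technique would then miss the other behaviour. Unless another relationship in this commit already covers it, consider moving the privilege-escalation sentence into its own `uses` relationship from `campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3` to the matching technique.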
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--5170804c-682b-46fe-835d-92986beb06ff", + "id": "bundle--f3083b16-ffdb-4463-9f1d-0a1279527084", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--6db7839a-5699-4e2a-8410-4e33bf88ba05", "created": "2023-12-18T18:18:56.785Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:18:56.785Z", + "modified": "2025-04-16T21:49:23.364Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has performed country and language checks.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23.json b/mobile-attack/relationship/relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23.json index 0168775ea7..fe5e7d4c83 100644 --- a/mobile-attack/relationship/relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23.json +++ b/mobile-attack/relationship/relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b74e5632-1d33-4aa6-a7cb-c5f6da592e35", + "id": "bundle--00ffb1cd-fb97-485c-89c4-8e04d4278376", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23", "type": "relationship", + "id": "relationship--6de29595-e63e-4d7e-992f-b4622b7b8e23", "created": "2020-09-11T14:54:16.566Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2020-09-11T14:54:16.566Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:23.581Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect device metadata and can check if the device is rooted.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--6e642c09-751c-43d8-9b99-aabb1703cad7.json b/mobile-attack/relationship/relationship--6e642c09-751c-43d8-9b99-aabb1703cad7.json new file mode 100644 index 0000000000..b7a6ac8e16 --- /dev/null +++ b/mobile-attack/relationship/relationship--6e642c09-751c-43d8-9b99-aabb1703cad7.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--1ee51805-7a71-4097-a87d-722d7be753b4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--6e642c09-751c-43d8-9b99-aabb1703cad7", + "created": "2025-03-24T17:57:15.381Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "FirshSecureList LightSpy 2020", + "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", + "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" + }, + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:23.803Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) gains initial execution when a victim visits a compromised or adversary-controlled website, including those mimicking legitimate sources such as a Hong Kong newspaper. 
Upon loading `index.html`, a Safari WebKit exploit is triggered, leading to the download of a Mach-O binary disguised with a `.png` extension.(Citation: FirshSecureList LightSpy 2020)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6e811d89-6526-480f-be40-1ad6483182ff.json b/mobile-attack/relationship/relationship--6e811d89-6526-480f-be40-1ad6483182ff.json index abf86701d0..1212b27034 100644 --- a/mobile-attack/relationship/relationship--6e811d89-6526-480f-be40-1ad6483182ff.json +++ b/mobile-attack/relationship/relationship--6e811d89-6526-480f-be40-1ad6483182ff.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--275d9c26-668e-425b-9229-0006cef29e17", + "id": "bundle--775932a2-1f16-41d8-b2b0-afa3cea5f98a", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.801Z", + "modified": "2025-04-16T21:49:24.013Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has used the Play Store icon as well as the name \u201cGoogle Play Marketplace\u201d.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a.json b/mobile-attack/relationship/relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a.json index 4b1ae4fa85..7e6d8a977c 100644 --- a/mobile-attack/relationship/relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a.json +++ b/mobile-attack/relationship/relationship--6ee69225-7c42-49e6-bfe4-c7009c82e76a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e09f0666-ebbe-432f-839b-d0ab1e34b4ce", + "id": "bundle--478c09ed-540b-486b-b3f3-4146a573a60d", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:56:10.432Z", + "modified": "2025-04-16T21:49:24.260Z", "description": "The user can view and manage installed third-party keyboards.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3.json b/mobile-attack/relationship/relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3.json index e4b75d9697..14c18d9374 100644 --- a/mobile-attack/relationship/relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3.json +++ b/mobile-attack/relationship/relationship--6f240b1d-de8f-465d-a0f1-f75e828493c3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bbfc5691-9494-45e7-b30d-e2c0e62dd774", + "id": "bundle--ffa70cb9-733b-430e-a21b-7b87daea2efe", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T20:42:54.574Z", + "modified": "2025-04-16T21:49:24.455Z", "description": "(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", "target_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60.json b/mobile-attack/relationship/relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60.json index 7bb15ccc24..359456556e 100644 --- a/mobile-attack/relationship/relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60.json +++ b/mobile-attack/relationship/relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--34dcbb14-42ce-4464-b8d8-38a509214de9", + "id": "bundle--04a99025-04a8-48a1-9874-cb2db8ec7422", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60", "type": "relationship", + "id": "relationship--6f27a13d-b353-47f3-8a71-a13e8c4c3d60", "created": "2020-09-11T14:54:16.585Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2021-04-19T17:11:50.418Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:24.665Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect attacker-specified files, including files located on external storage.(Citation: Lookout Desert Scorpion)\t", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87.json b/mobile-attack/relationship/relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87.json index cdae7f33ff..7d511a0894 100644 --- a/mobile-attack/relationship/relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87.json +++ b/mobile-attack/relationship/relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--43f4200d-d2e1-4764-9916-987f02609240", + "id": "bundle--d8c4c7e6-2c64-4f35-96f5-4bdeca42fc8e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87", "type": "relationship", + "id": "relationship--6f30b02b-5d88-453d-af1e-305a75bfaf87", "created": "2020-06-26T15:12:40.098Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ESET DEFENSOR ID", - "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/", - "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020." + "description": "L. Stefanko. (2020, May 22). Insidious Android malware gives up all malicious features but one to gain stealth. Retrieved June 26, 2020.", + "url": "https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/" } ], - "modified": "2020-06-26T15:12:40.098Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:24.873Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) can retrieve a list of installed applications.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d.json b/mobile-attack/relationship/relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d.json index 80ed6541e8..3b5b683f7b 100644 --- a/mobile-attack/relationship/relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d.json +++ b/mobile-attack/relationship/relationship--6f63395f-a826-45e2-8d3b-dccd6375f54d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--32b18129-1093-4fbd-8350-34aaab07714d", + "id": "bundle--873daa68-cdb4-49ac-a496-f3b7d63eb28d", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:39:29.860Z", + "modified": "2025-04-16T21:49:25.092Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) accesses and exfiltrates the call log.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c.json b/mobile-attack/relationship/relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c.json index 43e007add5..c366390c0f 100644 --- a/mobile-attack/relationship/relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c.json +++ b/mobile-attack/relationship/relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--44f11e83-9871-4e4e-b60f-8289db8049b7", + "id": "bundle--1d9d42c4-aab0-49b1-b8eb-e324c0e87d98", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c", "type": "relationship", + "id": "relationship--6f9f892e-56ec-480b-aa40-337f20f2bb9c", "created": "2020-11-10T17:08:35.624Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-11-10T17:08:35.624Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:25.312Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can dynamically load additional functionality.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998.json b/mobile-attack/relationship/relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998.json index de8610e594..d9f561c99d 100644 --- a/mobile-attack/relationship/relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998.json +++ b/mobile-attack/relationship/relationship--6faacfdd-d17d-4c6e-a33e-5fdea2cc3998.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d54ef224-5def-4cb8-ab3e-dba578d916e8", + "id": "bundle--5fc2fc95-3318-475b-aba6-433fad5bfb66", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.107Z", + "modified": "2025-04-16T21:49:25.519Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can create overlays to capture user credentials for targeted applications.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49.json b/mobile-attack/relationship/relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49.json index c31e3c6276..c1848fbccf 100644 --- a/mobile-attack/relationship/relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49.json +++ b/mobile-attack/relationship/relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--07c4c8ea-2f59-4797-8f7a-279884d2dc8b", + "id": "bundle--129ff271-5a9e-445e-acac-ef014005815e", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--70000e5a-cdff-4ff8-a565-5f7db60f8c49", "created": "2024-04-02T19:13:36.178Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-02T19:13:36.178Z", + "modified": "2025-04-16T21:49:25.720Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can activate a device\u2019s microphone.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7017085c-c612-48b2-b655-e18d7822d0e7.json b/mobile-attack/relationship/relationship--7017085c-c612-48b2-b655-e18d7822d0e7.json index b5a3ca392b..63f231b26f 100644 --- a/mobile-attack/relationship/relationship--7017085c-c612-48b2-b655-e18d7822d0e7.json +++ b/mobile-attack/relationship/relationship--7017085c-c612-48b2-b655-e18d7822d0e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d1f1020-53c7-4b90-81eb-8a32a3eb2741", + "id": "bundle--9a1f70ab-3ac2-4ad2-96ea-752ccc85b188", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:39:48.895Z", + "modified": "2025-04-16T21:49:25.930Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests phone call history from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30.json b/mobile-attack/relationship/relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30.json index e9241ce2a9..08da868d98 100644 --- a/mobile-attack/relationship/relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30.json +++ b/mobile-attack/relationship/relationship--70367e5c-15e0-4bcd-b538-7a90c4eefd30.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02901447-9275-4d0f-bb06-4129d731ceb1", + "id": "bundle--cc36088a-d854-44d2-ba4a-317ce7d08a11", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:26:35.443Z", + "modified": "2025-04-16T21:49:26.141Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) maintains persistence by installing an Android application package (APK) on the system partition.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c.json b/mobile-attack/relationship/relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c.json index 1c802e2837..b6e9518f36 100644 --- a/mobile-attack/relationship/relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c.json +++ b/mobile-attack/relationship/relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--a8c5e1df-ea82-4097-b449-af1cdc3e5a8e", + "id": "bundle--49e39187-9841-45f4-963e-2d45e6733b6c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c", "type": "relationship", + "id": "relationship--706c698c-aa8d-4fac-a6c1-2e047c3f965c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@
 "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/"
 }
 ],
- "modified": "2018-10-17T00:14:20.652Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:26.375Z",
 "description": "Original samples of [BrainTest](https://attack.mitre.org/software/S0293) download their exploit packs for rooting from a remote server after installation.(Citation: Lookout-BrainTest)",
 "relationship_type": "uses",
 "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e",
 "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e.json b/mobile-attack/relationship/relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e.json
index 881cde7df2..288699c5a6 100644
--- a/mobile-attack/relationship/relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e.json
+++ b/mobile-attack/relationship/relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--d4412898-fc11-4b7d-a3f9-69181bb243b5",
+ "id": "bundle--c50b3fdd-3888-4a23-a81e-e8c5b8105b66",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e",
 "type": "relationship",
+ "id": "relationship--70ec9e67-b755-41ee-a1db-71d250a90b4e",
 "created": "2020-01-14T17:47:08.826Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "SecureList DVMap June 2017",
- "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/",
- "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019."
+ "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.",
+ "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/"
 }
 ],
- "modified": "2020-01-14T17:47:08.826Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:26.584Z",
 "description": "[Dvmap](https://attack.mitre.org/software/S0420) checks the Android version to determine which system library to patch.(Citation: SecureList DVMap June 2017)",
 "relationship_type": "uses",
 "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514",
 "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159.json b/mobile-attack/relationship/relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159.json
index d43f758a9a..368a4e5b47 100644
--- a/mobile-attack/relationship/relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159.json
+++ b/mobile-attack/relationship/relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159.json
@@ -1,14 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--d2d914c4-21b0-4a86-8554-63d259b5ebf7",
+ "id": "bundle--d0790c12-9f00-4acc-8498-4e01a27b1c1b",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159",
 "type": "relationship",
+ "id": "relationship--70f8cbed-b20d-4ff2-ad02-8d78e7d49159",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
@@ -18,13 +15,16 @@
 "url": "http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/"
 }
 ],
- "modified": "2018-10-17T00:14:20.652Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:26.808Z",
 "description": "[Xbot](https://attack.mitre.org/software/S0298) can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom.(Citation: PaloAlto-Xbot)",
 "relationship_type": "uses",
 "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4",
 "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--70fa8498-6117-4e15-ae3c-f53d63996826.json b/mobile-attack/relationship/relationship--70fa8498-6117-4e15-ae3c-f53d63996826.json
index 554060b8ec..938859d218 100644
--- a/mobile-attack/relationship/relationship--70fa8498-6117-4e15-ae3c-f53d63996826.json
+++ b/mobile-attack/relationship/relationship--70fa8498-6117-4e15-ae3c-f53d63996826.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--f976c80a-84d5-45db-abd5-1d9a90520cff",
+ "id": "bundle--48f7b214-e03d-4572-9045-f7d82bb67260",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--70fa8498-6117-4e15-ae3c-f53d63996826",
 "type": "relationship",
+ "id": "relationship--70fa8498-6117-4e15-ae3c-f53d63996826",
 "created": "2020-06-26T15:32:25.050Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Threat Fabric Cerberus",
- "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html",
- "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020."
+ "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.",
+ "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html"
 }
 ],
- "modified": "2020-06-26T15:32:25.050Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:27.012Z",
 "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect the device\u2019s location.(Citation: Threat Fabric Cerberus)",
 "relationship_type": "uses",
 "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9",
 "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--71490fdb-e271-4a67-b932-5288924b1dae.json b/mobile-attack/relationship/relationship--71490fdb-e271-4a67-b932-5288924b1dae.json
index 2324fb7be8..e3fe666fee 100644
--- a/mobile-attack/relationship/relationship--71490fdb-e271-4a67-b932-5288924b1dae.json
+++ b/mobile-attack/relationship/relationship--71490fdb-e271-4a67-b932-5288924b1dae.json
@@ -1,14 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--08dd8e4f-64a8-45dd-9ae4-556000abbde5",
+ "id": "bundle--28007671-2342-4958-9ad4-bc7476efebf4",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--71490fdb-e271-4a67-b932-5288924b1dae",
 "type": "relationship",
+ "id": "relationship--71490fdb-e271-4a67-b932-5288924b1dae",
 "created": "2018-10-17T00:14:20.652Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
@@ -18,13 +15,16 @@
 "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/"
 }
 ],
- "modified": "2018-10-17T00:14:20.652Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:27.216Z",
 "description": "[DualToy](https://attack.mitre.org/software/S0315) collects the connected iOS device\u2019s information including IMEI, IMSI, ICCID, serial number and phone number.(Citation: PaloAlto-DualToy)",
 "relationship_type": "uses",
 "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878",
 "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--716f68ee-1e77-4254-8f67-d8f3c71db678.json b/mobile-attack/relationship/relationship--716f68ee-1e77-4254-8f67-d8f3c71db678.json
index 5d2bddc9e1..3e6dc3c50d 100644
--- a/mobile-attack/relationship/relationship--716f68ee-1e77-4254-8f67-d8f3c71db678.json
+++ b/mobile-attack/relationship/relationship--716f68ee-1e77-4254-8f67-d8f3c71db678.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--d0e10e4d-9aed-4c46-af2d-6f24f6ab482e",
+ "id": "bundle--74c4a8e5-1107-4f6e-806e-1bda817cbf34",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--716f68ee-1e77-4254-8f67-d8f3c71db678",
 "type": "relationship",
+ "id": "relationship--716f68ee-1e77-4254-8f67-d8f3c71db678",
 "created": "2021-09-20T13:59:00.498Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
+ "source_name": "Lookout-Monokle",
 "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.",
- "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf",
- "source_name": "Lookout-Monokle"
+ "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf"
 }
 ],
- "modified": "2021-09-20T13:59:00.498Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:27.417Z",
 "description": "[Monokle](https://attack.mitre.org/software/S0407) can be controlled via phone call from a set of \"control phones.\"(Citation: Lookout-Monokle)",
 "relationship_type": "uses",
 "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65",
 "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--717feaf1-493b-4a3e-b886-40652f41168d.json b/mobile-attack/relationship/relationship--717feaf1-493b-4a3e-b886-40652f41168d.json
index 0c637fa30d..022d107f86 100644
--- a/mobile-attack/relationship/relationship--717feaf1-493b-4a3e-b886-40652f41168d.json
+++ b/mobile-attack/relationship/relationship--717feaf1-493b-4a3e-b886-40652f41168d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c8e8d1a7-2eef-44fe-89bf-7cf01b4fc253",
+ "id": "bundle--1ba103a5-4c97-4e70-af77-88704e7bd1de",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-04-15T21:39:23.615Z",
+ "modified": "2025-04-16T21:49:27.621Z",
 "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to obtain a list of installed applications.(Citation: welivesec_strongpity) ",
 "relationship_type": "uses",
 "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4",
 "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--718a612e-50c5-40ab-9081-b88cefeafcb6.json b/mobile-attack/relationship/relationship--718a612e-50c5-40ab-9081-b88cefeafcb6.json
index a98e6d35a9..b39317e477 100644
--- a/mobile-attack/relationship/relationship--718a612e-50c5-40ab-9081-b88cefeafcb6.json
+++ b/mobile-attack/relationship/relationship--718a612e-50c5-40ab-9081-b88cefeafcb6.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--f8821c95-9353-4d39-b61b-7540addc2100", + "id": "bundle--3baa6e6b-0ce3-4c11-a67a-c994a0c15be0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--718a612e-50c5-40ab-9081-b88cefeafcb6", "created": "2021-04-26T15:33:55.905Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "CitizenLab Circles", - "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/", - "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. Retrieved December 23, 2020." + "description": "Bill Marczak, John Scott-Railton, Siddharth Prakash Rao, Siena Anstis, and Ron Deibert. (2020, December 1). Running in Circles Uncovering the Clients of Cyberespionage Firm Circles. 
Retrieved December 23, 2020.", + "url": "https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:27.836Z", "description": "[Circles](https://attack.mitre.org/software/S0602) can track the location of mobile devices.(Citation: CitizenLab Circles)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c6a07c89-a24c-4c7e-9e3e-6153cc595e24", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a.json b/mobile-attack/relationship/relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a.json index 8d84c70d37..16e2d5b544 100644 --- a/mobile-attack/relationship/relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a.json +++ b/mobile-attack/relationship/relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--7923066b-7d28-4a29-ba0d-43530a7f1ba5", + "id": "bundle--6252ba5b-cbe2-4109-9b1e-708576631d34", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--71fbb52a-1808-45a1-8cc2-13b461376e4a", "created": "2024-02-20T23:53:09.490Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-02-20T23:53:09.490Z",
+ "modified": "2025-04-16T21:49:28.073Z",
 "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect IP address and network configuration information.(Citation: Trend Micro FlyTrap)",
 "relationship_type": "uses",
 "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785",
 "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1.json b/mobile-attack/relationship/relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1.json
index 6772e7b5e6..24a2791325 100644
--- a/mobile-attack/relationship/relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1.json
+++ b/mobile-attack/relationship/relationship--721cc30c-74cf-4eed-89a8-7a8e63e6c0e1.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a677a7c9-1cc7-44d7-ab44-d6450b20931e",
+ "id": "bundle--b90810d7-2290-43d0-9a43-caaaef3df6eb",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T20:27:47.788Z",
+ "modified": "2025-04-16T21:49:28.317Z",
 "description": "[MazarBOT](https://attack.mitre.org/software/S0303) can intercept two-factor authentication codes sent by online banking apps.(Citation: Tripwire-MazarBOT)",
 "relationship_type": "uses",
 "source_ref": "malware--5ddf81ea-2c06-497b-8c30-5f1ab89a40f9",
 "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68.json b/mobile-attack/relationship/relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68.json
index 511975b678..cc0d3adc61 100644
--- a/mobile-attack/relationship/relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68.json
+++ b/mobile-attack/relationship/relationship--724e1b64-7c9b-4a8f-a2ab-3f9cab539e68.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f9813f17-9452-4aa3-b935-c2bc2f41ca7c",
+ "id": "bundle--2fb091ec-96b4-49eb-b702-1b97b87a8738",
 "spec_version": "2.0",
 "objects": [
 {
@@ -18,15 +18,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-10-10T19:19:38.654Z",
+ "modified": "2025-04-16T21:49:28.530Z",
 "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) has exfiltrated cached data from infected devices.(Citation: lookout_bouldspy_0423)",
 "relationship_type": "uses",
 "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1",
 "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--7258542e-029b-45b9-be69-6e76d9c93b35.json b/mobile-attack/relationship/relationship--7258542e-029b-45b9-be69-6e76d9c93b35.json
index f87b5a761f..7d611f12c4 100644
--- a/mobile-attack/relationship/relationship--7258542e-029b-45b9-be69-6e76d9c93b35.json
+++ b/mobile-attack/relationship/relationship--7258542e-029b-45b9-be69-6e76d9c93b35.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--8ee10cc5-6bbb-48a0-b87b-d546d5c14428",
+ "id": "bundle--32987fd4-9dc8-4031-a24b-ddcedc77212b",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T20:43:03.565Z",
+ "modified": "2025-04-16T21:49:28.749Z",
 "description": "[Twitoor](https://attack.mitre.org/software/S0302) can hide its presence on the system.(Citation: ESET-Twitoor)",
 "relationship_type": "uses",
 "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c",
 "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8.json b/mobile-attack/relationship/relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8.json
index 8ebac97cf7..8b06cb7a78 100644
--- a/mobile-attack/relationship/relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8.json
+++ b/mobile-attack/relationship/relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--3407ca57-a715-49e5-9e72-db8e49254f0c",
+ "id": "bundle--6814ec01-1e57-470b-84a2-7b67c38c59a3",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--725dc68b-e56d-42ac-b35e-651a7b3a2db8",
 "created": "2024-03-26T16:18:25.630Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-03-26T16:18:25.630Z",
+ "modified": "2025-04-16T21:49:28.952Z",
 "description": "[AndroRAT](https://attack.mitre.org/software/S0292) can take photos and videos using the device cameras.(Citation: forcepoint_bitter) ",
 "relationship_type": "uses",
 "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93",
 "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0.json b/mobile-attack/relationship/relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0.json
index 455bf8002a..b7e8c0c882 100644
--- a/mobile-attack/relationship/relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0.json
+++ b/mobile-attack/relationship/relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--790173b1-450f-49d6-98bb-15a0f416e2f7",
+ "id": "bundle--6155b204-80c3-4b73-8df7-6bac1039a81a",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--7260c8fe-6b3b-48a2-889f-f329fb5b4ef0",
 "created": "2017-10-25T14:48:53.741Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": false,
- "revoked": false,
- "description": "Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.",
- "modified": "2022-03-30T20:25:46.994Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:29.149Z",
+ "description": "Security architecture improvements in each new version of Android and iOS make it more difficult to escalate privileges. Additionally, newer versions of Android have strengthened the sandboxing applied to applications, restricting their ability to enumerate file system contents.",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564",
 "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af.json b/mobile-attack/relationship/relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af.json
index 0a2994614b..918fb97ce2 100644
--- a/mobile-attack/relationship/relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af.json
+++ b/mobile-attack/relationship/relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--db1d18f3-6da3-4652-a29f-3474628e24e0",
+ "id": "bundle--f4c9fd3b-0b8c-4d09-b7a6-4bbaf7a7f56c",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af",
 "type": "relationship",
+ "id": "relationship--72a5350f-f0cf-4f44-82d5-28a25492c6af",
 "created": "2020-04-24T15:06:33.531Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "TrendMicro Coronavirus Updates",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/",
- "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020."
+ "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.",
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/"
 }
 ],
- "modified": "2020-04-24T17:55:55.049Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:29.367Z",
 "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can take pictures using the camera and can record MP4 files.(Citation: TrendMicro Coronavirus Updates)",
 "relationship_type": "uses",
 "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a",
 "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--72a88d43-4144-444e-8f71-ac0d19ae3710.json b/mobile-attack/relationship/relationship--72a88d43-4144-444e-8f71-ac0d19ae3710.json
index 9aae281212..fb40806766 100644
--- a/mobile-attack/relationship/relationship--72a88d43-4144-444e-8f71-ac0d19ae3710.json
+++ b/mobile-attack/relationship/relationship--72a88d43-4144-444e-8f71-ac0d19ae3710.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--2928ca75-8696-450c-8c79-9092945403e1",
+ "id": "bundle--9729e484-b642-4a9a-ae21-b241e363c320",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--72a88d43-4144-444e-8f71-ac0d19ae3710",
 "type": "relationship",
+ "id": "relationship--72a88d43-4144-444e-8f71-ac0d19ae3710",
 "created": "2020-09-14T14:13:45.256Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Lookout eSurv",
- "url": "https://blog.lookout.com/esurv-research",
- "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020."
+ "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.",
+ "url": "https://blog.lookout.com/esurv-research"
 }
 ],
- "modified": "2020-09-14T14:13:45.256Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:49:29.568Z",
 "description": "[eSurv](https://attack.mitre.org/software/S0507) can track the device\u2019s location.(Citation: Lookout eSurv)",
 "relationship_type": "uses",
 "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403",
 "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--732ca9b5-961d-4734-9f8d-339078457457.json b/mobile-attack/relationship/relationship--732ca9b5-961d-4734-9f8d-339078457457.json
index 2a18cf1a4a..ea720c29fe 100644
--- a/mobile-attack/relationship/relationship--732ca9b5-961d-4734-9f8d-339078457457.json
+++ b/mobile-attack/relationship/relationship--732ca9b5-961d-4734-9f8d-339078457457.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--b516511a-e69c-40d5-879f-896622ab179c",
+ "id": "bundle--90682a68-48e1-4ad6-8c4d-3319b65bd199",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--732ca9b5-961d-4734-9f8d-339078457457",
 "created": "2024-04-02T19:15:19.864Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-04-02T19:15:19.864Z",
+ "modified": "2025-04-16T21:49:29.779Z",
 "description": "(Citation: Meta Adversarial Threat Report 2022)",
 "relationship_type": "uses",
 "source_ref": "intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258",
 "target_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--73410b22-5aca-4b86-8efc-98c1ad75399a.json b/mobile-attack/relationship/relationship--73410b22-5aca-4b86-8efc-98c1ad75399a.json
index 63c653b780..c5ff098ae2 100644
--- a/mobile-attack/relationship/relationship--73410b22-5aca-4b86-8efc-98c1ad75399a.json
+++ b/mobile-attack/relationship/relationship--73410b22-5aca-4b86-8efc-98c1ad75399a.json
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--03a81a35-ab36-416b-8a07-c49f850b4bab", + "id": "bundle--b3ef493b-4b25-4aae-9fbf-b9d5e7cf6ae6", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.572Z", + "modified": "2025-04-16T21:49:29.977Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) has masqueraded as \u201cGoogle service\u201d, \u201cGooglePlay\u201d, and \u201cFlash update\u201d.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9.json b/mobile-attack/relationship/relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9.json index 16e821d5d0..66cc882848 100644 --- a/mobile-attack/relationship/relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9.json +++ b/mobile-attack/relationship/relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a6eb0b38-4cb4-4d76-b4b3-21c1350e5c52", + "id": "bundle--46efeb60-2b79-47e3-b33a-5aa30074dfd6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9", "type": "relationship", + "id": "relationship--734fa2bf-17af-4e54-8d83-4cf9759e4ba9", "created": "2020-09-11T15:52:12.520Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-09-11T15:52:12.520Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:30.206Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can block, forward, hide, and send SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--73d22490-4043-42d7-ad25-74e4a642bf6a.json b/mobile-attack/relationship/relationship--73d22490-4043-42d7-ad25-74e4a642bf6a.json index 9c30268379..dc2f8950c0 100644 --- a/mobile-attack/relationship/relationship--73d22490-4043-42d7-ad25-74e4a642bf6a.json +++ b/mobile-attack/relationship/relationship--73d22490-4043-42d7-ad25-74e4a642bf6a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd314de7-352e-4c67-b1c8-43b13f9dbea4", + "id": "bundle--38b01209-8e18-4f3a-b958-b84a64649cbc", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-15T15:06:03.429Z", + "modified": "2025-04-16T21:49:30.417Z", "description": "Network carriers may be able to use firewalls, Intrusion Detection Systems (IDS), or Intrusion Prevention Systems (IPS) to detect and/or block SS7 exploitation.(Citation: CSRIC5-WG10-FinalReport) The CSRIC also suggests threat information sharing between telecommunications industry members.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3.json b/mobile-attack/relationship/relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3.json index 79f9f83c09..a540718152 100644 --- a/mobile-attack/relationship/relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3.json +++ b/mobile-attack/relationship/relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a13fcf96-4507-4053-ab74-6e98d4547b66", + "id": "bundle--e00d8436-d999-4a10-b4fc-446e48b09da0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--73d78f2c-dd3b-469c-a622-e2e89cb521d3", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication, however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently. ", - "modified": "2022-03-28T19:20:30.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:30.621Z", + "description": "Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication, however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently. 
", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee.json b/mobile-attack/relationship/relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee.json index e6e3fe8ee9..c7645d0b83 100644 --- a/mobile-attack/relationship/relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee.json +++ b/mobile-attack/relationship/relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--bc547df5-9868-4834-b15e-7eca4875e5f5", + "id": "bundle--7f9b8284-7522-4d99-84f5-0e5dd70b5176", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--73e78aab-bcd9-4d3c-96f8-832f399bf2ee", "created": "2024-02-20T23:56:14.156Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:56:14.156Z", + "modified": "2025-04-16T21:49:30.830Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--74080f4f-1de2-464f-8ec1-0635fc142273.json b/mobile-attack/relationship/relationship--74080f4f-1de2-464f-8ec1-0635fc142273.json index 1975ba35e1..699f820df4 100644 --- a/mobile-attack/relationship/relationship--74080f4f-1de2-464f-8ec1-0635fc142273.json +++ b/mobile-attack/relationship/relationship--74080f4f-1de2-464f-8ec1-0635fc142273.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--e2c96b4c-0faa-4648-8aa0-1cfd8331ff20", + "id": "bundle--32736367-813e-4800-9fe0-1b44025e6571", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--74080f4f-1de2-464f-8ec1-0635fc142273", "created": "2023-08-08T16:23:41.141Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:23:41.141Z", + "modified": "2025-04-16T21:49:31.040Z", "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8.json b/mobile-attack/relationship/relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8.json index 5946ed4c29..47b767f3b5 100644 --- a/mobile-attack/relationship/relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8.json +++ b/mobile-attack/relationship/relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--bd998fea-7dbb-492a-85a6-77d930604a79", + "id": "bundle--b524856a-fc66-4ab8-a098-313497e463bf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8", "type": "relationship", + "id": "relationship--740ea19e-d248-44e5-a0e5-3e9420df9dc8", "created": "2020-04-24T17:46:31.613Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", - "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", - "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], - "modified": "2020-04-24T17:46:31.613Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:31.253Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can inject input to set itself as the default SMS handler, and to automatically click through pop-ups without giving the user any time to react.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276.json b/mobile-attack/relationship/relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276.json index 601960cbfd..24a89adaab 100644 --- a/mobile-attack/relationship/relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276.json +++ b/mobile-attack/relationship/relationship--746eaf98-bd95-4e9a-a4ed-0e3f20402276.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4b5323f8-5a80-4c37-a3d2-769877312053", + "id": "bundle--67004cbf-b604-4f73-b68f-b339974d6138", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:57.989Z", + "modified": "2025-04-16T21:49:31.448Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can be bound to legitimate applications prior to installation on devices.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed.json b/mobile-attack/relationship/relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed.json index 99d6211859..2d09572803 100644 --- a/mobile-attack/relationship/relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed.json +++ b/mobile-attack/relationship/relationship--749dcdbd-9be9-403b-850f-8ee5452b7aed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8341f3f8-2395-42b9-be6b-2750c0a0a61e", + "id": "bundle--558c0421-fc45-4141-a158-f30731d3d6bb", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:30:21.044Z", + "modified": "2025-04-16T21:49:31.664Z", "description": "Application vetting services can detect unnecessary and potentially abused location permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba.json b/mobile-attack/relationship/relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba.json index 8648ca868a..45582d265f 100644 --- a/mobile-attack/relationship/relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba.json +++ b/mobile-attack/relationship/relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--e2041e7f-3d2e-466b-a58d-77fb4e2b4a0d", + "id": "bundle--2d5dc868-44ea-46c3-a454-75342ec40a10", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--74a137c7-b3f8-421f-bc52-bf9f0785d0ba", "created": "2023-09-22T19:15:56.498Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T19:15:56.498Z", + "modified": "2025-04-16T21:49:31.870Z", "description": "Command-line activities can potentially be detected through Mobile Threat Defense (MTD) integrations with lower-level OS APIs. This could grant the MTD agents access to running processes and their parameters, potentially detecting file deletion processes. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69.json b/mobile-attack/relationship/relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69.json index d7cf5e871a..9bc7266f0c 100644 --- a/mobile-attack/relationship/relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69.json +++ b/mobile-attack/relationship/relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--514b51cc-1adf-40bb-a35d-8d2977f26452", + "id": "bundle--60d38769-3ced-44ef-8c4e-bf9c8737eb37", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--74c3c88c-956b-4bc7-9ea2-585e7366fe69", "created": "2020-04-08T15:51:25.078Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "ThreatFabric Ginp", - "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", - "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:32.070Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can use a multi-step phishing overlay to capture banking credentials and then credit card numbers after login.(Citation: ThreatFabric Ginp)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at 
end of file diff --git a/mobile-attack/relationship/relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330.json b/mobile-attack/relationship/relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330.json index 20a434290e..a97a8495aa 100644 --- a/mobile-attack/relationship/relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330.json +++ b/mobile-attack/relationship/relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7ad18acf-3b0e-42cf-95d2-becad8e20e1a", + "id": "bundle--e0f7d296-16bf-485b-8506-00b4035dbdd4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--74c8c9e7-cd8b-4f3a-830d-a7e6e9668330", "created": "2022-04-01T15:01:53.321Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:32.280Z", "description": "Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary\u2019s access to password stores.", - "modified": "2022-04-01T15:01:53.321Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe.json b/mobile-attack/relationship/relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe.json index 9016d7c005..a927de6d88 100644 --- a/mobile-attack/relationship/relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe.json +++ b/mobile-attack/relationship/relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--89b461bb-a7cc-4548-a8db-8171784a3896", + "id": "bundle--bac66579-e7e2-4ac7-a138-707f17703c6e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe", "type": "relationship", + "id": "relationship--74eb8469-1cce-40f8-8b6b-486338e8cfbe", "created": "2020-07-15T20:20:59.282Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.282Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:32.483Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can record the screen.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6.json b/mobile-attack/relationship/relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6.json index 3e0b5d1949..0051972554 100644 --- a/mobile-attack/relationship/relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6.json +++ b/mobile-attack/relationship/relationship--75400f2e-8a9a-4bc6-a40b-f860b38868b6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3687fdce-e5aa-44d9-a808-79df3d255b46", + "id": "bundle--2260bb39-6500-41d3-b380-79a60dc7eb7c", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T21:08:37.537Z", + "modified": "2025-04-16T21:49:32.694Z", "description": "In iOS 14 and up, an orange dot (or orange square if the Differentiate Without Color setting is enabled) appears in the status bar when the microphone is being used by an application. However, there have been demonstrations indicating it may still be possible to access the microphone in the background without triggering this visual indicator by abusing features that natively access the microphone or camera but do not trigger the visual indicators.(Citation: iOS Mic Spyware)\n\n\nIn Android 12 and up, a green dot appears in the status bar when the microphone is being used by an application.(Citation: Android Privacy Indicators)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78.json b/mobile-attack/relationship/relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78.json index 1d85958c8d..677a28d526 100644 --- a/mobile-attack/relationship/relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78.json +++ b/mobile-attack/relationship/relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3ae6c13e-7482-4907-9da9-4d3fe7082b63", + "id": "bundle--6567f07f-89ab-4cab-8c99-30f2135b0f1b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78", "type": "relationship", + "id": "relationship--75472bf8-c7fd-4fc7-a11e-74189bc23b78", "created": "2019-10-10T15:17:00.972Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "FlexiSpy-Features", "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", - "url": "https://www.flexispy.com/en/features-overview.htm", - "source_name": "FlexiSpy-Features" + "url": "https://www.flexispy.com/en/features-overview.htm" } ], - "modified": "2019-10-14T18:08:28.666Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:32.909Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can monitor device photos and can also access browser history and bookmarks.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--75770898-93a7-45e3-bdb2-03172004a88f.json b/mobile-attack/relationship/relationship--75770898-93a7-45e3-bdb2-03172004a88f.json index 5245fa04f0..715f8d4d3b 100644 --- a/mobile-attack/relationship/relationship--75770898-93a7-45e3-bdb2-03172004a88f.json 
+++ b/mobile-attack/relationship/relationship--75770898-93a7-45e3-bdb2-03172004a88f.json @@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--3ed55461-44a2-4b0a-8487-ca7d476fa23d", + "id": "bundle--041ba90a-8ef5-4899-9546-643e58d7dd76", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--75770898-93a7-45e3-bdb2-03172004a88f", "created": "2022-03-30T14:49:47.451Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android-VerifiedBoot", - "url": "https://source.android.com/security/verifiedboot/", - "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016." + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:33.116Z", "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", - "modified": "2022-03-30T14:49:47.451Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--75989cf6-c023-4ed3-9d23-a83f55690186.json b/mobile-attack/relationship/relationship--75989cf6-c023-4ed3-9d23-a83f55690186.json index 1996553ee4..293582e824 100644 --- a/mobile-attack/relationship/relationship--75989cf6-c023-4ed3-9d23-a83f55690186.json +++ b/mobile-attack/relationship/relationship--75989cf6-c023-4ed3-9d23-a83f55690186.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f8566d50-81ae-40ad-b06c-1a44a14b67c8", + "id": "bundle--42a002e2-85db-4ac6-9f47-9069b06bfa39", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--75989cf6-c023-4ed3-9d23-a83f55690186", "created": "2023-02-28T21:43:36.886Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-28T21:43:36.886Z", + "modified": "2025-04-16T21:49:33.328Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can read incoming text messages.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b.json b/mobile-attack/relationship/relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b.json index dfcd59f4cc..30a976a2c6 100644 
--- a/mobile-attack/relationship/relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b.json +++ b/mobile-attack/relationship/relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--bba29e46-9414-4d79-bbbb-a2e15e5967c1", + "id": "bundle--d402e5bb-700a-4e96-b2b0-7dbe2a937532", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b", "type": "relationship", + "id": "relationship--759a2e09-32b6-4857-9b6d-adf5dcee142b", "created": "2020-12-14T15:02:35.286Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", - "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", - "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], - "modified": "2020-12-14T15:02:35.286Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:33.521Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d.json b/mobile-attack/relationship/relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d.json index f261fd33f9..bd34e5a5b2 100644 --- a/mobile-attack/relationship/relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d.json +++ b/mobile-attack/relationship/relationship--75a8614f-bf92-455d-b2ef-7085aff9a64d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4becd35d-e524-4ef0-ab3d-6f86dd35194b", + "id": "bundle--6132fe50-0228-402d-9da5-3ecfcfa58fa1", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-15T19:16:57.874Z", + "modified": "2025-04-16T21:49:33.722Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can log keystrokes and gather the lock screen password of an infected device by abusing Accessibility Services.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--75ed2348-279f-4485-97a3-9a5ada27d799.json b/mobile-attack/relationship/relationship--75ed2348-279f-4485-97a3-9a5ada27d799.json index 7efbfeec2f..160730f0b3 100644 --- a/mobile-attack/relationship/relationship--75ed2348-279f-4485-97a3-9a5ada27d799.json +++ b/mobile-attack/relationship/relationship--75ed2348-279f-4485-97a3-9a5ada27d799.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--46b84dbc-3507-47a7-8f52-29959308f13e", + "id": "bundle--5f9d5c58-7d50-4dc7-8c30-088d20ce47e0", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--75ed2348-279f-4485-97a3-9a5ada27d799", "created": "2023-02-06T19:06:17.406Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-06T19:06:17.406Z", + "modified": "2025-04-16T21:49:33.925Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can disable Play Protect.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--760037f0-f027-41bb-adf8-1ced6c7085be.json b/mobile-attack/relationship/relationship--760037f0-f027-41bb-adf8-1ced6c7085be.json index 9a84a44f41..9b9f5cad89 100644 --- a/mobile-attack/relationship/relationship--760037f0-f027-41bb-adf8-1ced6c7085be.json +++ b/mobile-attack/relationship/relationship--760037f0-f027-41bb-adf8-1ced6c7085be.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--20a15a59-dd73-4e81-8b16-386325dc0984", + "id": "bundle--a31fb773-ee1d-48f1-8873-003b8c80ac0b", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.225Z", + "modified": "2025-04-16T21:49:34.121Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has mimicked Facebook and Google icons on the \u201cRecent apps\u201d screen to avoid discovery and uses the `com.google.xxx` package name to avoid detection.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f.json b/mobile-attack/relationship/relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f.json index 43b241e9ef..e41df6d04b 100644 --- a/mobile-attack/relationship/relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f.json +++ b/mobile-attack/relationship/relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d1a0f819-7a57-4f66-b830-a12f88a00f07", + "id": "bundle--1197c414-8904-4fd4-b9e7-c14d20ff0f39", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f", "type": "relationship", + "id": "relationship--760faa7b-06cb-48b7-9103-1c52f2ca408f", "created": "2020-11-10T17:08:35.644Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-11-10T17:08:35.644Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:34.372Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2.json b/mobile-attack/relationship/relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2.json new file mode 100644 index 0000000000..9000f0d7db --- /dev/null +++ b/mobile-attack/relationship/relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--5c0ace0e-28e5-4b44-8549-289cc6a5f3e4", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--76336d14-0dcb-4fc4-8423-9996dca9a9f2", + "created": "2024-04-02T19:47:46.198Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:34.575Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) has used obfuscation techniques to hide its hardcoded C2 address.(Citation: welivesecurity_apt-c-23)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce.json b/mobile-attack/relationship/relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce.json index 35f37fd00f..565f450c52 100644 --- a/mobile-attack/relationship/relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce.json +++ b/mobile-attack/relationship/relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--2f2429d0-f942-4caa-98c8-b71318c4f3b2", + "id": "bundle--89d0cb18-78bf-4c2c-b0cd-243db853c80a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--764ba23e-9902-4a60-8ec3-e0ae1abf92ce", "created": "2023-09-22T19:16:35.609Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T19:16:35.609Z", + "modified": "2025-04-16T21:49:34.789Z", "description": "The user is prompted for approval when an application requests device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847.json b/mobile-attack/relationship/relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847.json index 14d6e4595d..ddbe0fcf45 100644 --- a/mobile-attack/relationship/relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847.json +++ b/mobile-attack/relationship/relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--304a7fc1-1efc-4a03-9ec6-9cc663299006", + "id": "bundle--f2f64fcc-19dc-4037-b669-96e2ee763645", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7657a4d4-1ba3-4b66-83f7-6db5eab14847", "created": "2022-04-06T13:30:03.526Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:34.987Z", "description": "Users should be taught that Device Administrator permissions are very dangerous, and very few applications need it.", - "modified": "2022-04-06T13:30:03.527Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7696b512-ba2f-4310-86e1-7c528529fc5e.json b/mobile-attack/relationship/relationship--7696b512-ba2f-4310-86e1-7c528529fc5e.json index 0dceeef0ae..e08a4d1dbf 100644 --- a/mobile-attack/relationship/relationship--7696b512-ba2f-4310-86e1-7c528529fc5e.json +++ b/mobile-attack/relationship/relationship--7696b512-ba2f-4310-86e1-7c528529fc5e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--24a6464e-2968-44b3-9a2e-9ff91cc35285", + "id": "bundle--c19ea27c-af6e-4db7-8ba4-814f5ab063bf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7696b512-ba2f-4310-86e1-7c528529fc5e", "type": "relationship", + "id": "relationship--7696b512-ba2f-4310-86e1-7c528529fc5e", "created": "2020-09-15T15:18:12.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", - "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", - "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], - "modified": "2020-09-15T15:18:12.425Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:35.213Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) stores its malicious code in encrypted asset files that are decrypted at runtime. Newer versions of [FakeSpy](https://attack.mitre.org/software/S0509) encrypt the C2 address.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--76cc66f4-ce85-4873-a63e-879b4a14a540.json b/mobile-attack/relationship/relationship--76cc66f4-ce85-4873-a63e-879b4a14a540.json index cca620351e..a078810a5e 100644 --- a/mobile-attack/relationship/relationship--76cc66f4-ce85-4873-a63e-879b4a14a540.json +++ b/mobile-attack/relationship/relationship--76cc66f4-ce85-4873-a63e-879b4a14a540.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--3dd548a1-3cae-4913-953b-5574982b3885", + "id": "bundle--8bc3c5e8-1338-46f6-83e8-1179e742630f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--76cc66f4-ce85-4873-a63e-879b4a14a540", "created": "2023-03-03T16:23:20.764Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:23:20.764Z", + "modified": "2025-04-16T21:49:35.423Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has connected to the C2 server via HTTP.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98.json b/mobile-attack/relationship/relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98.json index 0e30013db4..8250fef0de 100644 
--- a/mobile-attack/relationship/relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98.json +++ b/mobile-attack/relationship/relationship--76f852f3-f218-40e2-8fa1-6fb15c4cbf98.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6274da29-cc65-4650-886d-c76e58ee7e80", + "id": "bundle--4f4e8734-c228-44f2-807b-7d96e8345866", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.661Z", + "modified": "2025-04-16T21:49:35.648Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has masqueraded as legitimate media player, social media, and VPN applications.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7793a066-d72b-4a60-9579-e16369ea7185.json b/mobile-attack/relationship/relationship--7793a066-d72b-4a60-9579-e16369ea7185.json index 3af1b3c2f6..774f213b68 100644 --- a/mobile-attack/relationship/relationship--7793a066-d72b-4a60-9579-e16369ea7185.json +++ b/mobile-attack/relationship/relationship--7793a066-d72b-4a60-9579-e16369ea7185.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--45e9f09e-6136-45e3-a1e7-1d112ddc0b81", + "id": "bundle--4f8ad3e5-872b-4761-b15f-0a1c8b30fc32", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:22:25.132Z", + "modified": "2025-04-16T21:49:35.870Z", "description": "The user can view a list of apps with accessibility service privileges in the device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--77efa84c-5ef0-4554-b774-2dbfcca74087.json b/mobile-attack/relationship/relationship--77efa84c-5ef0-4554-b774-2dbfcca74087.json index f3a5b2891a..d18edd1d9d 100644 --- a/mobile-attack/relationship/relationship--77efa84c-5ef0-4554-b774-2dbfcca74087.json +++ b/mobile-attack/relationship/relationship--77efa84c-5ef0-4554-b774-2dbfcca74087.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--95993fcb-e505-4186-94b0-8ed8456ceb66", + "id": "bundle--38818e44-c5ec-4473-a7e4-4e2c388f66a8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--77efa84c-5ef0-4554-b774-2dbfcca74087", "type": "relationship", + "id": "relationship--77efa84c-5ef0-4554-b774-2dbfcca74087", "created": "2020-10-29T19:20:58.116Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", - "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", - "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], - "modified": "2020-10-29T19:20:58.116Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:36.077Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has checked to see how many apps are installed, and specifically if Facebook or FB Messenger are installed.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889.json b/mobile-attack/relationship/relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889.json index c924761992..85b1db4060 100644 --- a/mobile-attack/relationship/relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889.json +++ b/mobile-attack/relationship/relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--9d3bb6de-4a49-4277-8695-7255e577b3aa", + "id": "bundle--8d2f13a6-7ef8-40a7-b76d-924d69b5688c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7825f4b1-75ca-4377-b8f6-0dda9311d889", "created": "2023-08-04T18:30:58.116Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:30:58.116Z", + "modified": "2025-04-16T21:49:36.312Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can access a device\u2019s location.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45.json b/mobile-attack/relationship/relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45.json index b2cd937d23..50ef389f0b 100644 
--- a/mobile-attack/relationship/relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45.json +++ b/mobile-attack/relationship/relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--831d063c-096d-495e-bf2e-0e2f29a18bd2", + "id": "bundle--4a0ddb37-2aed-49a2-b672-b745cfbb1597", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--78417fce-5aaa-4ad3-a2f1-279fa18bfe45", "created": "2023-02-06T19:47:26.528Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-06T19:47:26.528Z", + "modified": "2025-04-16T21:49:36.530Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has been distributed in obfuscated and packed form.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164.json b/mobile-attack/relationship/relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164.json index cd38ca4fc9..12cfb874f8 100644 --- a/mobile-attack/relationship/relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164.json +++ b/mobile-attack/relationship/relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--cd21f210-9311-47ef-9f91-47890c776474", + "id": "bundle--babbe677-97e5-4365-957f-e7d168c7faaa", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164", "type": "relationship", + "id": "relationship--7850d933-120b-4ae6-998d-8dc4dfd6d164", "created": "2020-01-27T17:49:05.664Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "source_name": "Trend Micro Bouncing Golf 2019" + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-01-27T17:49:05.664Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:36.749Z", "description": "(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9.json b/mobile-attack/relationship/relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9.json index b2b5ba3c99..e242c8c5ab 100644 
--- a/mobile-attack/relationship/relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9.json +++ b/mobile-attack/relationship/relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--b87cda46-156d-4097-9bfa-8d35643564dc", + "id": "bundle--2dc4053a-cd75-458b-8a7c-e2341edcc9c2", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7863ef22-130a-4670-80c6-9bdeee58b8c9", "created": "2024-01-26T17:44:59.987Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-01-26T17:44:59.987Z", + "modified": "2025-04-16T21:49:36.957Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) may use the `BOOT_COMPLETED` action to trigger further scripts on boot.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7885c84c-b832-42d4-b3d3-49b82849262f.json b/mobile-attack/relationship/relationship--7885c84c-b832-42d4-b3d3-49b82849262f.json index 6752ca6a38..83c8132c24 100644 --- a/mobile-attack/relationship/relationship--7885c84c-b832-42d4-b3d3-49b82849262f.json +++ b/mobile-attack/relationship/relationship--7885c84c-b832-42d4-b3d3-49b82849262f.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--1bff1b09-8129-42d7-97ce-08b4e0b627fc", + "id": "bundle--778622b5-2ed4-4277-8dc5-274d52b33fa3", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7885c84c-b832-42d4-b3d3-49b82849262f", "created": "2024-03-26T19:04:53.270Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T19:04:53.270Z", + "modified": "2025-04-16T21:49:37.162Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can collect and exfiltrate WhatsApp media, photos and files with specific extensions, such as .pdf and .doc.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
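Review bot: The rewritten `url` of the `fb_arid_viper` reference has lost a slash in the embedded original address: it now reads `https://web.archive.org/web/20231126111812/https:/about.fb.com/...`, where the removed line had `https://about.fb.com/...`. The other archive.org rewrites visible in this commit (the `SWB Exodus March 2019` and `Skycure-Profiles` references) keep the double slash, so this looks like a normalisation slip in the export rather than an intended form. The Wayback Machine may still resolve it, but tooling that validates, matches or de-duplicates citation URLs would presumably treat it as a malformed or different link. I would restore `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`.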
diff --git a/mobile-attack/relationship/relationship--789699c2-44f1-4280-bf86-ab23e6a13e84.json b/mobile-attack/relationship/relationship--789699c2-44f1-4280-bf86-ab23e6a13e84.json index 1f604858b6..562df0c68b 100644 --- a/mobile-attack/relationship/relationship--789699c2-44f1-4280-bf86-ab23e6a13e84.json +++ b/mobile-attack/relationship/relationship--789699c2-44f1-4280-bf86-ab23e6a13e84.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--aa31f8ed-9718-471e-8061-14af25714d71", + "id": "bundle--34c13c26-1bd4-4c01-9ebc-fe6a2bab6089", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:18:51.813Z", + "modified": "2025-04-16T21:49:37.365Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads calendar events and reminders.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d.json b/mobile-attack/relationship/relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d.json index 2e2d6ec5db..8395e3fa74 100644 --- a/mobile-attack/relationship/relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d.json +++ b/mobile-attack/relationship/relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--31a5e043-ccf4-4698-91ae-6dd67ff674c2", + "id": "bundle--2873d415-a578-41eb-bce6-1d5159f27fdf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d", "type": "relationship", + "id": "relationship--789cb76e-27b0-4762-a2f7-3ff32ce0762d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:37.568Z", "description": "[PJApps](https://attack.mitre.org/software/S0291) has the capability to collect and leak the victim's phone number, mobile device unique identifier (IMEI).(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--c709da93-20c3-4d17-ab68-48cba76b2137", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f.json b/mobile-attack/relationship/relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f.json index fd242b04db..be630eb344 100644 --- a/mobile-attack/relationship/relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f.json +++ b/mobile-attack/relationship/relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--2cc07d16-e2c1-4935-a7f7-fa64f835375b", + "id": "bundle--0c47bcc1-39aa-4223-b705-5196af4c4f04", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f", "type": "relationship", + "id": "relationship--789dd0f9-527c-49b3-93b7-851ce4961f0f", "created": "2019-09-03T19:45:48.492Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-10-14T17:15:52.637Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:37.773Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) One queries the device for its IMEI code and the phone number in order to validate the target of a new infection.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9.json b/mobile-attack/relationship/relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9.json index ea5129e249..9fd740f754 100644 --- a/mobile-attack/relationship/relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9.json +++ b/mobile-attack/relationship/relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--19ec38b2-13d0-45f2-8e61-d798ea0a4980", + "id": "bundle--74355661-6d8e-4096-8a91-7bafb9d5f5c0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9", "type": "relationship", + "id": "relationship--78cc0d6d-6347-45a4-a18c-ca76150aa7a9", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:37.974Z", "description": "[BrainTest](https://attack.mitre.org/software/S0293) stores a secondary Android app package (APK) in its assets directory in encrypted form, and decrypts the payload at runtime.(Citation: Lookout-BrainTest)", "relationship_type": "uses", "source_ref": "malware--e13d084c-382f-40fd-aa9a-98d69e20301e", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf.json b/mobile-attack/relationship/relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf.json index 957b363969..0c8dfeb564 100644 --- a/mobile-attack/relationship/relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf.json +++ b/mobile-attack/relationship/relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e6d5bb88-72b7-44b7-8dee-04ae7a081f17", + "id": "bundle--caed7867-4c53-4543-ae89-3e19e080606b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf", "type": "relationship", + "id": "relationship--78fc4506-5c80-4638-8f51-44a2e28f7aaf", "created": "2020-09-11T15:43:49.309Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], - "modified": "2020-09-11T15:43:49.309Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:38.174Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can send SMS messages from a device.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57.json b/mobile-attack/relationship/relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57.json index bbb3a699ae..b8241405b5 100644 --- a/mobile-attack/relationship/relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57.json +++ b/mobile-attack/relationship/relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c1ee3ecf-5b1e-455d-aa71-c97e98e56822", + "id": "bundle--741ff101-9ba9-4875-b1d6-b38c8227479c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--792ae0c6-8b0c-4adf-9c7f-83ebee84bb57", "created": "2023-12-18T19:04:37.052Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:04:37.052Z", + "modified": "2025-04-16T21:49:38.388Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can enumerate files on external storage.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7.json b/mobile-attack/relationship/relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7.json index 45e8fd79cd..3d322aa9a3 100644 
--- a/mobile-attack/relationship/relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7.json +++ b/mobile-attack/relationship/relationship--794c3cb4-1a1f-4d7e-969f-c97dfcd006c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71ede489-5d34-43a7-bd20-8781b65e40fb", + "id": "bundle--0ec54f5b-cb9b-4c24-8767-8d9a73bb27e3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:22:27.554Z", + "modified": "2025-04-16T21:49:38.601Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request device administrator permissions.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7965128c-89d6-411e-b765-c60e0cae96c6.json b/mobile-attack/relationship/relationship--7965128c-89d6-411e-b765-c60e0cae96c6.json index ec5ca0404a..07c6e315d4 100644 --- a/mobile-attack/relationship/relationship--7965128c-89d6-411e-b765-c60e0cae96c6.json +++ b/mobile-attack/relationship/relationship--7965128c-89d6-411e-b765-c60e0cae96c6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--92dde113-4d36-46a9-814d-5b91729a6b6c", + "id": "bundle--4aa2e8ac-beb2-4213-83ea-855c100ad909", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:36:23.084Z", + "modified": "2025-04-16T21:49:38.822Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can manipulate clipboard data to replace cryptocurrency addresses.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--797e82a0-0132-4adc-8885-c9e9d88386dd.json b/mobile-attack/relationship/relationship--797e82a0-0132-4adc-8885-c9e9d88386dd.json index 1f25f985e9..ca22a81a50 100644 --- a/mobile-attack/relationship/relationship--797e82a0-0132-4adc-8885-c9e9d88386dd.json +++ b/mobile-attack/relationship/relationship--797e82a0-0132-4adc-8885-c9e9d88386dd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a5502b9-1b9c-4a3c-8378-a701a0b2ec9c", + "id": "bundle--b53104c8-1610-490f-a9b7-cae967db8b53", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T21:39:32.169Z", + "modified": "2025-04-16T21:49:39.033Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to record phone calls.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1.json b/mobile-attack/relationship/relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1.json index 9bfa1d4a87..3999eea2de 100644 --- a/mobile-attack/relationship/relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1.json +++ b/mobile-attack/relationship/relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--525a07ab-6103-4a86-8237-36afecbe654c", + "id": "bundle--73cf9b43-4c2b-4bfb-92c8-838b6c25d391", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--79c3fe5d-585b-401a-8bb4-84bfdc7252a1", "created": "2022-04-06T13:52:46.831Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:39.258Z", "description": "Android 7 changed how the Device Administrator password APIs function.", - "modified": "2022-04-06T13:52:46.831Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--79ef0025-3e1c-4914-9873-19808c2a5bec.json b/mobile-attack/relationship/relationship--79ef0025-3e1c-4914-9873-19808c2a5bec.json index a8a3785899..c082862cc8 100644 --- a/mobile-attack/relationship/relationship--79ef0025-3e1c-4914-9873-19808c2a5bec.json +++ b/mobile-attack/relationship/relationship--79ef0025-3e1c-4914-9873-19808c2a5bec.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--4558ba88-6d4a-4172-b2a0-97ebb4144447", + "id": "bundle--6a2d851d-6d9e-4b68-b807-72e27df6be99", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--79ef0025-3e1c-4914-9873-19808c2a5bec", "created": "2023-02-28T21:44:22.373Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-28T21:44:22.373Z", + "modified": "2025-04-16T21:49:39.457Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can record the screen and stream the data off the device.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a.json b/mobile-attack/relationship/relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a.json index c0696387f6..7382e6ed4c 100644 --- a/mobile-attack/relationship/relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a.json +++ b/mobile-attack/relationship/relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a.json 
@@ -1,22 +1,22 @@ { "type": "bundle", - "id": "bundle--8e38dd85-d302-448f-b7c2-126dcdf3f13d", + "id": "bundle--6d07d6fb-d928-4e7b-b133-a219a19fceb7", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--79f04c05-8299-4e5e-b4c1-3f82637fa47a", - "type": "relationship", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2018-10-17T00:14:20.652Z", + "modified": "2025-04-16T21:49:39.673Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--f9e4f526-ac9d-4df5-8949-833a82a1d2df", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7a50961b-9be4-4042-a6a0-878b612c520e.json b/mobile-attack/relationship/relationship--7a50961b-9be4-4042-a6a0-878b612c520e.json index 338596ee1d..87504cad29 100644 --- a/mobile-attack/relationship/relationship--7a50961b-9be4-4042-a6a0-878b612c520e.json +++ b/mobile-attack/relationship/relationship--7a50961b-9be4-4042-a6a0-878b612c520e.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--004fb527-8370-4d11-9bec-8dba397d5afb", + "id": "bundle--fae331fc-7345-453e-b7ad-c318746aaa1f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e", "type": "relationship", + "id": "relationship--7a50961b-9be4-4042-a6a0-878b612c520e", "created": "2019-07-10T15:25:57.602Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-08-12T17:30:07.571Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:39.878Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) uses the device microphone to record phone conversations.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac.json b/mobile-attack/relationship/relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac.json index 0531b5e61f..cdcc92171e 100644 --- a/mobile-attack/relationship/relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac.json +++ b/mobile-attack/relationship/relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c3e31dda-3715-486a-8051-9dfe192e44c2", + "id": "bundle--d56e5de3-37de-48f4-b6a0-32ca8567e1f3", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7a860f1b-fd19-48aa-b0b3-fbaa3d045dac", "created": "2023-12-18T18:14:01.632Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:14:01.632Z", + "modified": "2025-04-16T21:49:40.080Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can search for specifically installed security applications.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f.json b/mobile-attack/relationship/relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f.json index cdcdfe0ebe..390b11e155 100644 --- a/mobile-attack/relationship/relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f.json +++ b/mobile-attack/relationship/relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0e4e10da-e8d2-418b-92a3-2fa0cec464f3", + "id": "bundle--f79ca71f-f68e-4bed-a02e-a5519dd1335a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f", "type": "relationship", + "id": "relationship--7a8e1611-1a7e-45a0-b518-6efd744fce4f", "created": "2020-12-24T22:04:28.002Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:28.002Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:40.312Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has sent messages to an attacker-controlled number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7accde36-cb29-43c6-8c66-6486efd867a8.json b/mobile-attack/relationship/relationship--7accde36-cb29-43c6-8c66-6486efd867a8.json index bfcc4eebf1..46720a9bf7 100644 --- a/mobile-attack/relationship/relationship--7accde36-cb29-43c6-8c66-6486efd867a8.json +++ b/mobile-attack/relationship/relationship--7accde36-cb29-43c6-8c66-6486efd867a8.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--de0d7ded-43c7-4f25-bd3d-c73183e258aa", + "id": "bundle--9120b5e0-b38e-4d8f-a613-c3392095c88b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7accde36-cb29-43c6-8c66-6486efd867a8", "type": "relationship", + "id": "relationship--7accde36-cb29-43c6-8c66-6486efd867a8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-10-10T15:27:22.157Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:40.513Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to gather GPS coordinates.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06.json b/mobile-attack/relationship/relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06.json index c8e48f47bc..2453409d33 100644 --- a/mobile-attack/relationship/relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06.json +++ b/mobile-attack/relationship/relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--1363f440-afe6-4449-9ef2-2c8387f3d3de", + "id": "bundle--9d5834ef-dfb0-4d61-aef5-d804e0f2ce90", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06", "type": "relationship", + "id": "relationship--7af7d094-3a49-4e5e-99d0-385c79f95f06", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:40.719Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) monitors the victim for status and disables other access to the phone by other jailbreaking software.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024.json b/mobile-attack/relationship/relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024.json index 9d7878c34d..99b02696c4 100644 --- a/mobile-attack/relationship/relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024.json +++ b/mobile-attack/relationship/relationship--7b1477bc-8fd0-45ce-8eaa-b3b307f18024.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d47efef8-4675-4b74-8495-dcb153f7fbe8", + "id": "bundle--6a04baa0-f6c2-4a24-9d48-79f3ea390ea4", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "Skycure-Profiles", - "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved December 22, 2016.", - "url": "https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" + "description": "Yair Amit. (2013, March 12). Malicious Profiles - The Sleeping Giant of iOS Security. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20150203010257/https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:28:11.000Z", + "modified": "2025-04-16T21:49:40.915Z", "description": "Most [KeyRaider](https://attack.mitre.org/software/S0288) samples hook SSLRead and SSLWrite functions in the itunesstored process to intercept device communication with the Apple App Store.(Citation: Skycure-Profiles)", "relationship_type": "uses", "source_ref": "malware--3bc1f0ad-ef11-4afc-83c0-fcffe08d4e50", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f.json b/mobile-attack/relationship/relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f.json index f0ebbf46a1..f2da7f7c7f 100644 --- a/mobile-attack/relationship/relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f.json +++ b/mobile-attack/relationship/relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f.json 
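Review bot: The Skycure-Profiles reference that this hunk re-points to a web.archive.org snapshot is, by its title and 2013 date, an article on malicious iOS configuration profiles, yet the unchanged `description` line uses it to support a claim about KeyRaider hooking SSLRead and SSLWrite in the itunesstored process. Judging from the title alone the citation looks mis-attached, so the source should be confirmed while the reference is being edited; detections and reports built on this relationship inherit its provenance. If the article does not cover KeyRaider, replace the `external_references` entry and the `(Citation: Skycure-Profiles)` tag with the report that documents the hooks. The enclosing relationship object starts above the hunk.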
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--04cdb36b-b31f-4e0e-9d9b-b0faedaf9eec", + "id": "bundle--bad4c2c4-c11a-4b9b-8346-3517af3fc874", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7b3fa5cb-bd70-47e0-acfb-7db99e29e70f", "created": "2022-04-01T18:49:19.284Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:41.112Z", "description": "Recent versions of Android modified how device administrator applications are uninstalled, making it easier for the user to remove them. Android 7 introduced updates that revoke standard device administrators\u2019 ability to reset the device\u2019s passcode.", - "modified": "2022-04-01T18:49:19.284Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046.json b/mobile-attack/relationship/relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046.json index 4ef0dbed2b..71cace2c7a 100644 --- a/mobile-attack/relationship/relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046.json +++ b/mobile-attack/relationship/relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b67534cc-58bd-4535-b443-32913e5acda9", + "id": "bundle--3e879d7b-1b10-4e1f-818c-12f04f46213b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7b45e72f-5741-4942-aa28-ee7abb6f7046", "created": "2022-04-05T17:14:35.469Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:41.345Z", "description": "", - "modified": "2022-04-05T17:14:35.469Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14.json b/mobile-attack/relationship/relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14.json index 849a648a2a..23aa6e624a 100644 --- a/mobile-attack/relationship/relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14.json +++ b/mobile-attack/relationship/relationship--7b611c76-0ea1-49c5-9b9a-2e504a0bbe14.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7cabaa95-c4ca-4b18-a2b1-c7457d364f3f", + "id": "bundle--a4732a71-196b-4cb2-9d57-3ac370e4daf7", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:53:04.417Z", + "modified": "2025-04-16T21:49:41.556Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) disables Google Play Protect to prevent its discovery and deletion in the future.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb.json b/mobile-attack/relationship/relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb.json index 4893f581f0..745f301248 100644 --- a/mobile-attack/relationship/relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb.json +++ b/mobile-attack/relationship/relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--9af1f0a1-1565-4890-a916-cc660d580d1c", + "id": "bundle--35e308da-eae3-4c70-9b8a-65b06dae7cb4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7b679dbf-4e31-4d0b-9e13-eb8c3b98b7fb", "created": "2019-08-09T16:19:02.782Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android Capture Sensor 2019", - "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access", - "description": "Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019." + "description": "Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019.", + "url": "https://developer.android.com/about/versions/pie/android-9.0-changes-all#bg-sensor-access" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:41.771Z", "description": "Android 9 and above restricts access to microphone, camera, and other sensors from background applications.(Citation: Android Capture Sensor 2019) ", - "modified": "2022-04-01T15:21:13.296Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
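Review bot: The `description` of the Android Capture Sensor 2019 reference is re-emitted with an empty year and a stray space, `Android Developers. (, January). Android 9+ Privacy Changes . Retrieved August 27, 2019.`; the hunk only moves it above `url`. Fill in the publication year and drop the space before the period, e.g. `Android Developers. (<YEAR>, January). Android 9+ Privacy Changes. Retrieved August 27, 2019.`, with `<YEAR>` taken from the source page. The relationship's own `description` also ends in a trailing space after the citation.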
diff --git a/mobile-attack/relationship/relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531.json b/mobile-attack/relationship/relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531.json index 1dfe13c866..632db31441 100644 --- a/mobile-attack/relationship/relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531.json +++ b/mobile-attack/relationship/relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--43a1f6c3-d121-461f-8519-21fe8a897bfc", + "id": "bundle--dc373bbf-911a-457c-ac4c-cbc41c750e84", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531", "type": "relationship", + "id": "relationship--7b8c3ae2-7e52-4f1d-ad30-788b367a7531", "created": "2019-08-07T15:57:13.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Kaspersky Riltok June 2019", - "url": "https://securelist.com/mobile-banker-riltok/91374/", - "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], - "modified": "2019-09-15T15:36:42.340Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:41.970Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can query various details about the device, including phone number, country, mobile operator, model, root availability, and operating system version.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--7ba30703-c3aa-425a-9482-9e9941fd7038.json b/mobile-attack/relationship/relationship--7ba30703-c3aa-425a-9482-9e9941fd7038.json index 7621c5c1c5..6c4187b2fc 100644 --- a/mobile-attack/relationship/relationship--7ba30703-c3aa-425a-9482-9e9941fd7038.json +++ b/mobile-attack/relationship/relationship--7ba30703-c3aa-425a-9482-9e9941fd7038.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--94c8240c-ccea-4d80-a969-5f6c8018d97e", + "id": "bundle--b2a076a4-2ea7-4bf8-8cb5-b94b3e587756", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7ba30703-c3aa-425a-9482-9e9941fd7038", "type": "relationship", + "id": "relationship--7ba30703-c3aa-425a-9482-9e9941fd7038", "created": "2020-12-24T21:45:56.961Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:45:56.961Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:42.218Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access the camera on the device.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890.json b/mobile-attack/relationship/relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890.json index 8806d40070..880328b455 100644 --- a/mobile-attack/relationship/relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890.json +++ b/mobile-attack/relationship/relationship--7ba4fb2e-99ff-41ff-8b07-f02e9f74e890.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02cff5fe-fbcd-4d0a-98d0-74ae6c033dbe", + "id": "bundle--67925f4f-4003-4648-b092-29a75bb52d96", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:58:45.439Z", + "modified": "2025-04-16T21:49:42.427Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can record the screen via the `MediaProjection` library to harvest user credentials, including biometric PINs.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c.json b/mobile-attack/relationship/relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c.json index 93aed27d68..cd60c0caf2 100644 --- a/mobile-attack/relationship/relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c.json +++ b/mobile-attack/relationship/relationship--7baa3cab-c4f8-4b91-a6c3-189ad7a6416c.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d30075fa-b4c2-4ce0-9bb9-768a4570fd82", + "id": "bundle--b028b9cc-b50f-43ca-85c8-ab1662bc4cf8", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:34:08.372Z", + "modified": "2025-04-16T21:49:42.648Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) gathers contacts from the system by dumping the victim's address book.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e.json b/mobile-attack/relationship/relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e.json index 3e2fde5fcc..230fce98a8 100644 --- a/mobile-attack/relationship/relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e.json +++ b/mobile-attack/relationship/relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f84a187d-e1e1-402e-ad47-a9a5df2dedb4", + "id": "bundle--655e694d-13e9-4528-9da4-194751b75b1f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7bbbd2aa-104f-443a-907e-6e1fbcf0a73e", "created": "2023-07-21T19:34:29.630Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:34:29.630Z", + "modified": "2025-04-16T21:49:42.849Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can take and exfiltrate screenshots.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57.json b/mobile-attack/relationship/relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57.json index eb7d875c27..da4cda90e6 100644 --- a/mobile-attack/relationship/relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57.json +++ b/mobile-attack/relationship/relationship--7bc6460d-b36e-41ed-baa0-82d54ec19e57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--71196257-3058-45d1-8f92-945c0a45d2aa", + "id": "bundle--44b57b9b-d731-443b-91a1-69ea5d3ab193", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:58:58.480Z", + "modified": "2025-04-16T21:49:43.059Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can exfiltrate data back to the C2 server using HTTP.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc.json b/mobile-attack/relationship/relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc.json index bc69a2e132..e401146fae 100644 --- a/mobile-attack/relationship/relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc.json +++ b/mobile-attack/relationship/relationship--7bf2e05e-496f-49d1-8a37-48cc3ff8d6cc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28379c20-22f3-444e-b26a-33838515e123", + "id": "bundle--a8037f87-3894-44bf-87c6-812eb6c2a493", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.109Z", + "modified": "2025-04-16T21:49:43.275Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can modify administrator settings and disable Play Protect.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47.json b/mobile-attack/relationship/relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47.json index 4ca108d726..890c314c8c 100644 --- a/mobile-attack/relationship/relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47.json +++ b/mobile-attack/relationship/relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--cebb52cb-4d41-461a-be84-1a3a7a4c0bd8", + "id": "bundle--acf6edf6-39b3-4372-b979-54f27f6a0ad7", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7c4a4766-cb63-4a3c-85ef-a1dba3be4a47", "created": "2023-06-09T19:19:56.840Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-06-09T19:19:56.840Z", + "modified": "2025-04-16T21:49:43.486Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) has monitored for SMS and WhatsApp notifications.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7c6207c7-d738-4a17-8380-595c86574b64.json b/mobile-attack/relationship/relationship--7c6207c7-d738-4a17-8380-595c86574b64.json index d87550a143..05c2081215 100644 --- a/mobile-attack/relationship/relationship--7c6207c7-d738-4a17-8380-595c86574b64.json +++ b/mobile-attack/relationship/relationship--7c6207c7-d738-4a17-8380-595c86574b64.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f9fefb8c-a469-4e6d-a951-c751702d4559", + "id": "bundle--2cd0f40d-37e2-4db7-b01c-ddb16351bede", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7c6207c7-d738-4a17-8380-595c86574b64", "type": "relationship", + "id": "relationship--7c6207c7-d738-4a17-8380-595c86574b64", "created": "2020-09-11T16:22:03.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", - "url": "https://blog.lookout.com/viperrat-mobile-apt", - "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], - "modified": "2020-09-11T16:22:03.298Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:43.708Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can track the device\u2019s location.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd.json b/mobile-attack/relationship/relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd.json new file mode 100644 index 0000000000..46b31d81f2 --- /dev/null +++ b/mobile-attack/relationship/relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--6116f5ac-9700-4fa6-911e-79d6831a51f2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--7c67e8eb-4967-4858-8bfe-bb68c3f30cfd", + "created": "2025-04-15T18:12:30.764Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:43.907Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected device information such as IMEI, phone number, MAC address and IP address.(Citation: LinkedIn Dmitry LightSpy 2025) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56.json b/mobile-attack/relationship/relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56.json index 9c09b0cc13..a2f4713791 100644 
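Review bot: The only source for the new LightSpy relationship is a LinkedIn Pulse post, a page that can be edited, removed or put behind a sign-in. Other hunks in this same commit (Skycure-Profiles, cyble_drinik_1022) are already replacing dead links with web.archive.org snapshots. Point `url` at an archived capture from the start, e.g. `"url": "https://web.archive.org/web/<SNAPSHOT_TIMESTAMP>/https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"`, with the placeholder replaced by a real capture timestamp. The `description` value also ends with a trailing space after the citation, which is worth trimming.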
--- a/mobile-attack/relationship/relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56.json +++ b/mobile-attack/relationship/relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--b6c5f1ce-32d7-437a-9014-43243637c551", + "id": "bundle--5eab2159-5529-4d2e-b340-8ac925c8ede7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7cae8c80-c603-4352-a704-f3a2f4aa4a56", "created": "2019-09-03T20:08:00.737Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Talos Gustuff Apr 2019", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:44.111Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) abuses accessibility features to intercept all interactions between a user and the device.(Citation: Talos Gustuff Apr 2019)", - "modified": "2022-04-15T17:39:08.123Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562.json b/mobile-attack/relationship/relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562.json index 2d091359d0..c42d059819 100644 --- a/mobile-attack/relationship/relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562.json +++ b/mobile-attack/relationship/relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--b0530137-a5c6-40cd-9f7a-85468fd828ac", + "id": "bundle--0ec1d79d-5239-4b86-904d-d3568f6bfe58", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7d2f869d-a117-4b1f-a783-c6d3fc002562", "created": "2023-07-21T19:38:52.085Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:38:52.085Z", + "modified": "2025-04-16T21:49:44.322Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) uses unencrypted HTTP traffic between the victim and C2 infrastructure.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7d481598-ece7-469c-b231-619a804c25e5.json b/mobile-attack/relationship/relationship--7d481598-ece7-469c-b231-619a804c25e5.json index 425e2bbefa..8af303f71e 100644 
--- a/mobile-attack/relationship/relationship--7d481598-ece7-469c-b231-619a804c25e5.json +++ b/mobile-attack/relationship/relationship--7d481598-ece7-469c-b231-619a804c25e5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2eb73411-41be-4545-a896-69425935b072", + "id": "bundle--d34e3ff6-14f3-4e6b-8bc7-e34b784c0b45", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:34:25.318Z", + "modified": "2025-04-16T21:49:44.545Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) captures SMS messages that the victim sends or receives.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688.json b/mobile-attack/relationship/relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688.json index 35b6d88437..2176209212 100644 --- a/mobile-attack/relationship/relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688.json +++ b/mobile-attack/relationship/relationship--7d6bba99-ea81-42bc-b02a-e5e98b34a688.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--90007e47-904d-47d8-b929-b0b1384988a7", + "id": "bundle--335b2303-284a-476a-aac6-409f55c31ffd", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:19:44.427Z", + "modified": "2025-04-16T21:49:44.778Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can hide its icon from the application launcher.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7db33293-6971-4c0d-88e0-18f505ebd943.json b/mobile-attack/relationship/relationship--7db33293-6971-4c0d-88e0-18f505ebd943.json index b444d6232a..5f551a1952 100644 --- a/mobile-attack/relationship/relationship--7db33293-6971-4c0d-88e0-18f505ebd943.json +++ b/mobile-attack/relationship/relationship--7db33293-6971-4c0d-88e0-18f505ebd943.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--6c2d9783-0b9a-4499-a517-d93c56de3f3f", + "id": "bundle--04599e6c-4db4-4fe3-b037-637935a5c5de", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7db33293-6971-4c0d-88e0-18f505ebd943", "created": "2022-04-05T20:11:51.188Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:44.990Z", "description": "Recent OS versions have made it more difficult for applications to register as VPN providers. ", - "modified": "2022-04-05T20:11:51.188Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62.json b/mobile-attack/relationship/relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62.json index fdabab759c..ff652e8f2d 100644 --- a/mobile-attack/relationship/relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62.json +++ b/mobile-attack/relationship/relationship--7de1af68-d893-40a0-b27a-c9010f5cdc62.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7ec0db65-706d-4579-bd86-a5c430727f56", + "id": "bundle--18db6bbc-3744-4b47-b588-c4bac03c7a01", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T14:49:51.309Z", + "modified": "2025-04-16T21:49:45.216Z", "description": "Enterprises may be able to detect anomalous traffic originating from mobile devices, which could indicate compromise.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f.json b/mobile-attack/relationship/relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f.json index 4fa39fe44d..10e7047ea1 100644 --- a/mobile-attack/relationship/relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f.json +++ b/mobile-attack/relationship/relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7178e4e5-bfca-47a8-acbd-e289defb1229", + "id": "bundle--fb3f940b-c252-42c8-8bd3-2dd4a58b7b18", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f", "type": "relationship", + "id": "relationship--7ded1b79-cf7c-435d-b6ed-2c8872f9393f", "created": "2020-12-24T22:04:28.005Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:28.005Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:45.419Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken photos with the device camera.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7defdb15-65d1-40ca-a9da-5c0484892484.json b/mobile-attack/relationship/relationship--7defdb15-65d1-40ca-a9da-5c0484892484.json index ecbec80f8f..ffcd2a1740 100644 --- a/mobile-attack/relationship/relationship--7defdb15-65d1-40ca-a9da-5c0484892484.json +++ b/mobile-attack/relationship/relationship--7defdb15-65d1-40ca-a9da-5c0484892484.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--4140c59c-2ec8-4441-ae4f-f71868c8962d", + "id": "bundle--74341467-504c-44ba-9ed4-c0ee3553b4ff", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7defdb15-65d1-40ca-a9da-5c0484892484", "created": "2020-04-24T17:46:31.616Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SecurityIntelligence TrickMo", - "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", - "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:45.646Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can be controlled via encrypted SMS message.(Citation: SecurityIntelligence TrickMo)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } 
] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8.json b/mobile-attack/relationship/relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8.json index bf7097535e..850fded032 100644 --- a/mobile-attack/relationship/relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8.json +++ b/mobile-attack/relationship/relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--4243dc3a-b945-456e-a165-14931d201870", + "id": "bundle--5c21fd66-af46-4d0a-872d-77a71d242625", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7e00d3ac-a97a-4db0-9699-7474d81413a8", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "", - "modified": "2022-04-06T15:41:33.831Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:45.848Z", + "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a21a6a79-f9a1-4c87-aed9-ba2d79536881", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed.json b/mobile-attack/relationship/relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed.json index d5914fa796..a839dfe4f1 100644 
--- a/mobile-attack/relationship/relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed.json +++ b/mobile-attack/relationship/relationship--7e2d9773-1320-4c8f-a595-2b92bf0fd8ed.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b57191e0-175f-48f5-a790-1d93d9671661", + "id": "bundle--7606e0a8-3e59-41ef-ae87-2f224e24acd6", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:55:00.294Z", + "modified": "2025-04-16T21:49:46.054Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) accesses the device contact list.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7e8956e3-7d90-412d-a82f-d61e43239923.json b/mobile-attack/relationship/relationship--7e8956e3-7d90-412d-a82f-d61e43239923.json index c029a7d693..42dc080eee 100644 --- a/mobile-attack/relationship/relationship--7e8956e3-7d90-412d-a82f-d61e43239923.json +++ b/mobile-attack/relationship/relationship--7e8956e3-7d90-412d-a82f-d61e43239923.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--59607f93-e9e9-4e32-afcf-d889f13b9341", + "id": "bundle--3d04eee5-9e02-421f-9c2d-ed2ded62c9f8", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:21:32.437Z", + "modified": "2025-04-16T21:49:46.272Z", "description": "Application vetting services may indicate precisely what content was requested during application execution.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad.json b/mobile-attack/relationship/relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad.json index 3f83a225e2..737fbad967 100644 --- a/mobile-attack/relationship/relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad.json +++ b/mobile-attack/relationship/relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b114c6e2-7c62-4b9e-9b95-04ce555a72a0", + "id": "bundle--601d2dd0-9347-449b-9d02-72760f0198dc", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad", "type": "relationship", + "id": "relationship--7ec3ee9a-6710-46ed-aecb-c0f2a64739ad", "created": "2020-11-20T16:37:28.429Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T16:37:28.429Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:46.483Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect images, videos, and attacker-specified files.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4.json b/mobile-attack/relationship/relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4.json index b4fa29b46f..feac8cbf88 100644 --- a/mobile-attack/relationship/relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4.json +++ b/mobile-attack/relationship/relationship--7ee49e53-e75d-4e65-a71f-79919ebb08f4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--de8f1926-5547-4b67-891e-cb68d2da6618", + "id": "bundle--683b5969-d9e9-4cc6-9d12-18f6ae1e958c", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.109Z", + "modified": "2025-04-16T21:49:46.713Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can use its ransomware module to encrypt device data and hold it for ransom.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030.json b/mobile-attack/relationship/relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030.json index 39f2f9198a..1a98818952 100644 --- a/mobile-attack/relationship/relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030.json +++ b/mobile-attack/relationship/relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--f75947ed-4ae7-4269-a32f-93e42b1fb53b", + "id": "bundle--f99b9d8d-b921-44a2-9398-7dc4c1a3a851", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7ef9f4cf-863b-4bc4-bdaf-55055263c030", "created": "2022-03-30T20:42:04.251Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:46.921Z", "description": "Users should be advised to be extra scrutinous of applications that request location, and to deny any permissions requests for applications they do not recognize.", - "modified": "2022-03-30T20:42:04.251Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e.json b/mobile-attack/relationship/relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e.json index 493f791414..ab5fd1647e 100644 --- a/mobile-attack/relationship/relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e.json +++ b/mobile-attack/relationship/relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--9b2460ef-f7d2-4667-a218-6cfc9439ac52", + "id": "bundle--c2a7a3e7-7a17-4a7f-8c84-e99d86d96097", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7f3f4abd-f097-4ab5-b9ae-7ffc1a2e015e", "created": "2023-12-18T18:15:38.261Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:15:38.261Z", + "modified": "2025-04-16T21:49:47.136Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can check to see if it has been installed in a virtual environment.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7f4e1ac1-145e-4983-b735-7f70003893aa.json b/mobile-attack/relationship/relationship--7f4e1ac1-145e-4983-b735-7f70003893aa.json index ec39b6ca7c..74f5dfc21e 100644 --- a/mobile-attack/relationship/relationship--7f4e1ac1-145e-4983-b735-7f70003893aa.json +++ b/mobile-attack/relationship/relationship--7f4e1ac1-145e-4983-b735-7f70003893aa.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c605755c-f33a-4326-a154-7f8f27720a8e", + "id": "bundle--2d09fc5a-5b67-4305-8e89-f371418d63f6", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7f4e1ac1-145e-4983-b735-7f70003893aa", "created": "2023-08-04T18:29:35.223Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:29:35.223Z", + "modified": "2025-04-16T21:49:47.367Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate call logs.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7fa860d3-fa92-4953-8e79-05238b7dff99.json b/mobile-attack/relationship/relationship--7fa860d3-fa92-4953-8e79-05238b7dff99.json index e707e50849..bebcb87231 100644 --- a/mobile-attack/relationship/relationship--7fa860d3-fa92-4953-8e79-05238b7dff99.json +++ b/mobile-attack/relationship/relationship--7fa860d3-fa92-4953-8e79-05238b7dff99.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--d7d996b3-38cf-4e20-98e5-c4a256b7fbb4", + "id": "bundle--0fdd218c-711a-4b80-be5f-784a39781642", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--7fa860d3-fa92-4953-8e79-05238b7dff99", "created": "2024-03-29T15:04:39.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-29T15:04:39.189Z", + "modified": "2025-04-16T21:49:47.580Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec.json b/mobile-attack/relationship/relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec.json index cfa3677b6b..4cfc0e8bfd 100644 --- a/mobile-attack/relationship/relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec.json +++ b/mobile-attack/relationship/relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec.json 
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--da2ffeba-f898-4b15-bc35-080bf0184770", + "id": "bundle--b975e461-fa7f-40d7-b9a2-b8d97f366c8f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7fcfc36b-bebc-481f-b9af-b65008b045ec", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "BankInfoSecurity-BackDoor", - "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534", - "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017." + "description": "Jeremy Kirk. (2016, November 16). Why Did Chinese Spyware Linger in U.S. Phones?. Retrieved February 6, 2017.", + "url": "http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534" }, { "source_name": "NYTimes-BackDoor", - "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html", - "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. Retrieved February 6, 2017." + "description": "Matt Apuzzo and Michael S. Schmidt. (2016, November 15). Secret Back Door in Some U.S. Phones Sent Data to China, Analysts Say. 
Retrieved February 6, 2017.", + "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:47.788Z", "description": "[Adups](https://attack.mitre.org/software/S0309) was pre-installed on Android devices from some vendors.(Citation: NYTimes-BackDoor)(Citation: BankInfoSecurity-BackDoor)", - "modified": "2022-04-19T15:46:20.166Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9.json b/mobile-attack/relationship/relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9.json index ce02abf9b2..d1491677de 100644 --- a/mobile-attack/relationship/relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9.json +++ b/mobile-attack/relationship/relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9.json 
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--1de0c71d-2cf6-45c8-a1e9-48d923496c60", + "id": "bundle--4009c666-6467-4d43-a64d-fede6b4d0b84", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--7fe8ab9f-b207-4c39-ab5c-e929a1c949f9", "created": "2019-07-16T14:33:12.113Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Krebs-Triada June 2019", - "url": "https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/", - "description": "Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019." + "description": "Krebs, B. (2019, June 25). Tracing the Supply Chain Attack on Android. Retrieved July 16, 2019.", + "url": "https://krebsonsecurity.com/2019/06/tracing-the-supply-chain-attack-on-android-2/" }, { "source_name": "Google Triada June 2019", - "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", - "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:48.008Z", "description": "[Triada](https://attack.mitre.org/software/S0424) was added into the Android system by a third-party vendor identified as Yehuo or Blazefire during the production process.(Citation: Google Triada June 2019)(Citation: Krebs-Triada June 2019)", - "modified": "2022-04-19T15:47:32.152Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--806a9338-be20-4eef-aa54-067633ac0e58.json b/mobile-attack/relationship/relationship--806a9338-be20-4eef-aa54-067633ac0e58.json index 19c90e0be4..6381e3cfa3 100644 --- a/mobile-attack/relationship/relationship--806a9338-be20-4eef-aa54-067633ac0e58.json +++ b/mobile-attack/relationship/relationship--806a9338-be20-4eef-aa54-067633ac0e58.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5e4e4aad-b0d9-4e81-9766-0e0c43295f76", + "id": "bundle--a40103c1-6c92-4d39-afe3-c23b1d6952d8", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.110Z", + "modified": "2025-04-16T21:49:48.276Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the device\u2019s GPS location.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--80778a1e-715d-477b-87fa-e92181b31659.json b/mobile-attack/relationship/relationship--80778a1e-715d-477b-87fa-e92181b31659.json index 210f09e203..e0e0652f15 100644 --- a/mobile-attack/relationship/relationship--80778a1e-715d-477b-87fa-e92181b31659.json +++ b/mobile-attack/relationship/relationship--80778a1e-715d-477b-87fa-e92181b31659.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b315528e-bfe2-477b-b8e3-58cf9a2fd082", + "id": "bundle--2edcebfa-b52c-4d20-a6b9-aba74dc68c93", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:15:22.472Z", + "modified": "2025-04-16T21:49:48.473Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can delete various piece of device data, such as contacts, call logs, applications, SMS messages, email, plugins, and files in external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9.json b/mobile-attack/relationship/relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9.json index 7632f6c6cc..8dcceb2424 100644 --- a/mobile-attack/relationship/relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9.json +++ b/mobile-attack/relationship/relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--233dba50-fef3-4434-8b94-8dd22b12aa9d", + "id": "bundle--0a9323a7-3b1e-4c07-922f-7fd94850eded", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9", "type": "relationship", + "id": "relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9", "created": "2021-01-05T20:16:20.502Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.502Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:48.712Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can take screenshots.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--80eb5ebc-ae6f-461e-8e78-a18702249343.json b/mobile-attack/relationship/relationship--80eb5ebc-ae6f-461e-8e78-a18702249343.json index fe0a16beee..1227391c58 100644 --- a/mobile-attack/relationship/relationship--80eb5ebc-ae6f-461e-8e78-a18702249343.json 
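Review bot: The rewritten object for `relationship--80ac52f9-ffa4-4b6e-b420-95d1b69ae9d9` is stamped `"x_mitre_attack_spec_version": "3.2.0"` but still has neither `revoked` nor `x_mitre_deprecated`, while most other relationship objects in this patch state both explicitly as `false`. A consumer that filters on those keys with a strict equality test, rather than treating a missing key as false, could silently drop this software-to-technique mapping from coverage or detection reports. Since the object is regenerated here anyway, consider emitting `"revoked": false,` and `"x_mitre_deprecated": false,` alongside the other fields. As far as the hunks show, the same gap remains in the 81db3270, 81fb62ac and 82555171 files.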
+++ b/mobile-attack/relationship/relationship--80eb5ebc-ae6f-461e-8e78-a18702249343.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--fde5181a-3a01-40be-9fbd-6464be9b67a3", + "id": "bundle--2987e7c5-6043-4ea4-97ea-60811dafe34d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--80eb5ebc-ae6f-461e-8e78-a18702249343", "created": "2023-12-18T18:14:53.862Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:14:53.862Z", + "modified": "2025-04-16T21:49:48.920Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can hide incoming calls by setting ring volume to 0 and showing a blank screen overlay.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d.json b/mobile-attack/relationship/relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d.json index 8474b323f4..cb60c5df2c 100644 --- a/mobile-attack/relationship/relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d.json +++ b/mobile-attack/relationship/relationship--812490b8-2160-47e9-9e1e-c1749b7ee86d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04efa007-2b5f-4dca-a9b0-286f57a9ebc5", + "id": "bundle--b7a06905-9028-4ea1-bd5a-162aea475213", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T19:13:17.011Z", + "modified": "2025-04-16T21:49:49.142Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect Facebook account information, such as Facebook ID, email address, cookies, and login tokens.(Citation: Trend Micro FlyTrap)(Citation: Zimperium FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--81722aad-f503-4a74-91d5-1843adf8a995.json b/mobile-attack/relationship/relationship--81722aad-f503-4a74-91d5-1843adf8a995.json index 2b79d8ed82..a3aa13c03c 100644 --- a/mobile-attack/relationship/relationship--81722aad-f503-4a74-91d5-1843adf8a995.json +++ b/mobile-attack/relationship/relationship--81722aad-f503-4a74-91d5-1843adf8a995.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--bd528468-d1f7-42a1-aac7-33771098400b", + "id": "bundle--52d6f5cd-20e3-461d-9e95-efe3e341eeba", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--81722aad-f503-4a74-91d5-1843adf8a995", "created": "2023-08-16T16:36:04.747Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:36:04.747Z", + "modified": "2025-04-16T21:49:49.378Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can prevent application removal by abusing Accessibility Services.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--818b8c2b-bd23-4a83-9970-d42063608699.json b/mobile-attack/relationship/relationship--818b8c2b-bd23-4a83-9970-d42063608699.json index 9914427a37..cddfe1331d 100644 --- a/mobile-attack/relationship/relationship--818b8c2b-bd23-4a83-9970-d42063608699.json +++ b/mobile-attack/relationship/relationship--818b8c2b-bd23-4a83-9970-d42063608699.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd90ad6b-1db8-4cf3-8b8f-d7c68639e6fc", + "id": "bundle--2ea011a1-915e-4b99-bfb3-41093383680c", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:49:04.950Z", + "modified": "2025-04-16T21:49:49.581Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device contacts.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a.json b/mobile-attack/relationship/relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a.json new file mode 100644 index 0000000000..431f65a7f3 --- /dev/null +++ b/mobile-attack/relationship/relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--1bf96875-f91f-4b81-b3d8-dfe6dcff54a5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a", + "created": "2024-03-26T19:13:47.350Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "checkpoint_hamas_android_malware", + "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" + }, + { + "source_name": "fb_arid_viper", + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + }, + { + "source_name": "sophos_android_apt_spyware", + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:49.800Z", + "description": "(Citation: welivesecurity_apt-c-23)(Citation: fb_arid_viper)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)", + "relationship_type": "uses", + "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", + "target_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--81db3270-4cb8-4982-8ff8-c28a874e8421.json b/mobile-attack/relationship/relationship--81db3270-4cb8-4982-8ff8-c28a874e8421.json index 31f8e78bd9..ce3a96a285 100644 --- a/mobile-attack/relationship/relationship--81db3270-4cb8-4982-8ff8-c28a874e8421.json +++ b/mobile-attack/relationship/relationship--81db3270-4cb8-4982-8ff8-c28a874e8421.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--84dc5bcf-7155-44f1-b04b-5f59e23b5cea", + "id": "bundle--5a00141a-10d6-4a6e-920c-130bbcc0d187", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421", "type": "relationship", + "id": "relationship--81db3270-4cb8-4982-8ff8-c28a874e8421", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
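Review bot: Three of the four `external_references` URLs in the new `relationship--81d4d8cf-3785-4847-9c9e-5ea27580f93a.json` embed the original address with a single slash after the scheme (`…/https:/research.checkpoint.com/…`, `…/https:/about.fb.com/…`, `…/https:/news.sophos.com/…`), and the `welivesecurity_apt-c-23` entry embeds it with no scheme at all. The archive service most likely resolves these forms, but tooling that extracts, de-duplicates or allow-lists the original source URL from a reference would get a malformed value. Writing the embedded address in full keeps the references uniform, e.g. `https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/`.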
@@ -18,13 +15,16 @@ "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:50.011Z", "description": "[DressCode](https://attack.mitre.org/software/S0300) sets up a \"general purpose tunnel\" that can be used by an adversary to compromise enterprise networks that the mobile device is connected to.(Citation: TrendMicro-DressCode)", "relationship_type": "uses", "source_ref": "malware--ff742eeb-1f90-4f5a-8b92-9d40fffd99ca", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416.json b/mobile-attack/relationship/relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416.json index c7b83ecd12..44393b084b 100644 --- a/mobile-attack/relationship/relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416.json +++ b/mobile-attack/relationship/relationship--81dbe111-0f02-49a1-9bba-42a31e6bb416.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7400e5b0-a125-4117-8b26-78b1e1105ea9", + "id": "bundle--fdb41c81-2dec-489f-aa7b-4b05022a6130", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T22:33:23.699Z", + "modified": "2025-04-16T21:49:50.263Z", "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f.json b/mobile-attack/relationship/relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f.json index 08409e475a..652b6bf2e5 100644 --- a/mobile-attack/relationship/relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f.json +++ b/mobile-attack/relationship/relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--16a953e4-7ba6-4ad7-a36e-c6b740580738", + "id": "bundle--324eaf5a-7c4c-45ef-a029-de036c2842f2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--81e1311e-4fe1-4177-ae12-1d50037c5e4f", "created": "2020-06-02T14:32:31.906Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Volexity Insomnia", - "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", - "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:50.467Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has communicated with the C2 using HTTPS requests over ports 43111, 43223, and 43773.(Citation: Volexity Insomnia)", - "modified": "2022-04-20T16:40:05.898Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0.json b/mobile-attack/relationship/relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0.json index 2f4699ed52..b1c0c1aca7 100644 --- a/mobile-attack/relationship/relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0.json +++ b/mobile-attack/relationship/relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--2345dad2-9665-4ed4-b0d5-609aae87321d", + "id": "bundle--8f6ffb03-2153-4670-8e70-f20fab637cc9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0", "type": "relationship", + "id": "relationship--81fb62ac-ba04-48d2-8817-52d0652f61a0", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:50.689Z", "description": "[Judy](https://attack.mitre.org/software/S0325) bypasses Google Play's protections by downloading a malicious payload at runtime after installation.(Citation: CheckPoint-Judy)", "relationship_type": "uses", "source_ref": "malware--172444ab-97fc-4d94-b142-179452bfb760", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7.json b/mobile-attack/relationship/relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7.json new file mode 100644 index 0000000000..e89663e04f --- /dev/null +++ b/mobile-attack/relationship/relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a97acabc-d7e6-46f6-88fa-a551844b4ab6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7", + "created": "2025-03-24T20:13:39.921Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:50.898Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has communicated with the C2 using ports 52202, 51200, 43201, 43202, 43203, and 21202.(Citation: Threatfabric LightSpy 2023) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8244700e-6f96-463a-a9c3-810c489a2c60.json b/mobile-attack/relationship/relationship--8244700e-6f96-463a-a9c3-810c489a2c60.json index ac0451398e..2b7d8e0ec4 100644 --- a/mobile-attack/relationship/relationship--8244700e-6f96-463a-a9c3-810c489a2c60.json +++ b/mobile-attack/relationship/relationship--8244700e-6f96-463a-a9c3-810c489a2c60.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c972b967-2154-48d6-915d-b075c86f2b3e", + "id": "bundle--e59c579e-6d22-47c6-9c07-ed9bb26ac382", "spec_version": "2.0", "objects": [ { 
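Review bot: The `description` value in the new `relationship--821db003-f7ad-4e28-b07d-2e3fc4f208a7.json` ends with a stray space after the last citation (`…(Citation: Threatfabric LightSpy 2023) "`). That space carries into anything that renders, hashes or diffs the text. Trim it so the string closes directly after the parenthesis, `…and 21202.(Citation: Threatfabric LightSpy 2023)",`. The description carried as context in the 82f12052 file later in this patch has the same trailing space.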
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T14:54:57.884Z", + "modified": "2025-04-16T21:49:51.107Z", "description": "Application vetting services could detect applications trying to modify files in protected parts of the operating system.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--82555171-8b78-40f3-84d9-058359ae808a.json b/mobile-attack/relationship/relationship--82555171-8b78-40f3-84d9-058359ae808a.json index 156d8c3ba7..af9c6f2c8b 100644 --- a/mobile-attack/relationship/relationship--82555171-8b78-40f3-84d9-058359ae808a.json +++ b/mobile-attack/relationship/relationship--82555171-8b78-40f3-84d9-058359ae808a.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--908453ec-79ee-4936-b94a-3dcc3db3156b", + "id": "bundle--8309c7a5-8759-42fc-94a9-b136026ad5ce", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--82555171-8b78-40f3-84d9-058359ae808a", "type": "relationship", + "id": "relationship--82555171-8b78-40f3-84d9-058359ae808a", "created": "2020-09-24T15:34:51.244Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], - "modified": "2020-09-24T15:34:51.244Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:51.368Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can send and block SMS messages.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--825ffecc-090f-44c8-87be-f7b72e07f987.json b/mobile-attack/relationship/relationship--825ffecc-090f-44c8-87be-f7b72e07f987.json index c6735a0066..080e85d9c7 100644 --- a/mobile-attack/relationship/relationship--825ffecc-090f-44c8-87be-f7b72e07f987.json +++ b/mobile-attack/relationship/relationship--825ffecc-090f-44c8-87be-f7b72e07f987.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--86f7caf8-6165-4adb-bec0-3d0117d6371a", + "id": "bundle--483a90af-3499-4560-92a2-eba4f72d2ef0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--825ffecc-090f-44c8-87be-f7b72e07f987", "created": "2022-04-01T18:43:15.716Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:51.565Z", "description": "Mobile security software can typically detect if a device has been rooted or jailbroken and can inform the user, who can then take appropriate action.", - "modified": "2022-04-01T18:43:15.716Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d.json b/mobile-attack/relationship/relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d.json index a26e52e9ef..e0863c5978 100644 --- a/mobile-attack/relationship/relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d.json +++ b/mobile-attack/relationship/relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--402a4d7d-5e1d-41a9-b531-66229b116c24", + "id": "bundle--113040a7-1bf5-41e8-aa96-29363cb4bae0", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--826e3bad-fa02-4fd9-b8f1-1d23f374b43d", "created": "2024-02-20T23:45:08.561Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:45:08.561Z", + "modified": "2025-04-16T21:49:51.767Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect various pieces of device network configuration information, such as mobile network operator.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--828417ec-c444-41c8-95b4-c339c5ecf62b.json b/mobile-attack/relationship/relationship--828417ec-c444-41c8-95b4-c339c5ecf62b.json index 93921f703c..bc55a23c0c 100644 --- a/mobile-attack/relationship/relationship--828417ec-c444-41c8-95b4-c339c5ecf62b.json +++ b/mobile-attack/relationship/relationship--828417ec-c444-41c8-95b4-c339c5ecf62b.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--dda4e51b-4495-410e-85d0-e3cb8e790aba", + "id": "bundle--be028e70-678c-40b5-b9c8-37df14c0ee9d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--828417ec-c444-41c8-95b4-c339c5ecf62b", "created": "2022-03-30T20:48:00.360Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:51.965Z", "description": "iOS users should be instructed to not download applications from unofficial sources, as applications distributed via the Apple App Store cannot list installed applications on a device.", - "modified": "2022-03-30T20:48:00.360Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--82a51cc3-7a91-43b0-9147-df5983e52b41.json b/mobile-attack/relationship/relationship--82a51cc3-7a91-43b0-9147-df5983e52b41.json index 330218fb07..62456cc3d1 100644 --- a/mobile-attack/relationship/relationship--82a51cc3-7a91-43b0-9147-df5983e52b41.json +++ b/mobile-attack/relationship/relationship--82a51cc3-7a91-43b0-9147-df5983e52b41.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53bf78d0-4782-440d-830d-5f8685a6d8d9", + "id": "bundle--6cd6a0c5-c268-48c1-8bd8-2d158393bd65", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:08:11.798Z", + "modified": "2025-04-16T21:49:52.168Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has communicated with the C2 using HTTP POST requests.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--82b58c75-239e-4dac-b848-bc1f3354adc4.json b/mobile-attack/relationship/relationship--82b58c75-239e-4dac-b848-bc1f3354adc4.json index ed02659110..8b1565be11 100644 --- a/mobile-attack/relationship/relationship--82b58c75-239e-4dac-b848-bc1f3354adc4.json +++ b/mobile-attack/relationship/relationship--82b58c75-239e-4dac-b848-bc1f3354adc4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65a754b9-36ca-4219-9082-8349596f59d6", + "id": "bundle--09de6cc1-dda7-4fd1-9373-43b9529ba3b2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T22:14:04.455Z", + "modified": "2025-04-16T21:49:52.408Z", "description": "Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--82e93a9e-6968-497f-8043-a08d0f35bd32.json b/mobile-attack/relationship/relationship--82e93a9e-6968-497f-8043-a08d0f35bd32.json index 540d207d6d..b5b95f3623 100644 --- a/mobile-attack/relationship/relationship--82e93a9e-6968-497f-8043-a08d0f35bd32.json +++ b/mobile-attack/relationship/relationship--82e93a9e-6968-497f-8043-a08d0f35bd32.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--743cdd68-bc1a-4377-afff-4f085f248ed6", + "id": "bundle--7feea167-37ee-45ec-b4a7-d0926d3f613e", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.110Z", + "modified": "2025-04-16T21:49:52.612Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has requested accessibility service privileges while masquerading as \"Google Play Protect\" and has disguised additional malicious application installs as legitimate system updates.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--82f12052-783e-40e4-8079-d9c030c310fd.json b/mobile-attack/relationship/relationship--82f12052-783e-40e4-8079-d9c030c310fd.json index ac41696bb7..3833ee5061 100644 --- a/mobile-attack/relationship/relationship--82f12052-783e-40e4-8079-d9c030c310fd.json +++ b/mobile-attack/relationship/relationship--82f12052-783e-40e4-8079-d9c030c310fd.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--e04e02b9-3b39-4a94-9c04-197014ea1076", + "id": "bundle--30428c00-2502-4081-8531-4a564980e618", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--82f12052-783e-40e4-8079-d9c030c310fd", "created": "2022-03-30T20:08:40.223Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:52.819Z", "description": "Android and iOS include system partition integrity mechanisms that could detect unauthorized modifications. ", - "modified": "2022-03-30T20:08:40.223Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--82f51cc6-6ce4-459e-b598-7b2b77983469.json b/mobile-attack/relationship/relationship--82f51cc6-6ce4-459e-b598-7b2b77983469.json index d29f088296..f434e4304c 100644 --- a/mobile-attack/relationship/relationship--82f51cc6-6ce4-459e-b598-7b2b77983469.json +++ b/mobile-attack/relationship/relationship--82f51cc6-6ce4-459e-b598-7b2b77983469.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a439ff07-c856-4d08-a101-b0bb92515db9", + "id": "bundle--dc24228b-9801-4b0a-9ef8-d0bd9e36d3f2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:28:18.530Z", + "modified": "2025-04-16T21:49:53.011Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect SMS messages.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--83358774-0857-429c-9f7a-151403e52881.json b/mobile-attack/relationship/relationship--83358774-0857-429c-9f7a-151403e52881.json index 03c1da1b23..1ddf4217f0 100644 --- a/mobile-attack/relationship/relationship--83358774-0857-429c-9f7a-151403e52881.json +++ b/mobile-attack/relationship/relationship--83358774-0857-429c-9f7a-151403e52881.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0f328369-58fd-44d2-a3c6-f224c3f657ad", + "id": "bundle--ccf18d3a-13ba-4632-94e9-f0ed7784b57a", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.912Z", + "modified": "2025-04-16T21:49:53.221Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used names like WhatsApp and Netflix.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c.json b/mobile-attack/relationship/relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c.json index db2f06af53..d61edf33f3 100644 --- a/mobile-attack/relationship/relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c.json +++ b/mobile-attack/relationship/relationship--833b4c44-7370-4b27-b9b2-a058c27dcf8c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c02a514-86bf-4569-9955-944fd596ad8f", + "id": "bundle--e6f512fc-2f6e-4fc0-b3f6-2b18728f1778", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:28:32.568Z", + "modified": "2025-04-16T21:49:53.428Z", "description": "[Xbot](https://attack.mitre.org/software/S0298) steals all SMS message and contact information as well as intercepts and parses certain SMS messages.(Citation: PaloAlto-Xbot)", "relationship_type": "uses", "source_ref": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a.json b/mobile-attack/relationship/relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a.json index d4044aa651..44fef2d0c7 100644 --- a/mobile-attack/relationship/relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a.json +++ b/mobile-attack/relationship/relationship--834c9a7e-6520-486d-ba60-c3a8b2f9eb1a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ca287f62-0145-4504-b9e7-3b9d7962fe25", + "id": "bundle--e70c21cd-e38b-467d-97f9-e9507c40655d", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:28:46.820Z", + "modified": "2025-04-16T21:49:53.650Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects SMS messages.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b.json b/mobile-attack/relationship/relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b.json index 8f06d7b045..b11bf1013a 100644 --- a/mobile-attack/relationship/relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b.json +++ b/mobile-attack/relationship/relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--532b35ca-cf2c-479e-871b-142c1efbc04e", + "id": "bundle--38ff0854-4fb5-4ffd-b722-59ccaab3701b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--8375c6f6-4450-4aa5-ae26-672aecf91d1b", "created": "2024-04-02T19:14:02.841Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-02T19:14:02.842Z", + "modified": "2025-04-16T21:49:53.854Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can retrieve a device\u2019s SMS messages.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835.json b/mobile-attack/relationship/relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835.json index 62d6d9d3eb..f22fcee603 100644 --- a/mobile-attack/relationship/relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835.json +++ b/mobile-attack/relationship/relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--34b15680-c6a0-4bfb-82ab-e309753326b5", + "id": "bundle--ccfb25a8-6227-4de6-ba0f-7c4d413ce369", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835", "type": "relationship", + "id": "relationship--83991b5c-59b9-4fe5-9ef2-39c6ddc8b835", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], - "modified": "2019-10-15T19:54:10.285Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:54.064Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) gathered system information including phone number, OS version, phone model, and SDK version.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--83d95d05-7545-4295-894b-f33a2ba1063b.json b/mobile-attack/relationship/relationship--83d95d05-7545-4295-894b-f33a2ba1063b.json index 1b2cbf045a..e1ecef704f 100644 --- a/mobile-attack/relationship/relationship--83d95d05-7545-4295-894b-f33a2ba1063b.json +++ b/mobile-attack/relationship/relationship--83d95d05-7545-4295-894b-f33a2ba1063b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--63130977-63ef-459c-b3c1-38dfca583bb6", + "id": "bundle--8ff896b0-f1b8-4231-a9e2-a7a1cd53fc18", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:47:45.408Z", + "modified": "2025-04-16T21:49:54.274Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has registered several broadcast receivers.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7.json b/mobile-attack/relationship/relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7.json new file mode 100644 index 0000000000..06fad0b7bd --- /dev/null +++ b/mobile-attack/relationship/relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--6eb55719-f95a-45ab-915b-170379df4517", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--841dcc87-1c22-4775-abe8-606aa6a48bf7", + "created": "2025-03-24T17:48:43.834Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "FirshSecureList LightSpy 2020", + "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", + "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:54.487Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has captured environment audio, phone calls and Voice over IP (VoIP) calls.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--848581bc-bf8f-40e2-871e-cd67042b4adf.json b/mobile-attack/relationship/relationship--848581bc-bf8f-40e2-871e-cd67042b4adf.json index 54fc2cbe1e..fb8c0a9368 100644 --- a/mobile-attack/relationship/relationship--848581bc-bf8f-40e2-871e-cd67042b4adf.json +++ b/mobile-attack/relationship/relationship--848581bc-bf8f-40e2-871e-cd67042b4adf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7fe9fb2e-3fe6-4f20-923e-3ebbea579699", + "id": "bundle--c0c846b3-4864-483d-8025-2f3201021349", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:59:26.448Z", + "modified": "2025-04-16T21:49:54.709Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can use overlays to steal user banking credentials entered into legitimate sites.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8499ffce-1045-4a8a-9e09-ec53d535a021.json b/mobile-attack/relationship/relationship--8499ffce-1045-4a8a-9e09-ec53d535a021.json index d34d503a5f..cf83483113 100644 --- a/mobile-attack/relationship/relationship--8499ffce-1045-4a8a-9e09-ec53d535a021.json +++ b/mobile-attack/relationship/relationship--8499ffce-1045-4a8a-9e09-ec53d535a021.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a1101693-026b-4cd2-83b4-eb10d45512d7", + "id": "bundle--a93f790c-4e7e-40ff-8069-d7c7dd34c0e7", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.887Z", + "modified": "2025-04-16T21:49:54.944Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) has masqueraded as VPN and Android system apps.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4.json b/mobile-attack/relationship/relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4.json index d1216b65f6..44afecf39e 100644 --- a/mobile-attack/relationship/relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4.json +++ b/mobile-attack/relationship/relationship--84dbe7c6-421b-4bfb-b022-6c585c2e50c4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e79b952e-6f50-4624-97e3-7b09a64423d4", + "id": "bundle--50ce7e26-6b9f-4b40-a666-d77c5f263e47", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.401Z", + "modified": "2025-04-16T21:49:55.230Z", "description": "[Bouncing Golf](https://attack.mitre.org/groups/G0097) distributed malware as repackaged legitimate applications, with the malicious code in the `com.golf` package.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "intrusion-set--049cef3b-22d5-4be6-b50c-9839c7a34fdd", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0.json b/mobile-attack/relationship/relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0.json index 03c345b659..98503654aa 100644 --- a/mobile-attack/relationship/relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0.json +++ b/mobile-attack/relationship/relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0.json 
@@ -1,33 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--97b1663d-22dc-4ae2-82dc-3435ed07f324",
+ "id": "bundle--e15e5f1b-6bd8-45fe-95a4-18de094029c7",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--84ece53a-eb31-4c2e-9257-a055e0a190c0",
 "created": "2024-03-26T19:05:36.787Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
 "source_name": "fb_arid_viper",
- "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.",
- "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"
+ "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-03-26T19:05:36.787Z",
+ "modified": "2025-04-16T21:49:55.443Z",
 "description": "[Phenakite](https://attack.mitre.org/software/S1126) can download additional malware to the victim device.(Citation: fb_arid_viper) ",
 "relationship_type": "uses",
 "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691",
 "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
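Review bot: The rewritten `url` of the `fb_arid_viper` reference now embeds the archived target as `https:/about.fb.com/...`, with a single slash after the scheme, where the line it replaces had `https://about.fb.com/...`. The archive service may still normalise this, but a consumer that validates citation URLs or extracts the original target from them will likely see a malformed one. The value should keep the double slash: `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`. The other archive link rewritten in this part of the patch (`cyble_drinik_1022`) keeps `https://`, so this looks like a one-off slip rather than a format change.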
diff --git a/mobile-attack/relationship/relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c.json b/mobile-attack/relationship/relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c.json index d920357678..50c1f30991 100644 --- a/mobile-attack/relationship/relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c.json +++ b/mobile-attack/relationship/relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--a17abc55-022f-475a-a41c-eed264ca077c", + "id": "bundle--e6a68e3f-ea9a-4a4e-8912-3ccdf70f8ac2", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--850e249d-c0a1-4608-9a60-bcf9c02b741c", "created": "2024-02-21T20:53:10.203Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T20:53:10.203Z", + "modified": "2025-04-16T21:49:55.649Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s phone number, ICCID, IMEI, and the currently active network interface (Wi-Fi or cellular).(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103.json b/mobile-attack/relationship/relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103.json index 15fca66ca5..12f82753ba 100644 --- a/mobile-attack/relationship/relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103.json +++ b/mobile-attack/relationship/relationship--8570b7ef-a84d-480e-b1ca-b15f15d12103.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e40f53a6-2759-42ed-8688-257ac589c771", + "id": "bundle--7a2158ef-2887-44b7-8b13-2abe923ec4eb", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T16:58:27.974Z", + "modified": "2025-04-16T21:49:55.862Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can communicate with the command and control server using JSON payloads sent in HTTP POST request bodies. It can also communicate by using JSON messages sent through Google Cloud Messaging.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8578441b-00d2-4416-a011-380647e6ccdd.json b/mobile-attack/relationship/relationship--8578441b-00d2-4416-a011-380647e6ccdd.json index d77f306331..acad061b08 100644 --- a/mobile-attack/relationship/relationship--8578441b-00d2-4416-a011-380647e6ccdd.json +++ b/mobile-attack/relationship/relationship--8578441b-00d2-4416-a011-380647e6ccdd.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--71d01af3-0674-40df-b6fa-4056f6dac49d", + "id": "bundle--ada7e7f3-debb-451f-8b0c-17314792c0cd", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--8578441b-00d2-4416-a011-380647e6ccdd", "created": "2024-02-21T20:44:44.955Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T20:44:44.955Z", + "modified": "2025-04-16T21:49:56.064Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b.json b/mobile-attack/relationship/relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b.json index bd0b5a41f4..56a1780304 100644 --- a/mobile-attack/relationship/relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b.json +++ b/mobile-attack/relationship/relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--f543ad74-b306-41c5-81fb-735eb29779a4", + "id": "bundle--69269168-75c3-416d-8e09-285b940f5484", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b", "type": "relationship", + "id": "relationship--85c7e956-3ce5-4495-b52e-385ae2ee4f9b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], - "modified": "2019-10-09T14:51:42.845Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:56.277Z", "description": "[Charger](https://attack.mitre.org/software/S0323) checks the local settings of the device and does not run its malicious logic if the device is located in Ukraine, Russia, or Belarus.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23.json b/mobile-attack/relationship/relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23.json new file mode 100644 index 0000000000..fbe1268564 --- /dev/null +++ b/mobile-attack/relationship/relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--bfe8d953-4275-468e-a142-df002b3962a3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--85d9c54e-a434-4533-9755-aff1aeb9cc23", + "created": "2025-03-28T15:02:49.204Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:56.484Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used HTTPS POST requests for C2 communication.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02.json b/mobile-attack/relationship/relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02.json index ec500a7708..624c16742f 100644 --- a/mobile-attack/relationship/relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02.json +++ b/mobile-attack/relationship/relationship--85e0d8c5-b9d6-4a10-963a-aeb54eba4f02.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c443ab55-3430-4e47-97b0-84dc0ced937f", + "id": "bundle--aded248c-1b3c-46f4-8b52-87914098d549", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:10:26.480Z", + "modified": "2025-04-16T21:49:56.712Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) communicates with the C2 server using HTTP.(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3.json b/mobile-attack/relationship/relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3.json index 592fb7e000..73c0e57f57 100644 --- a/mobile-attack/relationship/relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3.json +++ b/mobile-attack/relationship/relationship--8611661c-04b4-4a82-9669-2d0e26b7b3f3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ed8251b3-932a-4af0-91ed-db97980a6653", + "id": "bundle--be35afcd-82b8-402d-a2c2-d5d7ce93a0b1", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:53:17.865Z", + "modified": "2025-04-16T21:49:56.912Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can disable Play Protect.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--86170d29-0e41-44d0-94b0-de7d23718302.json b/mobile-attack/relationship/relationship--86170d29-0e41-44d0-94b0-de7d23718302.json index 90d607adfe..388227019c 100644 --- a/mobile-attack/relationship/relationship--86170d29-0e41-44d0-94b0-de7d23718302.json +++ b/mobile-attack/relationship/relationship--86170d29-0e41-44d0-94b0-de7d23718302.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--f4c58ced-bba6-4362-83df-ad124a01bc9b", + "id": "bundle--7e223843-6cd7-4da8-a1d7-f376e1a6b9c7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--86170d29-0e41-44d0-94b0-de7d23718302", "created": "2022-04-05T19:42:39.957Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android 12 Features", - "url": "https://developer.android.com/about/versions/12/features", - "description": "Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022." + "description": "Google. (2022, April 4). Features and APIs Overview. Retrieved April 5, 2022.", + "url": "https://developer.android.com/about/versions/12/features" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:57.115Z", "description": "The `HIDE_OVERLAY_WINDOWS` permission was introduced in Android 12 allowing apps to hide overlay windows of type `TYPE_APPLICATION_OVERLAY` drawn by other apps with the `SYSTEM_ALERT_WINDOW` permission, preventing other applications from creating overlay windows on top of the current application.(Citation: Android 12 Features)", - "modified": "2022-04-05T19:51:47.956Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788.json b/mobile-attack/relationship/relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788.json index 059a582b41..b0d9f4d168 100644 --- a/mobile-attack/relationship/relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788.json +++ b/mobile-attack/relationship/relationship--8634a732-1c5e-4931-a24f-cdcc2f81c788.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52e22b5f-9b09-44f7-a751-17653c555e7d", + "id": "bundle--404a53e3-89f1-45be-b06a-8d168d4c7498", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:20:05.166Z", + "modified": "2025-04-16T21:49:57.345Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) deletes infected applications\u2019 update packages when they are detected on the system, preventing updates.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8.json b/mobile-attack/relationship/relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8.json index bf1d63b6ba..ed6aa4d129 100644 --- a/mobile-attack/relationship/relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8.json +++ b/mobile-attack/relationship/relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7563598e-d725-4a5b-9b8b-8e1ddf6071c0", + "id": "bundle--7c000a82-a7a8-4163-a825-5bb7fec488da", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--8650e2e8-d8bd-472d-8b9b-54befbea05b8", "created": "2022-04-05T19:49:59.027Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:57.561Z", "description": "", - "modified": "2022-04-05T19:49:59.027Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5.json b/mobile-attack/relationship/relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5.json index af18767008..e72d46c89a 100644 --- a/mobile-attack/relationship/relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5.json +++ b/mobile-attack/relationship/relationship--867b4929-20f2-47cd-9ab3-43a5a6ea98b5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00d7c251-ee2e-480f-910e-5ea99f459749", + "id": "bundle--cec49192-b100-4f9e-ae7d-ef26431507c6", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T19:11:52.875Z", + "modified": "2025-04-16T21:49:57.767Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f.json b/mobile-attack/relationship/relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f.json index 8c4a0aedf1..ea963e5287 100644 --- a/mobile-attack/relationship/relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f.json +++ b/mobile-attack/relationship/relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--2c91871b-f679-4fee-b15e-f13b49545b00", + "id": "bundle--5ee6ce4b-2e3c-4ea5-81cb-793e9aaaf77f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--86afe8cc-6d6d-4952-8fee-619e95d53a7f", "created": "2022-04-06T13:39:39.883Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:57.975Z", "description": "", - "modified": "2022-04-06T13:39:39.883Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", "target_ref": "attack-pattern--c548d8c4-a0a3-4a24-bb79-2a84abbc7b36", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3.json b/mobile-attack/relationship/relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3.json index 3194b2a6db..038a643b26 100644 --- a/mobile-attack/relationship/relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3.json +++ b/mobile-attack/relationship/relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--bf4153ab-2556-4d86-a926-292e33f94660", + "id": "bundle--3b910d89-6229-43ce-8936-1fb1aad2d7df", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3", "type": "relationship", + "id": "relationship--86e3c37c-1e4a-450c-850b-c80be8156fe3", "created": "2020-05-04T14:04:56.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", - "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", - "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], - "modified": "2020-05-04T15:40:21.081Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:58.177Z", "description": "[Bread](https://attack.mitre.org/software/S0432) collects the device\u2019s IMEI, carrier, mobile country code, and mobile network code.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--8726b157-3575-450f-bb7f-f17bb18e6aef.json b/mobile-attack/relationship/relationship--8726b157-3575-450f-bb7f-f17bb18e6aef.json index 73281aaf6a..ec9ff1cb07 100644 --- a/mobile-attack/relationship/relationship--8726b157-3575-450f-bb7f-f17bb18e6aef.json +++ b/mobile-attack/relationship/relationship--8726b157-3575-450f-bb7f-f17bb18e6aef.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--9ae106f3-313a-4fec-ad40-34f20bb3d739", + "id": "bundle--ad7ebfd4-df46-46e1-af7c-4a5f2552140d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--8726b157-3575-450f-bb7f-f17bb18e6aef", "created": "2022-03-30T20:41:43.314Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:58.380Z", "description": "New OS releases frequently contain additional limitations or controls around device location access.", - "modified": "2022-03-30T20:41:43.314Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--873b98de-d7cf-471b-9aa2-229eb03c9165.json b/mobile-attack/relationship/relationship--873b98de-d7cf-471b-9aa2-229eb03c9165.json index 7a1a20d4f5..7140b5890b 100644 --- a/mobile-attack/relationship/relationship--873b98de-d7cf-471b-9aa2-229eb03c9165.json +++ b/mobile-attack/relationship/relationship--873b98de-d7cf-471b-9aa2-229eb03c9165.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--14d75234-2292-4ee2-abba-ee2746238aaa", + "id": "bundle--db17cf8e-fb90-4a5c-a783-8db8fced45b1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--873b98de-d7cf-471b-9aa2-229eb03c9165", "type": "relationship", + "id": "relationship--873b98de-d7cf-471b-9aa2-229eb03c9165", "created": "2020-09-15T15:18:12.459Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", - "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", - "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], - "modified": "2020-09-15T15:18:12.459Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:58.581Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect device information, including OS version and device model.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--875dc21d-92c3-45bf-be37-faa44f4449bf.json b/mobile-attack/relationship/relationship--875dc21d-92c3-45bf-be37-faa44f4449bf.json index 754b86fc28..60ed2838e9 100644 --- a/mobile-attack/relationship/relationship--875dc21d-92c3-45bf-be37-faa44f4449bf.json +++ b/mobile-attack/relationship/relationship--875dc21d-92c3-45bf-be37-faa44f4449bf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--47bf618b-5b8d-4270-8b42-d567c60a6e25", + "id": "bundle--0b71013f-343f-4deb-be3b-b128cf74c8b6", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:51:44.262Z", + "modified": "2025-04-16T21:49:58.808Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect the device\u2019s contact list.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298.json b/mobile-attack/relationship/relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298.json index feae02e832..97d0e3f28e 100644 --- a/mobile-attack/relationship/relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298.json +++ b/mobile-attack/relationship/relationship--876fc8ee-aeae-4d4b-b4ce-541b432e5298.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--762fc1cd-2ff8-4211-b111-63727c1680af", + "id": "bundle--b1d06d5e-2eee-4178-8050-0b272f1ed520", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T18:06:30.456Z", + "modified": "2025-04-16T21:49:59.022Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect the device\u2019s contact list.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--886849fc-f83c-4d69-b700-bfad0def765d.json b/mobile-attack/relationship/relationship--886849fc-f83c-4d69-b700-bfad0def765d.json index bcbde52c06..31d02ba511 100644 --- a/mobile-attack/relationship/relationship--886849fc-f83c-4d69-b700-bfad0def765d.json +++ b/mobile-attack/relationship/relationship--886849fc-f83c-4d69-b700-bfad0def765d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bc214e04-9c14-431e-a60e-8264fab8de97", + "id": "bundle--a00626c3-0fec-4e23-a61b-a5a83b9ee307", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:12:27.186Z", + "modified": "2025-04-16T21:49:59.268Z", "description": "On Android, the user can manage which applications have permission to access the call log through the device settings screen, revoking the permission if necessary.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8870c211-820a-46a1-96fc-02f4e6eaec03.json b/mobile-attack/relationship/relationship--8870c211-820a-46a1-96fc-02f4e6eaec03.json index 85f39e1a9b..8a201ee75f 100644 --- a/mobile-attack/relationship/relationship--8870c211-820a-46a1-96fc-02f4e6eaec03.json +++ b/mobile-attack/relationship/relationship--8870c211-820a-46a1-96fc-02f4e6eaec03.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3b1679d7-8653-4067-8e2e-eea4bacc8871", + "id": "bundle--bdd9c3b7-4e10-4c68-a151-233fdaf118ce", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8870c211-820a-46a1-96fc-02f4e6eaec03", "type": "relationship", + "id": "relationship--8870c211-820a-46a1-96fc-02f4e6eaec03", "created": "2020-11-10T16:50:39.134Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2021-04-19T15:40:36.387Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:59.464Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has collected device network information, including 16-bit GSM Cell Identity, 16-bit Location Area Code, Mobile Country Code (MCC), and Mobile Network Code (MNC). 
[CarbonSteal](https://attack.mitre.org/software/S0529) has also called `netcfg` to get stats.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--88de8869-2b01-4702-8518-e4e78fde44d9.json b/mobile-attack/relationship/relationship--88de8869-2b01-4702-8518-e4e78fde44d9.json index c26e4aae67..71962fa5cd 100644 --- a/mobile-attack/relationship/relationship--88de8869-2b01-4702-8518-e4e78fde44d9.json +++ b/mobile-attack/relationship/relationship--88de8869-2b01-4702-8518-e4e78fde44d9.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7a1f0f8a-e787-44e2-8616-fb2aad445a4e", + "id": "bundle--fb03a90d-a5c1-4fba-8261-49dd4c8b7c5b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--88de8869-2b01-4702-8518-e4e78fde44d9", "created": "2023-07-12T20:45:18.766Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-12T20:45:18.766Z", + "modified": "2025-04-16T21:49:59.671Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--88ded3fb-759e-4e96-946b-e7148c54856e.json b/mobile-attack/relationship/relationship--88ded3fb-759e-4e96-946b-e7148c54856e.json index f2b477a46d..368e6bca17 100644 --- a/mobile-attack/relationship/relationship--88ded3fb-759e-4e96-946b-e7148c54856e.json +++ b/mobile-attack/relationship/relationship--88ded3fb-759e-4e96-946b-e7148c54856e.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--1b4ef929-0cd2-4085-9499-782001388319", + "id": "bundle--c2e68f50-cb35-424c-9def-213f09d1aa1d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--88ded3fb-759e-4e96-946b-e7148c54856e", "created": "2022-04-08T16:29:30.371Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:49:59.882Z", "description": "", - "modified": "2022-04-08T16:29:30.371Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--88e33687-e999-42c8-b46b-49d2adfa17d0.json b/mobile-attack/relationship/relationship--88e33687-e999-42c8-b46b-49d2adfa17d0.json index 90371ddd3e..792c2e9f7f 100644 --- a/mobile-attack/relationship/relationship--88e33687-e999-42c8-b46b-49d2adfa17d0.json +++ b/mobile-attack/relationship/relationship--88e33687-e999-42c8-b46b-49d2adfa17d0.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--e3cf4eb2-864c-46ba-aa58-124a3c54bffa", + "id": "bundle--e087f223-4d1d-43c3-9c41-d7c885d7a426", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--88e33687-e999-42c8-b46b-49d2adfa17d0", "created": "2022-04-01T15:02:04.528Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:00.085Z", "description": "Apple regularly provides security updates for known OS vulnerabilities. ", - "modified": "2022-04-01T15:02:04.528Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03.json b/mobile-attack/relationship/relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03.json index 709906548b..d3ec946661 100644 --- a/mobile-attack/relationship/relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03.json +++ b/mobile-attack/relationship/relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7608fc56-c4b8-4dac-9be0-c486db046653", + "id": "bundle--37de8553-7425-458f-bd23-3668806dbf6c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03", "type": "relationship", + "id": "relationship--88ea5004-8bdb-4af4-a2dc-a8c56236ff03", "created": "2020-12-17T20:15:22.449Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", - "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", - "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], - "modified": "2020-12-17T20:15:22.449Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:00.317Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device\u2019s microphone.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--891edea2-817c-4eeb-9991-b6e095c269a8.json b/mobile-attack/relationship/relationship--891edea2-817c-4eeb-9991-b6e095c269a8.json index df3f05c085..72ebd2389f 100644 --- a/mobile-attack/relationship/relationship--891edea2-817c-4eeb-9991-b6e095c269a8.json +++ b/mobile-attack/relationship/relationship--891edea2-817c-4eeb-9991-b6e095c269a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--575d63ad-5cf5-42a5-9e81-741ba432dc1d", + "id": "bundle--19757203-ddaa-43fa-b4ff-34ae6ae56a5a", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:40:06.957Z", + "modified": "2025-04-16T21:50:00.513Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can retrieve the call history.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0.json b/mobile-attack/relationship/relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0.json index ce13772219..f2952c25df 100644 --- a/mobile-attack/relationship/relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0.json +++ b/mobile-attack/relationship/relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--72f29be3-c76b-4e80-b9b7-2e26b7df5708", + "id": "bundle--33cfe1df-cb55-4a55-9284-228b152a9b87", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0", "type": "relationship", + "id": "relationship--8936c564-b11a-4c9e-a32a-76e7d7e0c8b0", "created": "2020-04-24T15:12:11.185Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-04-24T15:12:11.185Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:00.714Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) requests permissions to use the device camera.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--89565753-23c4-422d-a9ba-39f4101cd819.json b/mobile-attack/relationship/relationship--89565753-23c4-422d-a9ba-39f4101cd819.json
index eecf9a711d..4aef18f789 100644
--- a/mobile-attack/relationship/relationship--89565753-23c4-422d-a9ba-39f4101cd819.json
+++ b/mobile-attack/relationship/relationship--89565753-23c4-422d-a9ba-39f4101cd819.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d605be64-475a-4e0f-8b1d-6706789909b1", + "id": "bundle--90038bd9-a9fa-40c9-a25c-1cbcf5de7bfd", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--89565753-23c4-422d-a9ba-39f4101cd819", "type": "relationship", + "id": "relationship--89565753-23c4-422d-a9ba-39f4101cd819", "created": "2020-11-20T16:37:28.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T16:37:28.485Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:00.915Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can track the device\u2019s location.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d.json b/mobile-attack/relationship/relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d.json index d0711f02cf..d3c8537985 100644 --- a/mobile-attack/relationship/relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d.json +++ b/mobile-attack/relationship/relationship--89d0de37-87ba-4aa8-832a-a2305e658a7d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--698d4f27-a4cd-454f-bd12-dbfa80a65743", + "id": "bundle--ec370ecb-8ebe-4ad1-bfca-98e0d6064a48", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:44:32.659Z", + "modified": "2025-04-16T21:50:01.137Z", "description": "Application vetting services may be able to detect if an application attempts to encrypt files, although this may be benign behavior.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05.json b/mobile-attack/relationship/relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05.json index de7ec2e23c..a03f6710a2 100644 --- a/mobile-attack/relationship/relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05.json +++ b/mobile-attack/relationship/relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--703bf7a8-05b2-484d-88dd-e59336397c25", + "id": "bundle--b42bf51f-68e4-4587-9aea-81c39e6a864a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--89fcec02-8696-4c41-a7b1-8a75236a4c05", "created": "2024-03-26T19:03:34.834Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T19:03:34.834Z", + "modified": "2025-04-16T21:50:01.388Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can record phone calls.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
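Review bot: The new `url` of the `fb_arid_viper` reference embeds the archived target as `https:/about.fb.com/...`, with a single slash after the scheme, where the removed line had `https://about.fb.com/...`. The archive service may normalise this when the link is followed, but a strict URL parser or link checker that consumes the bundle will see a malformed embedded URL, and a citation that fails validation weakens the provenance of the technique mapping. Restore the double slash: `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`. Because these files look generated, the same collapse probably affects other objects that cite this reference, so the fix likely belongs in the export step rather than in this one file.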
diff --git a/mobile-attack/relationship/relationship--8a255d63-a770-4b9d-911c-bd906733ceef.json b/mobile-attack/relationship/relationship--8a255d63-a770-4b9d-911c-bd906733ceef.json index e365cad302..737e760da3 100644 --- a/mobile-attack/relationship/relationship--8a255d63-a770-4b9d-911c-bd906733ceef.json +++ b/mobile-attack/relationship/relationship--8a255d63-a770-4b9d-911c-bd906733ceef.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5fd9ef39-493a-46c2-8976-b12ffb168ef2", + "id": "bundle--213f4c21-6ce7-4a5f-9dec-97eb811ff1be", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:05:42.846Z", + "modified": "2025-04-16T21:50:01.599Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has C2 commands that can move the malware in and out of the foreground. (Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724.json b/mobile-attack/relationship/relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724.json index 03960fff0f..716f03fad5 100644 --- a/mobile-attack/relationship/relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724.json +++ b/mobile-attack/relationship/relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--55e6786b-7313-49da-9db8-49de3bf399ed", + "id": "bundle--4d6f7edb-aa4c-4fb3-8505-0ddc13107333", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--8a55c28d-9cdd-4b6f-91e7-bcb3b05f6724", "created": "2022-04-01T15:02:21.344Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:01.813Z", "description": "Device attestation can often detect jailbroken devices. ", - "modified": "2022-04-01T15:02:21.344Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be.json b/mobile-attack/relationship/relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be.json index 2e681e24cf..71eee3aefe 100644 --- a/mobile-attack/relationship/relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be.json +++ b/mobile-attack/relationship/relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--dfdfa791-6371-4888-b45c-5a28b6f1908d", + "id": "bundle--29fc33dd-b70a-46d4-96eb-693959f744fb", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--8a89f675-4e43-4fe1-8bbd-8e49e07d11be", "created": "2023-07-21T19:35:34.846Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:35:34.846Z", + "modified": "2025-04-16T21:50:02.027Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can access browser history and bookmarks, and can list all files and folders on the device.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3.json b/mobile-attack/relationship/relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3.json index d78758c4de..0b19070ef0 100644 --- a/mobile-attack/relationship/relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3.json +++ b/mobile-attack/relationship/relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--62d36ac2-5706-4991-ae49-73e17cd7a3d7", + "id": "bundle--5b8a1804-c7b3-4231-a224-6ebe2ebce488", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3", "type": "relationship", + "id": "relationship--8a961514-3372-4c3e-b7ee-e3d053c3d5f3", "created": "2020-09-11T14:54:16.615Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2020-09-11T14:54:16.615Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:02.265Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can record videos.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--8b27a786-b4d9-4014-a249-3725442f9f1d.json b/mobile-attack/relationship/relationship--8b27a786-b4d9-4014-a249-3725442f9f1d.json
index 44f09188c7..dc3642bdf1 100644
--- a/mobile-attack/relationship/relationship--8b27a786-b4d9-4014-a249-3725442f9f1d.json
+++ b/mobile-attack/relationship/relationship--8b27a786-b4d9-4014-a249-3725442f9f1d.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--78aa3e82-2bec-4e65-b36b-7b36ae6411f4", + "id": "bundle--db2ba9e2-11e2-4123-afcc-5ac628945c1a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8b27a786-b4d9-4014-a249-3725442f9f1d", "type": "relationship", + "id": "relationship--8b27a786-b4d9-4014-a249-3725442f9f1d", "created": "2021-01-05T20:16:20.499Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.499Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:02.471Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can obtain a list of installed applications.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9.json b/mobile-attack/relationship/relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9.json index 2b4255e042..a5e57b915c 100644 
--- a/mobile-attack/relationship/relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9.json +++ b/mobile-attack/relationship/relationship--8b2c2716-a62b-4c3a-a211-d72bb5ed29b9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f7abcc55-683c-49f7-9403-ac2bf24a0d64", + "id": "bundle--279f36a2-eb36-40b4-b826-bb8e14f96009", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:52:05.260Z", + "modified": "2025-04-16T21:50:02.696Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect the device\u2019s contact list.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8b3756f1-327a-4625-bde0-26b216ecb07a.json b/mobile-attack/relationship/relationship--8b3756f1-327a-4625-bde0-26b216ecb07a.json new file mode 100644 index 0000000000..d316fdf4fb --- /dev/null +++ b/mobile-attack/relationship/relationship--8b3756f1-327a-4625-bde0-26b216ecb07a.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--9ccf9d8d-b07b-473f-8753-f99a60b144f5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8b3756f1-327a-4625-bde0-26b216ecb07a", + "created": "2025-03-28T14:41:27.693Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:02.903Z", + "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has obtained a list of files using the `fts` API and has obtained files that match a specified regular expression.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", + "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711.json b/mobile-attack/relationship/relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711.json index 14f3e80b6d..cb4dd18b29 100644 --- a/mobile-attack/relationship/relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711.json +++ b/mobile-attack/relationship/relationship--8b3e74ad-7cc4-4ed2-84d2-c745e6997711.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3dafc49a-dbad-4be3-abbc-1325b828e5b2", + "id": "bundle--d0393d00-290c-4011-98b3-6ad8b8e026ea", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:04:59.445Z", + "modified": "2025-04-16T21:50:03.101Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_CALL_LOG` permission.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785.json b/mobile-attack/relationship/relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785.json index 2883422e67..81df35b84c 100644 --- a/mobile-attack/relationship/relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785.json +++ b/mobile-attack/relationship/relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--518d17b1-4604-4231-936c-86fb664c91ab", + "id": "bundle--002dfd92-1f13-4b06-ac55-a5d0b5bcf067", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--8b5baec3-60bf-4663-bc5c-ec9ad821c785", "created": "2024-04-03T20:10:01.390Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-03T20:10:01.390Z", + "modified": "2025-04-16T21:50:03.316Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has been distributed via malicious links in SMS messages.(Citation: CitizenLab Great iPwn)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781.json b/mobile-attack/relationship/relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781.json index d29325a7df..76bb994bb5 100644 --- a/mobile-attack/relationship/relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781.json +++ b/mobile-attack/relationship/relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--94928deb-8644-440d-941a-6a6905821b7a", + "id": "bundle--66648aa4-2b9f-4737-a707-12525c60b5df", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781", "type": "relationship", + "id": "relationship--8b66543e-2ea1-4ff7-84d9-f8f431f53781", "created": "2020-04-24T15:06:33.503Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-04-24T15:06:33.503Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:03.518Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can record MP4 files and monitor calls.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090.json b/mobile-attack/relationship/relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090.json index bd0ca5492a..4bc05303be 100644 --- a/mobile-attack/relationship/relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090.json +++ b/mobile-attack/relationship/relationship--8b8a9c44-c8a4-4f30-a3d8-a23310f6c090.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7aa88c01-e79d-46fc-82d6-53f7036b2f7b", + "id": "bundle--1d637380-c518-4d01-9483-521414320a94", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:43:56.718Z", + "modified": "2025-04-16T21:50:03.724Z", "description": "On Android 10 and later, the system shows a notification to the user when an app has been accessing device location in the background.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556.json b/mobile-attack/relationship/relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556.json index 9d102e51df..b96dc8b995 100644 --- a/mobile-attack/relationship/relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556.json +++ b/mobile-attack/relationship/relationship--8bc0abc2-a413-4c05-b2b8-2a92d9cc5556.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9af5a893-d035-4e6f-a599-9323b8e4563c", + "id": "bundle--1f3bc588-0e30-4ea9-ac41-18677c667635", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:44:31.870Z", + "modified": "2025-04-16T21:50:03.916Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is capable of hiding SuperSU's icon if it is installed and visible.(Citation: FortiGuard-FlexiSpy) [FlexiSpy](https://attack.mitre.org/software/S0408) can also hide its own icon to make detection and the uninstallation process more difficult.(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52.json b/mobile-attack/relationship/relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52.json index 09d9d6cd58..1a6d7ec925 100644 --- a/mobile-attack/relationship/relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52.json +++ b/mobile-attack/relationship/relationship--8bc21e5d-b6bb-4c93-9419-19a12061de52.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8740a8a1-65a6-427c-93dd-27bf63bdd2d5", + "id": "bundle--8237f0e1-a805-45d3-b770-b240c66ee2fd", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:19:25.438Z", + "modified": "2025-04-16T21:50:04.116Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can exfiltrate collected user data, including credentials and authorized cookies, via email.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--3e091a89-a493-4a6c-8e88-d57be19bb98d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8bcc9da8-c390-4151-b72d-30604820673e.json b/mobile-attack/relationship/relationship--8bcc9da8-c390-4151-b72d-30604820673e.json index dc32c505c7..3906f47c3c 100644 --- a/mobile-attack/relationship/relationship--8bcc9da8-c390-4151-b72d-30604820673e.json +++ b/mobile-attack/relationship/relationship--8bcc9da8-c390-4151-b72d-30604820673e.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c78cec00-48da-4d53-b21a-5d062cb4d59b", + "id": "bundle--5f2a8815-065f-4f2d-8fbc-5b1b56055bef", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--8bcc9da8-c390-4151-b72d-30604820673e", "created": "2023-08-04T19:05:04.644Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T19:05:04.644Z", + "modified": "2025-04-16T21:50:04.323Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can search for installed applications such as WhatsApp.(Citation: lookout_hornbill_sunbird_0221) ", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8c034c66-18ad-4b30-9f17-ed574c10918f.json b/mobile-attack/relationship/relationship--8c034c66-18ad-4b30-9f17-ed574c10918f.json index 494606bc8a..57d10b35a6 100644 --- a/mobile-attack/relationship/relationship--8c034c66-18ad-4b30-9f17-ed574c10918f.json +++ b/mobile-attack/relationship/relationship--8c034c66-18ad-4b30-9f17-ed574c10918f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7a316248-1332-4ea1-a87e-a47d7b2b23e7", + "id": "bundle--f2d137f1-b0c1-4909-b448-f14b4e693550", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:08:44.242Z", + "modified": "2025-04-16T21:50:04.534Z", "description": "The user can view permissions granted to an application in device settings. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91.json b/mobile-attack/relationship/relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91.json index e891bc2f16..7263a8f1e6 100644 --- a/mobile-attack/relationship/relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91.json +++ b/mobile-attack/relationship/relationship--8c3296f6-3520-4d1b-8b57-bdd48a5aac91.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c42c2d81-1e1b-4d4d-8e10-bd5faef3054c", + "id": "bundle--79179fe4-51ca-49fa-b9dc-e7d22ddf4027", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:48:00.045Z", + "modified": "2025-04-16T21:50:04.767Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has registered several broadcast receivers.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8c50e9e7-e13c-4814-98d0-088d73b10005.json b/mobile-attack/relationship/relationship--8c50e9e7-e13c-4814-98d0-088d73b10005.json index b96eee4e00..90168fa2ff 100644 --- a/mobile-attack/relationship/relationship--8c50e9e7-e13c-4814-98d0-088d73b10005.json +++ b/mobile-attack/relationship/relationship--8c50e9e7-e13c-4814-98d0-088d73b10005.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--cc77078e-4ea7-4766-9468-9427ccddab5a", + "id": "bundle--a4977f13-7c78-4cf0-a1ba-3beaa80c3f3a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--8c50e9e7-e13c-4814-98d0-088d73b10005", "created": "2023-03-03T16:21:24.531Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:21:24.531Z", + "modified": "2025-04-16T21:50:04.996Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has modified Safari\u2019s default search engine, bookmarked websites, opened pages, and accessed contacts and authorization tokens of the IM program \u201cQQ\u201d on infected devices.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8c656539-aa1e-42db-9016-d38f1daaae16.json b/mobile-attack/relationship/relationship--8c656539-aa1e-42db-9016-d38f1daaae16.json index a875935bc4..84383552bc 100644 --- a/mobile-attack/relationship/relationship--8c656539-aa1e-42db-9016-d38f1daaae16.json +++ b/mobile-attack/relationship/relationship--8c656539-aa1e-42db-9016-d38f1daaae16.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04b4c235-938d-4d2d-a701-41bee483784a", + "id": "bundle--49b87d75-2f72-4f46-9a2c-b192128aef8a", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:06:05.822Z", + "modified": "2025-04-16T21:50:05.220Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can collect user SMS messages.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8c7598a6-6046-491d-99a7-52c31974a9a9.json b/mobile-attack/relationship/relationship--8c7598a6-6046-491d-99a7-52c31974a9a9.json index 39573635b2..d9ddeb1202 100644 --- a/mobile-attack/relationship/relationship--8c7598a6-6046-491d-99a7-52c31974a9a9.json +++ b/mobile-attack/relationship/relationship--8c7598a6-6046-491d-99a7-52c31974a9a9.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e647c66-b8d2-473c-96fb-2e37f3bf452a", + "id": "bundle--db85bfb6-bb11-448f-9758-776ed3d113ac", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:36:24.934Z", + "modified": "2025-04-16T21:50:05.426Z", "description": "Application vetting services could look for misuse of dynamic libraries.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e.json b/mobile-attack/relationship/relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e.json index 652eb05cb1..62ad53de20 100644 --- a/mobile-attack/relationship/relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e.json +++ b/mobile-attack/relationship/relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0e892fe0-f31e-46a5-b6f6-0cb111b2872e", + "id": "bundle--8cee3853-5fe5-414b-9583-b971607cef19", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e", "type": "relationship", + "id": "relationship--8c8ce536-d9b5-4dfc-93f1-84c4f222b49e", "created": "2021-01-05T20:16:20.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.512Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:05.648Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can check the device\u2019s battery status.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b.json b/mobile-attack/relationship/relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b.json index 23820e2a61..20cdff3de4 100644 --- a/mobile-attack/relationship/relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b.json 
+++ b/mobile-attack/relationship/relationship--8c9dbc53-27d2-420c-b698-98c23a7ead2b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--beb00c9d-1053-4a91-97d9-3ef1b191222d", + "id": "bundle--ac3d6010-bcc3-4c49-9e96-c5881a2df98e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:36:55.810Z", + "modified": "2025-04-16T21:50:05.862Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can delete copies of itself if additional APKs are downloaded to external storage.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1.json b/mobile-attack/relationship/relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1.json index f72b97301e..c5b7d18da9 100644 --- a/mobile-attack/relationship/relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1.json +++ b/mobile-attack/relationship/relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--59cd91b3-b8ce-4cbb-a2a4-0f97c4819a12", + "id": "bundle--6e377552-be23-4803-b1aa-42c0127b8951", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--8cb42e3d-69f4-4b0d-98c9-0bb7560947c1", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "TrendMicro-RCSAndroid", - "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", - "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016." + "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. 
Retrieved December 22, 2016.", + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:06.069Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can use SMS for command and control.(Citation: TrendMicro-RCSAndroid)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8d027310-93a0-4046-b7ad-d1f461f30838.json b/mobile-attack/relationship/relationship--8d027310-93a0-4046-b7ad-d1f461f30838.json index 255fa5a94b..0b34fde841 100644 --- a/mobile-attack/relationship/relationship--8d027310-93a0-4046-b7ad-d1f461f30838.json +++ b/mobile-attack/relationship/relationship--8d027310-93a0-4046-b7ad-d1f461f30838.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--bff4917c-dea0-4d24-9f68-ff8271f95d1a", + "id": "bundle--4d3d7750-d1b4-49fe-8eff-414d09ee6103", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838", "type": "relationship", + "id": "relationship--8d027310-93a0-4046-b7ad-d1f461f30838", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", - "source_name": "TrendMicro-RCSAndroid" + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], - "modified": "2019-08-09T17:53:48.783Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:06.267Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) has the ability to dynamically download and execute new code at runtime.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9.json b/mobile-attack/relationship/relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9.json index dfb459de3e..361eebfa38 100644 --- a/mobile-attack/relationship/relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9.json +++ b/mobile-attack/relationship/relationship--8d3ca04e-867f-4274-bc61-f18c0282a0a9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--238a842f-d231-4f34-9f72-82b37d810b0c", + "id": "bundle--abf13598-ae12-4621-8562-70d91c5b6a98", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-26T12:53:15.952Z", + "modified": "2025-04-16T21:50:06.485Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate a device's contacts.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b.json b/mobile-attack/relationship/relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b.json index aabcb45467..3e6c452eef 100644 --- a/mobile-attack/relationship/relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b.json +++ b/mobile-attack/relationship/relationship--8d71e646-74d1-4d62-8989-2ad4ddf7a67b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75817953-894b-4aea-bba7-e95f24bd5c9c", + "id": "bundle--008911a0-edb8-4948-8f9a-eec0f14adcf1", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-30T15:13:44.210Z", + "modified": "2025-04-16T21:50:06.715Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has code to encrypt device data with AES.(Citation: cleafy_sova_1122)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--d9e88203-2b5d-405f-a406-2933b1e3d7e4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803.json b/mobile-attack/relationship/relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803.json index 0ca4d72293..73b18db5af 100644 --- a/mobile-attack/relationship/relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803.json +++ b/mobile-attack/relationship/relationship--8d72c224-0cf5-4b9b-a98a-76ee3a406803.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c952d24e-9a6d-4a51-b68d-57858c82a1d7", + "id": "bundle--0a083994-fbcf-4abd-ba93-341758de5157", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:20:37.796Z", + "modified": "2025-04-16T21:50:06.920Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can obtain a list of installed applications.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8dc4b237-e466-4a3d-9d28-896f1389996d.json b/mobile-attack/relationship/relationship--8dc4b237-e466-4a3d-9d28-896f1389996d.json new file mode 100644 index 0000000000..5b170a083b --- /dev/null +++ b/mobile-attack/relationship/relationship--8dc4b237-e466-4a3d-9d28-896f1389996d.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--3e67cae2-4606-448e-b05f-9424906e9ef0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--8dc4b237-e466-4a3d-9d28-896f1389996d", + "created": "2025-02-12T15:22:36.181Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:07.134Z", + "description": "The OS may show a notification to the user that the SIM card has been transferred to another device.", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b.json b/mobile-attack/relationship/relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b.json index 4f448ec5c2..61bc1cbca0 100644 --- a/mobile-attack/relationship/relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b.json +++ b/mobile-attack/relationship/relationship--8e67f2e0-65da-4d27-9d41-e2f9a174331b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a30723e3-97e2-42b6-ac75-c1599897f5c4", + "id": "bundle--9f8880fa-29dd-47de-bd26-af8845bd0ee2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.186Z", + "modified": "2025-04-16T21:50:07.387Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) has masqueraded as \u201cAdobe Flash Player\u201d and \u201cGoogle Play Verificator\u201d.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de.json b/mobile-attack/relationship/relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de.json index aeafd9944b..8d18846d9f 100644 --- a/mobile-attack/relationship/relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de.json +++ b/mobile-attack/relationship/relationship--8e6b9c1e-5e28-4519-95c3-6b4a836661de.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1c8c835f-34db-4323-8bac-902a03c8ec0f", + "id": "bundle--44f1cd01-8f7e-47c0-93a4-a0cb8ecebf94", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:07:34.581Z", + "modified": "2025-04-16T21:50:07.599Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has used custom encryption to hide strings, potentially to evade antivirus products.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8ea39534-6fe9-404c-94b7-0f320af95404.json b/mobile-attack/relationship/relationship--8ea39534-6fe9-404c-94b7-0f320af95404.json index 4f630aca91..c4a10bc25c 100644 --- a/mobile-attack/relationship/relationship--8ea39534-6fe9-404c-94b7-0f320af95404.json +++ b/mobile-attack/relationship/relationship--8ea39534-6fe9-404c-94b7-0f320af95404.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b1d20654-abe6-4432-b56e-a254cf9f59c0", + "id": "bundle--547fb3c6-287a-4906-bf51-148de8479a40", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--8ea39534-6fe9-404c-94b7-0f320af95404", "created": "2022-04-01T15:17:21.511Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:07.834Z", "description": "", - "modified": "2022-04-01T15:17:21.511Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--77e30eee-fd48-40b4-99ec-73e97c158b58", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc.json b/mobile-attack/relationship/relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc.json index 1bac58c728..6f09f122b7 100644 --- a/mobile-attack/relationship/relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc.json +++ b/mobile-attack/relationship/relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--cd89a40e-92f4-42de-8055-70a3b2a23213", + "id": "bundle--b493c0fd-e4d6-400b-87d6-bac9af09a621", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc", "type": "relationship", + "id": "relationship--8ec03f4c-5ed8-4c25-956c-3ee6c777a5cc", "created": "2019-09-23T13:36:08.441Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "source_name": "securelist rotexy 2018" + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], - "modified": "2019-09-23T13:36:08.441Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:08.025Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) retrieves a list of installed applications and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3.json b/mobile-attack/relationship/relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3.json index 85b7a2af6c..385b74ef75 100644 
--- a/mobile-attack/relationship/relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3.json +++ b/mobile-attack/relationship/relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--bdd26692-368d-4a3b-84b2-cc252b2b28ad", + "id": "bundle--b11e15b5-b213-4b96-8346-be84466d828d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3", "type": "relationship", + "id": "relationship--8ed14c81-0b30-4bfc-8552-439aa0e920c3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:08.264Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted location information.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8f142643-0448-4b04-8260-8e4e62ad80bb.json b/mobile-attack/relationship/relationship--8f142643-0448-4b04-8260-8e4e62ad80bb.json index 9ae4b8b469..f72090f6b6 100644 --- a/mobile-attack/relationship/relationship--8f142643-0448-4b04-8260-8e4e62ad80bb.json +++ b/mobile-attack/relationship/relationship--8f142643-0448-4b04-8260-8e4e62ad80bb.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1df5ca7-fc8a-4650-bfdc-b0dac54e462f", + "id": "bundle--54865390-61af-4ded-843c-81c66c9afa02", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-26T12:54:48.541Z", + "modified": "2025-04-16T21:50:08.467Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can download adversary specified content from FTP shares.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8.json b/mobile-attack/relationship/relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8.json index d8e76b73b2..962518ea61 100644 --- a/mobile-attack/relationship/relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8.json +++ b/mobile-attack/relationship/relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8.json 
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--b75b4b02-9de8-4ce6-a8e2-ed0cbcaad320", + "id": "bundle--e92f4885-8afa-42ba-883b-e2f8b14e874b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--8f22a4ce-f075-4343-acb0-1d45c56e91e8", "created": "2022-03-30T18:06:21.355Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Symantec-iOSProfile2", - "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles", - "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018." + "description": "Brian Duckering. (2017, March 27). Apple iOS 10.3 Finally Battles Malicious Profiles. Retrieved September 24, 2018.", + "url": "https://www.symantec.com/connect/blogs/apple-ios-103-finally-battles-malicious-profiles" }, { "source_name": "Android-TrustedCA", - "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html", - "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018." + "description": "Chad Brubaker. (2016, July 7). Changes to Trusted Certificate Authorities in Android Nougat. Retrieved September 24, 2018.", + "url": "https://android-developers.googleblog.com/2016/07/changes-to-trusted-certificate.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:08.676Z", "description": "Mobile OSes have implemented measures to make it more difficult to trick users into installing untrusted certificates and configurations. 
iOS 10.3 and higher add an additional step for users to install new trusted CA certificates and configuration profiles. On Android, apps that target compatibility with Android 7 and higher (API Level 24) default to only trusting CA certificates that are bundled with the operating system, not CA certificates that are added by the user or administrator, hence decreasing their susceptibility to successful adversary-in-the-middle attack.(Citation: Symantec-iOSProfile2)(Citation: Android-TrustedCA)", - "modified": "2022-03-30T18:06:21.355Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8f2929a9-cd25-4e07-b402-447da68aaa56.json b/mobile-attack/relationship/relationship--8f2929a9-cd25-4e07-b402-447da68aaa56.json index 49e78f2ce0..30beadc879 100644 --- a/mobile-attack/relationship/relationship--8f2929a9-cd25-4e07-b402-447da68aaa56.json +++ b/mobile-attack/relationship/relationship--8f2929a9-cd25-4e07-b402-447da68aaa56.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--be0ea1ac-d87d-423f-aa0e-09f1ede054ca", + "id": "bundle--6ce6c2b8-6495-48bc-bce0-182703bd1685", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:10:43.246Z", + "modified": "2025-04-16T21:50:08.908Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) communicates with the C2 server using HTTP requests.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc.json b/mobile-attack/relationship/relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc.json index 74586a3069..1136e3d962 100644 --- a/mobile-attack/relationship/relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc.json +++ b/mobile-attack/relationship/relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--244a35d6-64ed-4e96-966f-9397565b2186", + "id": "bundle--41f6e053-719f-4b93-acf5-aeed196b9880", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc", "type": "relationship", + "id": "relationship--8f2ff9c5-249d-4a9a-bdc6-0cef887eaefc", "created": "2020-07-15T20:20:59.298Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.298Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:09.110Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) obfuscates its hardcoded C2 URLs.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68.json b/mobile-attack/relationship/relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68.json index 0b88ddff9e..f365701731 100644 --- a/mobile-attack/relationship/relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68.json +++ b/mobile-attack/relationship/relationship--8f4c7030-f3e2-4c7d-b5b1-dc6815055c68.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa8b6f70-95c0-450c-9094-76ad83774f9f", + "id": "bundle--a6e86a74-bfa8-4b42-a658-b7ea8b00f6b2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T19:07:51.438Z", + "modified": "2025-04-16T21:50:09.324Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect voice notes and messages from WhatsApp, if installed.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57.json b/mobile-attack/relationship/relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57.json index 7529ef8ff9..69a61020b0 100644 --- a/mobile-attack/relationship/relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57.json +++ b/mobile-attack/relationship/relationship--8f52e1ab-284e-4d0c-bae1-3a8544a22f57.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d5604752-01bc-4650-b671-289efc8c4671", + "id": "bundle--894bba62-757f-4475-a34d-c23690c0e02e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:22:41.797Z", + "modified": "2025-04-16T21:50:09.522Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can wipe the device.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3.json b/mobile-attack/relationship/relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3.json index d53fe5cc4c..7be9315e4b 100644 --- a/mobile-attack/relationship/relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3.json +++ b/mobile-attack/relationship/relationship--8f72a070-cfcb-4d75-ace6-b4427f3ba8d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c8c5e632-f5a2-47c7-b79d-272b164f0438", + "id": "bundle--45d05837-ac54-4b4c-a8a3-bec8d730709f", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.111Z", + "modified": "2025-04-16T21:50:09.727Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can steal the device\u2019s contact list.(Citation: Cofense Anubis) ", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5.json b/mobile-attack/relationship/relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5.json index 4ff7d50667..71fd51f3ef 100644 --- a/mobile-attack/relationship/relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5.json +++ b/mobile-attack/relationship/relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--86d05168-6755-4c03-8ed1-b6257df83f95", + "id": "bundle--7ede0cc1-f67b-4663-a877-6dc2e3891665", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5", "type": "relationship", + "id": "relationship--8f88d438-3150-4317-b1fe-b14f13c15ac5", "created": "2019-09-03T19:45:48.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-10-14T16:47:53.197Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:09.937Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can record audio from the compromised device's microphone and can record call audio in 3GP format.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9.json b/mobile-attack/relationship/relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9.json index 9e2e2d5fa3..9f17f57d97 100644 --- a/mobile-attack/relationship/relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9.json +++ b/mobile-attack/relationship/relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--3b8c69c8-4ee9-4009-b0f5-4137b4c7f15b", + "id": "bundle--76d820af-2192-4383-ac08-6750209d3121", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--8fd05d96-552d-4ef9-98e3-ea70dc84f6a9", "created": "2022-03-30T14:26:02.359Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android Changes to System Broadcasts", - "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts", - "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020." + "description": "Google. (2019, December 27). Broadcasts Overview. Retrieved January 27, 2020.", + "url": "https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:10.145Z", "description": "Android 8 introduced additional limitations on the implicit intents that an application can register for.(Citation: Android Changes to System Broadcasts) ", - "modified": "2022-03-30T14:26:02.359Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--8ff45341-60d6-40d3-bb38-566814a466f9.json b/mobile-attack/relationship/relationship--8ff45341-60d6-40d3-bb38-566814a466f9.json index 45fe0eaab5..8a9e322850 100644 --- a/mobile-attack/relationship/relationship--8ff45341-60d6-40d3-bb38-566814a466f9.json +++ b/mobile-attack/relationship/relationship--8ff45341-60d6-40d3-bb38-566814a466f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--80301c9e-7afd-4648-84f7-8e2c030e4b16", + "id": "bundle--e4e9529f-e3f5-42e7-8d11-62e0cebb59fc", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:51:31.121Z", + "modified": "2025-04-16T21:50:10.390Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can perform primitive emulation checks.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--901492b5-b074-4631-ad6e-4178caa4164a.json b/mobile-attack/relationship/relationship--901492b5-b074-4631-ad6e-4178caa4164a.json index 05b1bbf683..e9f83cfe26 100644 --- a/mobile-attack/relationship/relationship--901492b5-b074-4631-ad6e-4178caa4164a.json +++ b/mobile-attack/relationship/relationship--901492b5-b074-4631-ad6e-4178caa4164a.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ff65fbf9-9a95-4e86-8498-5fde061b9ec8", + "id": "bundle--b156a3f6-ce86-407c-8be0-87707c3debbf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--901492b5-b074-4631-ad6e-4178caa4164a", "type": "relationship", + "id": "relationship--901492b5-b074-4631-ad6e-4178caa4164a", "created": "2020-12-24T22:04:28.017Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:28.017Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:10.590Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has recorded calls and environment audio in .amr format.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a.json b/mobile-attack/relationship/relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a.json index 416b552b0f..1a74348103 100644 --- a/mobile-attack/relationship/relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a.json +++ b/mobile-attack/relationship/relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--46a04fd9-42bf-46cb-bf67-b5b990109ce5", + "id": "bundle--3be11476-6bed-4155-a9bd-9d7d6f64390a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--907db911-b39c-4230-b6ad-a0ba5ef6926a", "created": "2023-09-28T17:39:24.890Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:39:24.890Z", + "modified": "2025-04-16T21:50:10.815Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect device geolocation data.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--90d4d964-efa2-46ac-adc2-759886e07158.json b/mobile-attack/relationship/relationship--90d4d964-efa2-46ac-adc2-759886e07158.json index 2112e39e9b..de4885d089 100644 --- a/mobile-attack/relationship/relationship--90d4d964-efa2-46ac-adc2-759886e07158.json +++ b/mobile-attack/relationship/relationship--90d4d964-efa2-46ac-adc2-759886e07158.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--93a43820-b0f3-4f4d-bb9c-4367f89fc2f4", + "id": "bundle--de13ffc3-c04f-4dd6-abf4-9f9ac9c753a5", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:11:02.157Z", + "modified": "2025-04-16T21:50:11.016Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used HTTPS for C2 communication.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861.json b/mobile-attack/relationship/relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861.json index 70b8255d6b..b781311247 100644 --- a/mobile-attack/relationship/relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861.json +++ b/mobile-attack/relationship/relationship--90d58c65-acb9-4d7b-89b9-f4b35593c861.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e2be7e5-0c92-4729-9ee7-2fd2d266071f", + "id": "bundle--e7da9eb9-c791-4156-812a-daf729d1a771", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:06:46.369Z", + "modified": "2025-04-16T21:50:11.383Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included SMS message exfiltration in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4.json b/mobile-attack/relationship/relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4.json new file mode 100644 index 0000000000..85b515b9c2 --- /dev/null +++ b/mobile-attack/relationship/relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--c16ecc86-515e-4f3f-b1ab-b10b168c4fbd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--90e76d57-90b2-4d5d-8928-f6e6f5414bd4", + "created": "2025-03-24T17:56:46.563Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FirshSecureList LightSpy 2020", + "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", + "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" + }, + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:11.602Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has delivered malicious links through Telegram channels and Instagram posts.(Citation: FirshSecureList LightSpy 2020)(Citation: Shoshin_Kaspersky LightSpy 2020) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e.json b/mobile-attack/relationship/relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e.json index b22b2c2481..6011679022 100644 --- a/mobile-attack/relationship/relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e.json 
+++ b/mobile-attack/relationship/relationship--910009da-65c0-4e6a-aeb2-386c643d1c0e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ab11ace7-5e76-4c19-849b-d47d3a87bd09", + "id": "bundle--8be63b5e-7825-4e55-82c2-3d25c750c853", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:24:53.701Z", + "modified": "2025-04-16T21:50:11.803Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures SMS data.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--91831379-b0da-4019-a7bb-17e53cda9d0b.json b/mobile-attack/relationship/relationship--91831379-b0da-4019-a7bb-17e53cda9d0b.json index 1f64ef3822..5f9f3abdd6 100644 --- a/mobile-attack/relationship/relationship--91831379-b0da-4019-a7bb-17e53cda9d0b.json +++ b/mobile-attack/relationship/relationship--91831379-b0da-4019-a7bb-17e53cda9d0b.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0296cab6-59c4-4dba-bb05-44e5921e72f0", + "id": "bundle--f28f0d2d-f129-4a97-bc36-01da4f37c110", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--91831379-b0da-4019-a7bb-17e53cda9d0b", "type": "relationship", + "id": "relationship--91831379-b0da-4019-a7bb-17e53cda9d0b", "created": "2020-12-31T18:25:05.131Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], - "modified": "2020-12-31T18:25:05.131Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:12.002Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has utilized native code to decrypt its malicious payload.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--919a13bc-74be-4660-af63-454abee92635.json b/mobile-attack/relationship/relationship--919a13bc-74be-4660-af63-454abee92635.json index 4ac06d94f8..3c9d7a44f1 100644 
--- a/mobile-attack/relationship/relationship--919a13bc-74be-4660-af63-454abee92635.json +++ b/mobile-attack/relationship/relationship--919a13bc-74be-4660-af63-454abee92635.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3352046b-116e-4126-832b-db97e9c48918", + "id": "bundle--a4e8b42c-8f3f-4f3b-bda7-8296a88c8f09", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--919a13bc-74be-4660-af63-454abee92635", "type": "relationship", + "id": "relationship--919a13bc-74be-4660-af63-454abee92635", "created": "2019-03-11T15:13:40.408Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "TrendMicro-Anserver2", "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.", - "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A", - "source_name": "TrendMicro-Anserver2" + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A" } ], - "modified": "2019-08-05T20:05:25.571Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:12.223Z", "description": "\n[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device IMEI and IMSI.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--91a4924f-2519-4662-91f2-b7ef715a459f.json b/mobile-attack/relationship/relationship--91a4924f-2519-4662-91f2-b7ef715a459f.json index b736552a95..af9124e156 100644 --- a/mobile-attack/relationship/relationship--91a4924f-2519-4662-91f2-b7ef715a459f.json +++ b/mobile-attack/relationship/relationship--91a4924f-2519-4662-91f2-b7ef715a459f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cb1ce306-eca8-4e1d-8808-0868f614fce5", + "id": "bundle--b9f96b5c-98be-4224-bd06-500fc61c38a4", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T17:10:20.748Z", + "modified": "2025-04-16T21:50:12.427Z", "description": "Application vetting can detect many techniques associated with impairing device defenses.(Citation: Samsung Knox Mobile Threat Defense)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd.json b/mobile-attack/relationship/relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd.json new file mode 100644 index 0000000000..948f27a51b --- /dev/null +++ b/mobile-attack/relationship/relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--de69180a-dbfe-4302-abf5-7f99a0304848", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--91dd9ddf-185f-496d-a20f-88c66476cfdd", + "created": "2025-03-12T22:10:30.974Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Promon FjordPhantom Oct2024", + "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", + "url": "https://promon.io/security-news/fjordphantom-android-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:12.618Z", + "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has masqueraded as legitimate banking applications.(Citation: Promon FjordPhantom Oct2024) ", + "relationship_type": "uses", + "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", + "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27.json b/mobile-attack/relationship/relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27.json index f4a2429fcd..8209e936ce 100644 --- a/mobile-attack/relationship/relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27.json +++ b/mobile-attack/relationship/relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27.json 
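Review bot: The new `Promon FjordPhantom Oct2024` entry in `external_references` has a `description` with no report title: `Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.` The other citations in this commit carry author, date, title and retrieval date, so anyone matching this reference against the source report has only the URL to go on. I would fill it in as `"description": "Promon Security Research Team. (2024, October 1). <REPORT TITLE>. Retrieved February 19, 2025."`, taking the title from the linked page. The relationship's own `description` also ends with a stray space after the citation marker, which could be trimmed.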
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--68a69a5c-353a-4502-9a8e-4f5aa227ae20", + "id": "bundle--a0aede79-0522-470f-937d-2ca908b3c5ad", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27", "type": "relationship", + "id": "relationship--91de92af-fe1d-469e-8c36-1a9f4b621a27", "created": "2020-07-20T13:27:33.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-08-10T21:57:54.704Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:12.812Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489)\u2019s code is obfuscated.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63.json b/mobile-attack/relationship/relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63.json new file mode 100644 index 0000000000..17a6cb4df1 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--c966f0df-9bb7-4f93-a86c-8f69c8b88e42", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--91fa8232-f987-415b-8cb4-1ff3302a6c63", + "created": "2025-03-27T22:37:35.890Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Europol FluBot Jun2022", + "description": "Europol. (2022, June 1). Takedown of SMS-based FluBot spyware infecting Android phones. Retrieved April 18, 2024.", + "url": "https://www.europol.europa.eu/media-press/newsroom/news/takedown-of-sms-based-flubot-spyware-infecting-android-phones" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:13.011Z", + "description": "[FluBot](https://attack.mitre.org/software/S1067) has been distributed via malicious links in SMS messages.(Citation: Europol FluBot Jun2022) ", + "relationship_type": "uses", + "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", + "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--92129d5b-7822-4e84-8a69-f96b598fba9e.json b/mobile-attack/relationship/relationship--92129d5b-7822-4e84-8a69-f96b598fba9e.json index 51acdfc4e2..af266c6ef6 100644 --- a/mobile-attack/relationship/relationship--92129d5b-7822-4e84-8a69-f96b598fba9e.json +++ b/mobile-attack/relationship/relationship--92129d5b-7822-4e84-8a69-f96b598fba9e.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--c5e55223-a45b-48c0-a9bb-d569587df2b2", + "id": "bundle--cd23e1a0-324a-4200-9b42-f9ee4c157430", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e", "type": "relationship", + "id": "relationship--92129d5b-7822-4e84-8a69-f96b598fba9e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-10-10T15:27:22.175Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:13.225Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses databases from WhatsApp, Viber, Skype, and Line.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--922fa6eb-7274-477c-821e-ae6684c08934.json b/mobile-attack/relationship/relationship--922fa6eb-7274-477c-821e-ae6684c08934.json index 39b598fbf2..e19b090c8c 100644 --- a/mobile-attack/relationship/relationship--922fa6eb-7274-477c-821e-ae6684c08934.json +++ b/mobile-attack/relationship/relationship--922fa6eb-7274-477c-821e-ae6684c08934.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9a24e076-293a-48fa-aa0f-1d5280c16b6e", + "id": "bundle--7e28b144-223b-471e-b106-720d826725a2", "spec_version": "2.0", "objects": [ { @@ -12,22 +12,21 @@ "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-17T16:33:17.876Z", + "modified": "2025-04-16T21:50:13.424Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) has used phishing sites for iCloud and Facebook if either of those were used for authentication during the chat sign up process.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea.json b/mobile-attack/relationship/relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea.json index 4992753ea5..997d981dc2 100644 
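Review bot: The rewritten `url` of the `fb_arid_viper` reference (second hunk, `@@ -12,22 +12,21 @@`) now embeds `https:/about.fb.com/...` with a single slash after the scheme, where the removed line had `https://about.fb.com/...`. The archive may still resolve the link, but tooling that validates `external_references` URLs or extracts the archived target from them will see a malformed URL. I would keep the previous form, `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`. If the slash was collapsed by the export tooling rather than by hand, other web.archive.org references in this release are probably affected too and worth checking.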
--- a/mobile-attack/relationship/relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea.json +++ b/mobile-attack/relationship/relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--0d4059f1-f60d-4804-a576-469daa5267d1", + "id": "bundle--02f71aae-a9be-468e-975b-6dc1d6caeb01", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--92879f0e-d1db-4407-9cc6-c1dbcc47caea", "created": "2019-10-18T14:52:53.193Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Device attestation could detect devices with unauthorized or unsafe modifications. ", - "modified": "2022-03-30T20:07:50.094Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:13.614Z", + "description": "Device attestation could detect devices with unauthorized or unsafe modifications. ", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb.json b/mobile-attack/relationship/relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb.json index adc52d7536..78d822ad12 100644 --- a/mobile-attack/relationship/relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb.json 
+++ b/mobile-attack/relationship/relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6df99822-c905-41a3-8059-89989c99cedb", + "id": "bundle--d8c74ad3-3041-4ae6-8af1-68e66b43b110", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb", "type": "relationship", + "id": "relationship--92c9106d-a71b-4a4f-a9d4-ef692a0294eb", "created": "2020-06-26T14:55:13.261Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], - "modified": "2020-06-26T14:55:13.261Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:13.803Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can collect system information such as OS version, device vendor, and the type of screen lock that is active on the device.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--92cc4942-453e-49af-bc04-18cb99493b73.json b/mobile-attack/relationship/relationship--92cc4942-453e-49af-bc04-18cb99493b73.json new file mode 100644 index 0000000000..df9cae76fa --- /dev/null +++ b/mobile-attack/relationship/relationship--92cc4942-453e-49af-bc04-18cb99493b73.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--fd9615ba-0bba-413e-b38d-458698156583", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--92cc4942-453e-49af-bc04-18cb99493b73", + "created": "2025-03-28T15:13:08.761Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:14.000Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have collected and exfiltrated SMS messages.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0.json b/mobile-attack/relationship/relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0.json index de056d0ca8..d2f355e84b 100644 
--- a/mobile-attack/relationship/relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0.json +++ b/mobile-attack/relationship/relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--fb6eacfd-3f5d-4b8a-90fc-05cc2ed490d0", + "id": "bundle--cedafece-197d-49fe-85e2-7fcb90b97f99", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--93395e61-0d3e-4ea6-9c1b-08d4a04005a0", "created": "2019-08-07T15:57:13.453Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Kaspersky Riltok June 2019", - "url": "https://securelist.com/mobile-banker-riltok/91374/", - "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019." + "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.", + "url": "https://securelist.com/mobile-banker-riltok/91374/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:14.228Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can open a fake Google Play screen requesting bank card credentials and mimic the screen of relevant mobile banking apps to request user/bank card details.(Citation: Kaspersky Riltok June 2019)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline 
at end of file diff --git a/mobile-attack/relationship/relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f.json b/mobile-attack/relationship/relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f.json index e1c4131848..cc9ac206e7 100644 --- a/mobile-attack/relationship/relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f.json +++ b/mobile-attack/relationship/relationship--935d2296-2a9d-42dd-af8c-2d8873dd7e8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ec19248-6a48-4dd4-9604-558d6f54cf04", + "id": "bundle--eba0f4a5-15bb-4b1f-a3db-ee1153a6e3ff", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T21:39:42.031Z", + "modified": "2025-04-16T21:50:14.420Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to modify permissions on a rooted device and tried to disable the SecurityLogAgent application.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f.json b/mobile-attack/relationship/relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f.json index 3be44b92e4..be0b391d8a 100644 --- a/mobile-attack/relationship/relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f.json +++ b/mobile-attack/relationship/relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--7e695307-4029-4d46-a961-02aadea3d2f8", + "id": "bundle--10c928d3-d986-4722-9d59-5852fd902586", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--935fd3e3-dd47-4c43-bdd8-1668af26395f", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "PaloAlto-SpyDealer", - "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", - "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018." + "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:14.651Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) enables remote control of the victim through SMS channels.(Citation: PaloAlto-SpyDealer)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c.json b/mobile-attack/relationship/relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c.json index acefb6fc7b..33fa13e187 100644 --- a/mobile-attack/relationship/relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c.json +++ b/mobile-attack/relationship/relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c8c4f92c-57fe-4b7f-b179-7c267ac84f78", + "id": "bundle--b98998f7-a846-4699-b170-8bb6b683ce79", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c", "type": "relationship", + "id": "relationship--9366529d-fba9-4ef6-b4ee-b6b41aa3b18c", "created": "2019-07-10T15:35:43.631Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", - "source_name": "Lookout Dark Caracal Jan 2018" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-08-09T18:06:11.741Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:14.846Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) queries the device for metadata, such as device ID, OS version, and the number of cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--9373912a-affa-4a3c-ad97-1b8311e228ee.json b/mobile-attack/relationship/relationship--9373912a-affa-4a3c-ad97-1b8311e228ee.json index 3b597fbc0f..f53d9324b1 100644 --- a/mobile-attack/relationship/relationship--9373912a-affa-4a3c-ad97-1b8311e228ee.json +++ b/mobile-attack/relationship/relationship--9373912a-affa-4a3c-ad97-1b8311e228ee.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0c0e631e-e1a6-4b5c-87e7-a31d7e00cb90", + "id": "bundle--ac3db017-ef6c-4faf-a31d-e61dd7d6700f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9373912a-affa-4a3c-ad97-1b8311e228ee", "type": "relationship", + "id": "relationship--9373912a-affa-4a3c-ad97-1b8311e228ee", "created": "2019-09-04T14:28:15.991Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2019-09-04T14:32:12.803Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:15.041Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9398bf9d-be77-4ac2-acea-893152cafd16.json b/mobile-attack/relationship/relationship--9398bf9d-be77-4ac2-acea-893152cafd16.json index 2ed0672119..e8605e81ac 100644 
--- a/mobile-attack/relationship/relationship--9398bf9d-be77-4ac2-acea-893152cafd16.json +++ b/mobile-attack/relationship/relationship--9398bf9d-be77-4ac2-acea-893152cafd16.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--871c937e-d523-4bf8-a4f1-475a437388b5", + "id": "bundle--11a14249-2d4b-4d86-b611-358850ed4c34", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--9398bf9d-be77-4ac2-acea-893152cafd16", "created": "2022-03-30T14:43:46.034Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:15.255Z", "description": "", - "modified": "2022-03-30T14:43:46.034Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--bd4d32f5-eed4-4018-a649-40b229dd1d69", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016.json b/mobile-attack/relationship/relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016.json index 947038bf6c..926827610e 100644 --- a/mobile-attack/relationship/relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016.json +++ b/mobile-attack/relationship/relationship--93b2474b-0ba6-469e-a4e8-d17a41d0d016.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--491a91c3-4406-4912-9887-dc2bb84ce4ff", + "id": "bundle--9e4f7509-fc82-4035-81c2-35fa22b69c58", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:28:29.839Z", + "modified": "2025-04-16T21:50:15.458Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.(Citation: Xiao-KeyRaider)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--93b6bf37-5614-4317-8ed7-42f098152c40.json b/mobile-attack/relationship/relationship--93b6bf37-5614-4317-8ed7-42f098152c40.json index e9235a987f..1b43b51504 100644 --- a/mobile-attack/relationship/relationship--93b6bf37-5614-4317-8ed7-42f098152c40.json +++ b/mobile-attack/relationship/relationship--93b6bf37-5614-4317-8ed7-42f098152c40.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6c0d6f2-660e-4e74-8f72-e19afaa61bee", + "id": "bundle--ef3acdca-6d98-4c97-ba6c-f81a7fc8ff74", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:10:38.672Z", + "modified": "2025-04-16T21:50:15.670Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use a SOCKS proxy to evade C2 IP detection.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--93c16b23-305c-418d-9792-6e44525ed85a.json b/mobile-attack/relationship/relationship--93c16b23-305c-418d-9792-6e44525ed85a.json index 00fff87dc5..50aa950f59 100644 --- a/mobile-attack/relationship/relationship--93c16b23-305c-418d-9792-6e44525ed85a.json +++ b/mobile-attack/relationship/relationship--93c16b23-305c-418d-9792-6e44525ed85a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--8a1361ed-09ab-49fb-ba36-b11734b59eb3", + "id": "bundle--e35c39f7-1742-4ab4-9ae0-6c9882876bdf", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--93c16b23-305c-418d-9792-6e44525ed85a", "created": "2024-04-02T19:14:26.097Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-02T19:14:26.097Z", + "modified": "2025-04-16T21:50:15.862Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can access a device\u2019s location.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--93c20f43-6684-471c-910f-d9577f289677.json b/mobile-attack/relationship/relationship--93c20f43-6684-471c-910f-d9577f289677.json index 9ede19a210..1bac503bcf 100644 --- a/mobile-attack/relationship/relationship--93c20f43-6684-471c-910f-d9577f289677.json +++ b/mobile-attack/relationship/relationship--93c20f43-6684-471c-910f-d9577f289677.json 
@@ -1,33 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--e932400e-0660-4c9a-a330-7a5afab46e5c",
+ "id": "bundle--ced7fe45-6821-4163-b015-cfc76f0d9efd",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--93c20f43-6684-471c-910f-d9577f289677",
 "created": "2018-10-17T00:14:20.652Z",
- "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "Lookout-StealthMango",
- "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf",
- "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018."
+ "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.",
+ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf"
 }
 ],
- "x_mitre_deprecated": false,
- "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:16.045Z",
 "description": "In at least one case, [Stealth Mango](https://attack.mitre.org/software/S0328) may have been installed using physical access to the device by a repair shop.(Citation: Lookout-StealthMango)",
- "modified": "2022-04-19T15:47:05.436Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "relationship_type": "uses",
 "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c",
 "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d.json b/mobile-attack/relationship/relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d.json
index 097bcbc129..7a7d60104b 100644
--- a/mobile-attack/relationship/relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d.json
+++ b/mobile-attack/relationship/relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d.json
@@ -1,14 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--77aceeca-f68e-4832-95f8-b81e97041094",
+ "id": "bundle--de710d61-197b-452f-9e5d-c8d802a7928f",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d",
 "type": "relationship",
+ "id": "relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
@@ -18,13 +15,16 @@
 "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf"
 }
 ],
- "modified": "2018-10-17T00:14:20.652Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:16.258Z",
 "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) update and sends the location of the phone.(Citation: Lookout-Pegasus)",
 "relationship_type": "uses",
 "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
 "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
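Review bot: The rewritten object in relationship--94040d2e-3f60-423c-8a93-a83b61cafe7d.json gains `x_mitre_attack_spec_version` but still carries neither `revoked` nor `x_mitre_deprecated`, while sibling files in this commit (for example relationship--93c20f43-6684-471c-910f-d9577f289677.json) now state both explicitly as `false`. A consumer that filters with a strict comparison on those keys, rather than treating an absent key as false, could silently drop this Pegasus for iOS mapping from coverage or detection reporting. If the export is meant to be uniform, add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` after `x_mitre_modified_by_ref`; the same applies to the sections for relationship--950e1476, relationship--95bf4e8b, relationship--9634001c and relationship--96490f73. New-file lines 12–14 fall between the two hunks and are not shown, but they sit inside `external_references`, so the omission is not hidden there.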
diff --git a/mobile-attack/relationship/relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a.json b/mobile-attack/relationship/relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a.json
index d5b371fcb5..ca4a19fd4c 100644
--- a/mobile-attack/relationship/relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a.json
+++ b/mobile-attack/relationship/relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--a6d53cba-2996-4995-b825-c537e3580ee0",
+ "id": "bundle--4d38bc86-9f78-4519-98b3-c9d2d41845d5",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--9424ebbb-d375-4bfa-96f9-a24d00dfbd6a",
 "created": "2024-03-29T15:05:34.232Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-03-29T15:05:34.232Z",
+ "modified": "2025-04-16T21:50:16.448Z",
 "description": "Certain enterprise policies can be applied to prevent users from adding certificates to the device and to prevent applications from being able to install their own certificates. ",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee",
 "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9432fabf-9487-469c-86c9-b9d26b013c85.json b/mobile-attack/relationship/relationship--9432fabf-9487-469c-86c9-b9d26b013c85.json
index 73cd1da78a..2134923ad5 100644
--- a/mobile-attack/relationship/relationship--9432fabf-9487-469c-86c9-b9d26b013c85.json
+++ b/mobile-attack/relationship/relationship--9432fabf-9487-469c-86c9-b9d26b013c85.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--aa1a9e60-e836-4428-b3c6-9f9f9b5671e5",
+ "id": "bundle--6d324a8a-a708-47c5-9148-70d9e9f286f8",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--9432fabf-9487-469c-86c9-b9d26b013c85",
 "created": "2022-04-01T13:13:10.587Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:16.672Z",
 "description": "Call Log access an uncommonly needed permission, so users should be instructedto use extra scrutiny when granting access to their call logs. ",
- "modified": "2022-04-01T13:13:10.587Z",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
 "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348.json b/mobile-attack/relationship/relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348.json
index c35bb94241..98cbe447b7 100644
--- a/mobile-attack/relationship/relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348.json
+++ b/mobile-attack/relationship/relationship--945db15a-b356-4e05-a6a0-9b24ca9aa348.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--f0bcaef5-87cf-4a37-bec1-42dc79ee34b5",
+ "id": "bundle--439f7e26-e682-433c-9c62-d343059a8185",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,22 +12,21 @@
 "external_references": [
 {
 "source_name": "Wandera-RedDrop",
- "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
- "url": "https://www.wandera.com/reddrop-malware/"
+ "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"
 }
 ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T20:40:15.440Z",
+ "modified": "2025-04-16T21:50:16.854Z",
 "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses standard HTTP for exfiltration.(Citation: Wandera-RedDrop)",
 "relationship_type": "uses",
 "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
 "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f.json b/mobile-attack/relationship/relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f.json
index 154449511f..8aee4773f7 100644
--- a/mobile-attack/relationship/relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f.json
+++ b/mobile-attack/relationship/relationship--947e2398-4565-4ae0-8cc2-fb0ef5f9c73f.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--32c7b13b-f9b3-4dd6-bcdb-3c8736fbc2f2",
+ "id": "bundle--65e29642-5930-4f9c-824a-0cf9ccd8c8ef",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T21:21:03.081Z",
+ "modified": "2025-04-16T21:50:17.054Z",
 "description": "[Dvmap](https://attack.mitre.org/software/S0420) can enable installation of apps from unknown sources.(Citation: SecureList DVMap June 2017)",
 "relationship_type": "uses",
 "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514",
 "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4.json b/mobile-attack/relationship/relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4.json
index a21e801ff3..46adbdb682 100644
--- a/mobile-attack/relationship/relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4.json
+++ b/mobile-attack/relationship/relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--14c1f99d-ef1f-49b4-a8d4-4c6564ebb77a",
+ "id": "bundle--dda7c615-b5f9-4ebf-9bbb-b79c71828543",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--94bf07c4-3bf0-4ecc-8043-644e59fb9ec4",
 "created": "2022-03-28T19:30:27.364Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:17.261Z",
 "description": "Security updates may contain patches to integrity checking mechanisms that can detect unauthorized hardware modifications.",
- "modified": "2022-03-28T19:30:27.364Z",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
 "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f.json b/mobile-attack/relationship/relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f.json
index 6f6c9ebb3f..76fcd7747d 100644
--- a/mobile-attack/relationship/relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f.json
+++ b/mobile-attack/relationship/relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--75cf750f-829f-42d9-aeb3-3138b4e5b7fc",
+ "id": "bundle--19b0d0b0-12e3-4d6e-a5b1-f3b867f689e0",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--94e111fa-81d1-4882-ae73-4d6ad6367b9f",
 "created": "2022-03-28T19:25:38.355Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:17.452Z",
 "description": "Security updates may contain patches that inhibit system software compromises.",
- "modified": "2022-03-28T19:25:38.355Z",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
 "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--950e1476-83ca-4e81-b542-c91a19b206d7.json b/mobile-attack/relationship/relationship--950e1476-83ca-4e81-b542-c91a19b206d7.json
index 3af461004d..988ad792aa 100644
--- a/mobile-attack/relationship/relationship--950e1476-83ca-4e81-b542-c91a19b206d7.json
+++ b/mobile-attack/relationship/relationship--950e1476-83ca-4e81-b542-c91a19b206d7.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--364d1e12-766c-4e5b-9dad-a995b71130f9",
+ "id": "bundle--5a5aef41-16e5-4315-a538-16845262b444",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--950e1476-83ca-4e81-b542-c91a19b206d7",
 "type": "relationship",
+ "id": "relationship--950e1476-83ca-4e81-b542-c91a19b206d7",
 "created": "2020-04-24T17:46:31.466Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "SecurityIntelligence TrickMo",
- "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/",
- "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020."
+ "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.",
+ "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/"
 }
 ],
- "modified": "2020-04-24T17:46:31.466Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:17.671Z",
 "description": "[TrickMo](https://attack.mitre.org/software/S0427) can collect device information such as network operator, model, brand, and OS version.(Citation: SecurityIntelligence TrickMo)",
 "relationship_type": "uses",
 "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a",
 "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19.json b/mobile-attack/relationship/relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19.json
new file mode 100644
index 0000000000..893a0fab58
--- /dev/null
+++ b/mobile-attack/relationship/relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--762118b0-2a22-4193-affe-83c1f819ffe1",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--9557dc5c-272d-46ba-bd39-0ac2be35df19",
+ "created": "2024-04-02T19:42:50.418Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "welivesecurity_apt-c-23",
+ "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.",
+ "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:17.876Z",
+ "description": "[SpyC23](https://attack.mitre.org/software/S1195) has disabled play protect.(Citation: welivesecurity_apt-c-23)",
+ "relationship_type": "uses",
+ "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807",
+ "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--95725b00-f40e-4a3a-af2a-92156595cd37.json b/mobile-attack/relationship/relationship--95725b00-f40e-4a3a-af2a-92156595cd37.json
index 2b2fcce26b..536a34d03b 100644
--- a/mobile-attack/relationship/relationship--95725b00-f40e-4a3a-af2a-92156595cd37.json
+++ b/mobile-attack/relationship/relationship--95725b00-f40e-4a3a-af2a-92156595cd37.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ab86223d-389a-478a-b404-3043fd0bc7ac",
+ "id": "bundle--1f5975f7-1085-40c8-84f0-001c295b9b44",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-04-03T20:12:37.698Z",
+ "modified": "2025-04-16T21:50:18.077Z",
 "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has used zero-day iMessage exploits for initial access.(Citation: CitizenLab Great iPwn)",
 "relationship_type": "uses",
 "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a",
 "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--95bf4e8b-f388-48a0-b236-c2077252e71e.json b/mobile-attack/relationship/relationship--95bf4e8b-f388-48a0-b236-c2077252e71e.json
index b416cd08eb..9fde3c2580 100644
--- a/mobile-attack/relationship/relationship--95bf4e8b-f388-48a0-b236-c2077252e71e.json
+++ b/mobile-attack/relationship/relationship--95bf4e8b-f388-48a0-b236-c2077252e71e.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--0c8eafd1-c6c6-4abb-b7fb-b304d58ea2de",
+ "id": "bundle--b0a885f6-1753-49ca-8c9b-e79d5af7eeaa",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--95bf4e8b-f388-48a0-b236-c2077252e71e",
 "type": "relationship",
+ "id": "relationship--95bf4e8b-f388-48a0-b236-c2077252e71e",
 "created": "2019-09-03T20:08:00.757Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
+ "source_name": "Talos Gustuff Apr 2019",
 "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.",
- "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html",
- "source_name": "Talos Gustuff Apr 2019"
+ "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html"
 }
 ],
- "modified": "2019-09-15T15:35:33.380Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:18.330Z",
 "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers the device IMEI to send to the command and control server.(Citation: Talos Gustuff Apr 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617",
 "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--95fec5e4-d48a-471f-8223-711cd32659b8.json b/mobile-attack/relationship/relationship--95fec5e4-d48a-471f-8223-711cd32659b8.json
index 2c46b204de..ec52ef1b2c 100644
--- a/mobile-attack/relationship/relationship--95fec5e4-d48a-471f-8223-711cd32659b8.json
+++ b/mobile-attack/relationship/relationship--95fec5e4-d48a-471f-8223-711cd32659b8.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--3aacf243-37e7-4139-9775-0b20df18b395",
+ "id": "bundle--e0b1d342-b88a-4b4f-ac30-b8ab6da1e5b1",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--95fec5e4-d48a-471f-8223-711cd32659b8",
 "created": "2022-04-01T18:49:51.050Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:18.519Z",
 "description": "",
- "modified": "2022-04-01T18:49:51.050Z",
 "relationship_type": "revoked-by",
 "source_ref": "attack-pattern--9d7c32f4-ab39-49dc-8055-8106bc2294a1",
 "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--96298aed-9e9f-4836-b29b-04c88e79e53e.json b/mobile-attack/relationship/relationship--96298aed-9e9f-4836-b29b-04c88e79e53e.json
index 52fb700705..f9749840fb 100644
--- a/mobile-attack/relationship/relationship--96298aed-9e9f-4836-b29b-04c88e79e53e.json
+++ b/mobile-attack/relationship/relationship--96298aed-9e9f-4836-b29b-04c88e79e53e.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--b952e369-8cc1-4d52-a996-3e4b106944d4",
+ "id": "bundle--fb96967f-11fa-4480-b4df-73eb4cf6e388",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--96298aed-9e9f-4836-b29b-04c88e79e53e",
 "created": "2022-04-01T18:42:37.987Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:18.713Z",
 "description": "Security updates often contain patches for vulnerabilities that could be exploited for root access. Root access is often a requirement to impairing defenses.",
- "modified": "2022-04-01T18:42:37.987Z",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d",
 "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b.json b/mobile-attack/relationship/relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b.json
index b024851e9d..c15a4d8d99 100644
--- a/mobile-attack/relationship/relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b.json
+++ b/mobile-attack/relationship/relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--a3c1c8e2-6211-4e12-a938-c5223f08b850",
+ "id": "bundle--85bc5339-efd2-467e-9a5c-749743d24d54",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b",
 "type": "relationship",
+ "id": "relationship--9634001c-575b-47aa-acd2-c3b1e900bd0b",
 "created": "2020-12-17T20:15:22.397Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Palo Alto HenBox",
- "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/",
- "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019."
+ "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"
 }
 ],
- "modified": "2020-12-17T20:15:22.397Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:18.907Z",
 "description": "[HenBox](https://attack.mitre.org/software/S0544) can steal data from various sources, including chat, communication, and social media apps.(Citation: Palo Alto HenBox)",
 "relationship_type": "uses",
 "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4",
 "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--96475ee5-39ed-46c5-85f6-f08462875a9e.json b/mobile-attack/relationship/relationship--96475ee5-39ed-46c5-85f6-f08462875a9e.json
index 1a46211e57..240e74e9d6 100644
--- a/mobile-attack/relationship/relationship--96475ee5-39ed-46c5-85f6-f08462875a9e.json
+++ b/mobile-attack/relationship/relationship--96475ee5-39ed-46c5-85f6-f08462875a9e.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--ef159f46-bda5-4a29-a6dd-b7d272562e11",
+ "id": "bundle--73e75a76-7363-4c43-9a0e-79cd367d84ba",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--96475ee5-39ed-46c5-85f6-f08462875a9e",
 "created": "2024-03-26T18:43:39.910Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-03-26T18:43:39.910Z",
+ "modified": "2025-04-16T21:50:19.140Z",
 "description": "",
 "relationship_type": "uses",
 "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394",
 "target_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306.json b/mobile-attack/relationship/relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306.json
index ae55895e4e..ac1c179a38 100644
--- a/mobile-attack/relationship/relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306.json
+++ b/mobile-attack/relationship/relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--c4adfe07-1822-4182-b3a4-65bfd2b517e6",
+ "id": "bundle--d38f417c-1100-44bb-a454-d5d35b560855",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306",
 "type": "relationship",
+ "id": "relationship--96490f73-d8ef-4c6b-9a3a-3c66fc963306",
 "created": "2020-05-07T15:33:32.778Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "CheckPoint Agent Smith",
- "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/",
- "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020."
+ "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.",
+ "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/"
 }
 ],
- "modified": "2020-05-07T15:33:32.778Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:19.372Z",
 "description": "[Agent Smith](https://attack.mitre.org/software/S0440) exploits known OS vulnerabilities, including Janus, to replace legitimate applications with malicious versions.(Citation: CheckPoint Agent Smith)",
 "relationship_type": "uses",
 "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637",
 "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--96569099-db95-4f3c-8ded-6d9cf023e55e.json b/mobile-attack/relationship/relationship--96569099-db95-4f3c-8ded-6d9cf023e55e.json
index 3648f110c8..14423d37ab 100644
--- a/mobile-attack/relationship/relationship--96569099-db95-4f3c-8ded-6d9cf023e55e.json
+++ b/mobile-attack/relationship/relationship--96569099-db95-4f3c-8ded-6d9cf023e55e.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--4227ecaf-aa4c-4aaa-bc6c-777ca231fa30", + "id": "bundle--e20952ef-eba3-4d6e-a3c7-767854ac1144", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--96569099-db95-4f3c-8ded-6d9cf023e55e", "created": "2019-09-03T20:08:00.717Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Talos Gustuff Apr 2019", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:19.557Z", "description": " [Gustuff](https://attack.mitre.org/software/S0406) can use SMS for command and control from a defined admin phone number.(Citation: Talos Gustuff Apr 2019) ", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31.json b/mobile-attack/relationship/relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31.json index 910f85d353..dba1cd5421 100644 --- a/mobile-attack/relationship/relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31.json +++ b/mobile-attack/relationship/relationship--96ec33c8-78b6-421f-bab3-bd9d0564db31.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--319f1666-596f-4a46-a278-d63039e4d172", + "id": "bundle--48ae4695-b1e0-4661-9b12-a4219752c42c", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-30T18:39:16.003Z", + "modified": "2025-04-16T21:50:19.772Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--97158eda-5092-4939-8b5c-1ef5ab918089.json b/mobile-attack/relationship/relationship--97158eda-5092-4939-8b5c-1ef5ab918089.json index 11ca2b139b..ce20c1e0be 100644 --- a/mobile-attack/relationship/relationship--97158eda-5092-4939-8b5c-1ef5ab918089.json +++ b/mobile-attack/relationship/relationship--97158eda-5092-4939-8b5c-1ef5ab918089.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--fb9f970b-b4dd-43b9-9df6-293965199e70", + "id": "bundle--1e63db44-176b-40fc-a1a7-e93f05bc044e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--97158eda-5092-4939-8b5c-1ef5ab918089", "type": "relationship", + "id": "relationship--97158eda-5092-4939-8b5c-1ef5ab918089", "created": "2020-04-24T15:12:11.189Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-04-24T15:12:11.189Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:19.968Z", "description": "[Concipit1248](https://attack.mitre.org/software/S0426) can collect device photos.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--89c3dbf6-f281-41b7-be1d-a0e641014853", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf.json b/mobile-attack/relationship/relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf.json index 473d109a97..34111e2ba2 100644 --- a/mobile-attack/relationship/relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf.json +++ b/mobile-attack/relationship/relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--2b70f15f-a6e6-4f56-b6af-1e1c53e4d16f", + "id": "bundle--7ab3078e-c812-41af-9d4c-37e3f86a0f15", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf", "type": "relationship", + "id": "relationship--972f0703-f4d7-42d2-8ca2-bec175dac0bf", "created": "2020-09-11T14:54:16.617Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2020-09-11T14:54:16.617Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:20.171Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can collect account information stored on the device.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--97408547-bacd-4308-a8be-556e9ff04951.json b/mobile-attack/relationship/relationship--97408547-bacd-4308-a8be-556e9ff04951.json index 163f8a724f..daee7c15f9 100644 --- a/mobile-attack/relationship/relationship--97408547-bacd-4308-a8be-556e9ff04951.json +++ b/mobile-attack/relationship/relationship--97408547-bacd-4308-a8be-556e9ff04951.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--52b46bdf-4dff-4912-8c7b-2030cb658e67", + "id": "bundle--33511e96-d35e-47e2-9f6c-e4a256b737ff", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T16:43:16.137Z", + "modified": "2025-04-16T21:50:20.364Z", "description": "Mobile security products can typically detect rooted devices, which is an indication that Process Discovery is possible. Application vetting could potentially detect when applications attempt to abuse root access or root the system itself. Further, application vetting services could look for attempted usage of legacy process discovery mechanisms, such as the usage of `ps` or inspection of the `/proc` directory.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--97417113-1840-4e00-98d3-bb222e1a1f60.json b/mobile-attack/relationship/relationship--97417113-1840-4e00-98d3-bb222e1a1f60.json index 080cb24780..b22b67291e 100644 
--- a/mobile-attack/relationship/relationship--97417113-1840-4e00-98d3-bb222e1a1f60.json +++ b/mobile-attack/relationship/relationship--97417113-1840-4e00-98d3-bb222e1a1f60.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--17d31ab2-ee40-4b28-801c-71efba9925b4", + "id": "bundle--c260bd98-95d7-4775-b1a6-29e7983c894f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--97417113-1840-4e00-98d3-bb222e1a1f60", "type": "relationship", + "id": "relationship--97417113-1840-4e00-98d3-bb222e1a1f60", "created": "2020-07-27T14:14:56.980Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", - "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", - "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], - "modified": "2020-08-10T22:18:20.815Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:20.558Z", "description": "[Zen](https://attack.mitre.org/software/S0494) base64 encodes one of the strings it searches for.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--97738857-d496-4d39-9809-1921e0ad10b7.json b/mobile-attack/relationship/relationship--97738857-d496-4d39-9809-1921e0ad10b7.json index faa2128926..9074459887 100644 --- a/mobile-attack/relationship/relationship--97738857-d496-4d39-9809-1921e0ad10b7.json +++ b/mobile-attack/relationship/relationship--97738857-d496-4d39-9809-1921e0ad10b7.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c41164b3-5f8f-450c-be2f-14d4256674a7", + "id": "bundle--a1e6144d-e663-4b22-87d4-5dcae3fa2b48", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--97738857-d496-4d39-9809-1921e0ad10b7", "type": "relationship", + "id": "relationship--97738857-d496-4d39-9809-1921e0ad10b7", "created": "2020-12-31T18:25:05.125Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], - "modified": "2020-12-31T18:25:05.125Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:20.757Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can collect files from the filesystem and account information from Google Chrome.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--980430c1-6173-440e-b75e-c1cdb4c41560.json b/mobile-attack/relationship/relationship--980430c1-6173-440e-b75e-c1cdb4c41560.json index 36159cace2..4081d80d0b 100644 
--- a/mobile-attack/relationship/relationship--980430c1-6173-440e-b75e-c1cdb4c41560.json +++ b/mobile-attack/relationship/relationship--980430c1-6173-440e-b75e-c1cdb4c41560.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--7399fbaf-c61d-4fba-bf07-ae4e1fe0b927", + "id": "bundle--3338db23-50cf-4741-8da0-ce95c6ecc568", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--980430c1-6173-440e-b75e-c1cdb4c41560", "created": "2023-09-28T17:40:16.985Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:40:16.985Z", + "modified": "2025-04-16T21:50:20.946Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can use HTTP to exfiltrate data to the C2 server.(Citation: Zimperium FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f.json b/mobile-attack/relationship/relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f.json index 1720e66db9..d25a3e01a7 100644 --- a/mobile-attack/relationship/relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f.json +++ b/mobile-attack/relationship/relationship--980c49f8-d991-4e1f-8feb-6173e3dfca1f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fc81553e-92ad-464d-a819-33818d4bbef6", + "id": "bundle--31043652-f4f3-4edd-8534-bd69229efa84", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T16:16:47.577Z", + "modified": "2025-04-16T21:50:21.130Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) captures SMS messages.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39.json b/mobile-attack/relationship/relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39.json index a78c6c40b9..bdf41e1d29 100644 --- a/mobile-attack/relationship/relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39.json +++ b/mobile-attack/relationship/relationship--9814ecd5-911a-4776-9dc0-4a4ae0bf6a39.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--354f593e-07cf-4e48-a023-fd453b6a77b1", + "id": "bundle--eb27bef5-0084-4568-a913-92bcc046977e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.111Z", + "modified": "2025-04-16T21:50:21.364Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can take screenshots.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9819974c-f093-482b-8b2b-93a05ab7382e.json b/mobile-attack/relationship/relationship--9819974c-f093-482b-8b2b-93a05ab7382e.json index 63985d8023..20333b926f 100644 --- a/mobile-attack/relationship/relationship--9819974c-f093-482b-8b2b-93a05ab7382e.json +++ b/mobile-attack/relationship/relationship--9819974c-f093-482b-8b2b-93a05ab7382e.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--b8a488f5-b3a9-47d8-8c1a-62d044c9db56", + "id": "bundle--463cb77f-9554-4e49-bd36-615c09deb164", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--9819974c-f093-482b-8b2b-93a05ab7382e", "created": "2023-08-04T18:31:48.507Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:31:48.507Z", + "modified": "2025-04-16T21:50:21.571Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate browser history, BlackBerry Messenger files, IMO instant messaging content, and WhatsApp voice notes.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--98360714-5239-442f-9619-d562b4b7ce76.json b/mobile-attack/relationship/relationship--98360714-5239-442f-9619-d562b4b7ce76.json index 584045bd57..ddcaba25a7 100644 --- a/mobile-attack/relationship/relationship--98360714-5239-442f-9619-d562b4b7ce76.json +++ b/mobile-attack/relationship/relationship--98360714-5239-442f-9619-d562b4b7ce76.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b699006b-3aea-48f9-a6dc-6cd228fbc10e", + "id": "bundle--968882e2-531b-453b-b6f1-5c3d7f0b9faf", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-16T15:55:55.477Z", + "modified": "2025-04-16T21:50:21.765Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) can steal data from a user\u2019s WhatsApp account(s).(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3.json b/mobile-attack/relationship/relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3.json index 33cdbd5df2..ded4215488 100644 --- a/mobile-attack/relationship/relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3.json +++ b/mobile-attack/relationship/relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--589c34a0-b546-48f2-97db-369d0eda07ac", + "id": "bundle--cb25ff10-8aae-4195-abf9-e26fdf69d5a1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--9858ae0b-140b-4dd2-8ba9-1ef22183dec3", "created": "2021-02-08T16:36:20.788Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:21.988Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included keylogging capabilities as part of Operation ROCK.(Citation: BlackBerry Bahamut)", - "modified": "2022-04-15T17:35:26.197Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--98632824-9fe4-4992-aafe-31c5eac66ec1.json b/mobile-attack/relationship/relationship--98632824-9fe4-4992-aafe-31c5eac66ec1.json index 91afa5b9ca..794f347ebc 100644 --- a/mobile-attack/relationship/relationship--98632824-9fe4-4992-aafe-31c5eac66ec1.json +++ b/mobile-attack/relationship/relationship--98632824-9fe4-4992-aafe-31c5eac66ec1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c117b32-c005-4c0c-8143-e172f63ccd2d", + "id": "bundle--c28589e5-0653-4bc4-a936-6cc86fe16601", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-16T15:47:55.600Z", + "modified": "2025-04-16T21:50:22.220Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has exfiltrated data to the C2 server using HTTP requests.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e.json b/mobile-attack/relationship/relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e.json index 2945318f85..5b2a440fa5 100644 --- a/mobile-attack/relationship/relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e.json +++ b/mobile-attack/relationship/relationship--98a4a746-e7bf-494c-9ee3-584403d76d3e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--832d228e-6a34-4555-a95c-72fdbe402997", + "id": "bundle--df7f418d-7e17-4c6f-bab2-20f6bbb8d281", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:12:45.147Z", + "modified": "2025-04-16T21:50:22.408Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use HTTP POST requests on port 80 for communicating with its C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--98ae9cb2-1141-48c6-81fd-f16adb430031.json b/mobile-attack/relationship/relationship--98ae9cb2-1141-48c6-81fd-f16adb430031.json index 36a76996b3..5b5961ee02 100644 --- a/mobile-attack/relationship/relationship--98ae9cb2-1141-48c6-81fd-f16adb430031.json +++ b/mobile-attack/relationship/relationship--98ae9cb2-1141-48c6-81fd-f16adb430031.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d07ce6be-408a-4eac-8f2d-3077aa81ba39", + "id": "bundle--d46530c0-93b2-40ac-8a09-aefcbaf98fb5", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:07:52.850Z", + "modified": "2025-04-16T21:50:22.600Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can request the `READ_EXTERNAL_STORAGE` and `WRITE_EXTERNAL_STORAGE` Android permissions.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9.json b/mobile-attack/relationship/relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9.json index d4937d15fa..0b054f3492 100644 --- a/mobile-attack/relationship/relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9.json +++ b/mobile-attack/relationship/relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f8c6b735-e803-434a-ac64-f3d996be0999", + "id": "bundle--2aca620c-0c69-4c74-9a7b-c934c309f000", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--98aee077-156a-4d11-94fe-b5b7c4945ff9", "created": "2023-12-18T18:17:36.795Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -23,16 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:17:36.796Z", + "modified": "2025-04-16T21:50:22.823Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has masqueraded as legitimate WhatsApp updates and app security scanners.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--98b14660-79e1-4244-99c2-3dedd84eb68d.json b/mobile-attack/relationship/relationship--98b14660-79e1-4244-99c2-3dedd84eb68d.json index 6f2d90cbd3..3885e60b43 100644 --- a/mobile-attack/relationship/relationship--98b14660-79e1-4244-99c2-3dedd84eb68d.json +++ b/mobile-attack/relationship/relationship--98b14660-79e1-4244-99c2-3dedd84eb68d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--045aa205-2413-4c63-9a1d-5c32b4efe2c1", + "id": "bundle--88cb809d-6a8f-479d-bc2b-b93a924ce4f0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--98b14660-79e1-4244-99c2-3dedd84eb68d", "type": "relationship", + "id": "relationship--98b14660-79e1-4244-99c2-3dedd84eb68d", "created": "2020-09-11T14:54:16.582Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2020-09-11T14:54:16.582Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:23.044Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can track the device\u2019s location.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a.json b/mobile-attack/relationship/relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a.json index 32f2cc6230..6c051bc167 100644 --- a/mobile-attack/relationship/relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a.json +++ b/mobile-attack/relationship/relationship--98dec4bf-6753-4d7a-8983-d4fd6d1d892a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d327b89-dbb8-44bd-b91d-1221eba38377", + "id": "bundle--8734d54a-bff9-4eb5-99b4-8a701a7c8aea", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:52:20.309Z", + "modified": "2025-04-16T21:50:23.271Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect the device\u2019s contact list.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--98fb2884-c912-42ff-9c87-4fbabfa70115.json b/mobile-attack/relationship/relationship--98fb2884-c912-42ff-9c87-4fbabfa70115.json index 33ec5e257f..b3c5e61f37 100644 --- a/mobile-attack/relationship/relationship--98fb2884-c912-42ff-9c87-4fbabfa70115.json +++ b/mobile-attack/relationship/relationship--98fb2884-c912-42ff-9c87-4fbabfa70115.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--6c1f3cb0-368c-43c7-b32d-54986a67193c", + "id": "bundle--b1ddf501-f3c7-408c-bdcc-6711f1d4878d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--98fb2884-c912-42ff-9c87-4fbabfa70115", "created": "2023-08-08T16:14:01.661Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:14:01.661Z", + "modified": "2025-04-16T21:50:23.460Z", "description": "Application vetting services may potentially determine if an application contains suspicious code and/or metadata.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07.json b/mobile-attack/relationship/relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07.json index 91c0197304..0d97057a04 100644 --- a/mobile-attack/relationship/relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07.json +++ b/mobile-attack/relationship/relationship--99011840-f920-44d1-82f9-a6ff0d4f8c07.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--970347bc-d3b6-4f2e-8896-76ade0a33051", + "id": "bundle--139f2998-4598-4c8b-8787-edb07e01f7e0", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-16T16:35:49.743Z", + "modified": "2025-04-16T21:50:23.677Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can collect device metadata.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4.json b/mobile-attack/relationship/relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4.json index b5521d33cf..dea2ca2e8a 100644 --- a/mobile-attack/relationship/relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4.json +++ b/mobile-attack/relationship/relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4.json 
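Review bot: The rewritten `fb_arid_viper` URL has lost a slash in the embedded scheme: the new value reads `/web/20231126111812/https:/about.fb.com/` where the removed line had `https://about.fb.com/`. It looks as if a path-normalisation step collapsed the `//` inside the archive path, although that is inferred from the before/after lines only. Link checkers and tools that recover the original report URL from the snapshot path may not resolve the new form, so the value should stay `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`. The new SpyC23 relationship file (relationship--99fabe9d) has a related form, with no scheme at all after the snapshot timestamp, and is worth checking in the same pass.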
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ddff62fa-c2c3-4a93-b854-1d8b6cb0e266", + "id": "bundle--3a5fb22b-37b0-499f-a767-14500fd5d872", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4", "type": "relationship", + "id": "relationship--991ef2f2-c196-4d5d-bd29-504ea25831f4", "created": "2021-10-01T14:42:48.815Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "modified": "2021-10-01T14:42:48.815Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:23.870Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can record from the device\u2019s camera.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9951d8c0-d210-4776-808b-421b613f244f.json b/mobile-attack/relationship/relationship--9951d8c0-d210-4776-808b-421b613f244f.json index 8e5d0d6fe8..7b7fb047b2 100644 
--- a/mobile-attack/relationship/relationship--9951d8c0-d210-4776-808b-421b613f244f.json +++ b/mobile-attack/relationship/relationship--9951d8c0-d210-4776-808b-421b613f244f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6c72f062-b982-4e5c-8ee3-e43823ed7abc", + "id": "bundle--2b5d648a-4427-4b0e-9e09-bf971389e773", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T16:55:41.638Z", + "modified": "2025-04-16T21:50:24.065Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) hides its icon after first launch.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f.json b/mobile-attack/relationship/relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f.json index 53a03151d6..6a0cd1f51e 100644 --- a/mobile-attack/relationship/relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f.json +++ b/mobile-attack/relationship/relationship--99b4be95-74f2-48f7-b4e9-8b4d88ecd31f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1749d976-37f3-4cd0-8584-6d15b18b878e", + "id": "bundle--897c252a-34f7-433e-a790-ef36ad3d4ef1", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:21:19.617Z", + "modified": "2025-04-16T21:50:24.268Z", "description": "If running on a Huawei device, [Desert Scorpion](https://attack.mitre.org/software/S0505) adds itself to the protected apps list, which allows it to run with the screen off.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648.json b/mobile-attack/relationship/relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648.json new file mode 100644 index 0000000000..df991c7f95 --- /dev/null +++ b/mobile-attack/relationship/relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--f802e848-7b8a-45f3-b1e2-e4ab5473d4f9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--99fabe9d-0202-4d12-aa7c-34e2a15b2648", + "created": "2024-04-02T19:45:43.976Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:24.463Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can hide its icon.(Citation: welivesecurity_apt-c-23)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9.json b/mobile-attack/relationship/relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9.json index 71807b728a..40102b48c4 100644 --- a/mobile-attack/relationship/relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9.json +++ b/mobile-attack/relationship/relationship--9a575420-cdce-4a9f-9ea9-2ae5c469cad9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4a542793-f092-447f-a219-e2a8ee127f26", + "id": "bundle--f5f0ffc2-4a0d-44cf-832a-6d9a62fe94f7", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-30T22:22:13.142Z", + "modified": "2025-04-16T21:50:24.674Z", "description": "[MoustachedBouncer](https://attack.mitre.org/groups/G1019) has used legitimate looking filenames for malicious executables including MicrosoftUpdate845255.exe.(Citation: MoustachedBouncer ESET August 2023)", "relationship_type": "uses", "source_ref": "intrusion-set--7251b44b-6072-476c-b8d9-a6e32c355b28", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9a90aacf-3b03-4100-a600-5c455d4e48de.json b/mobile-attack/relationship/relationship--9a90aacf-3b03-4100-a600-5c455d4e48de.json new file mode 100644 index 0000000000..b98a846d4d --- /dev/null +++ b/mobile-attack/relationship/relationship--9a90aacf-3b03-4100-a600-5c455d4e48de.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--0b516b23-d07f-4067-a1e4-3b838612e0dd", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9a90aacf-3b03-4100-a600-5c455d4e48de", + "created": "2025-03-28T15:10:00.440Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:24.860Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used a microphone-recording module.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25.json b/mobile-attack/relationship/relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25.json index 94eaca51c1..c6c87646b8 100644 --- a/mobile-attack/relationship/relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25.json +++ b/mobile-attack/relationship/relationship--9b34ae1e-027f-4b52-9a4f-1e58f6efdc25.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--240cb819-6465-487e-a7e9-7f47c91a4f28", + "id": "bundle--9a295d7f-4e3c-4a2f-9efc-6186b5270511", "spec_version": "2.0", "objects": [ { 
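Review bot: The `description` string in this new file ends with a stray space after the citation (`23Oct2023) "`), which the other new relationship in this batch, relationship--99fabe9d, does not have. The same trailing space appears in the new files relationship--9c02b7a3 (`application overlay. "`) and relationship--9c6b1915. Consumers that render or compare descriptions verbatim will carry the whitespace, so trimming it at export would keep the strings consistent.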
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T20:48:05.605Z", + "modified": "2025-04-16T21:50:25.056Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can take screenshots and can abuse accessibility services to scrape WhatsApp messages, contacts, and notifications.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9b56528f-cf04-4d81-80ee-7bacb862383a.json b/mobile-attack/relationship/relationship--9b56528f-cf04-4d81-80ee-7bacb862383a.json index 8ef3391bdb..c3267a15b0 100644 --- a/mobile-attack/relationship/relationship--9b56528f-cf04-4d81-80ee-7bacb862383a.json +++ b/mobile-attack/relationship/relationship--9b56528f-cf04-4d81-80ee-7bacb862383a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3170ac25-8e0f-4dc7-ac56-0a4ee54d0923", + "id": "bundle--51b35381-a4bb-4347-ac37-875cadfaac33", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T20:52:56.065Z", + "modified": "2025-04-16T21:50:25.266Z", "description": "Application vetting services can detect when applications request the `SEND_SMS` permission, which should be infrequently used.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78.json b/mobile-attack/relationship/relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78.json index f81bf3fefd..ca4105c44d 100644 --- a/mobile-attack/relationship/relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78.json +++ b/mobile-attack/relationship/relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--35a8fbea-c538-4e16-8a12-3d215b8a579d", + "id": "bundle--40eda10a-a7e0-46bc-91d4-8cf6278b10b2", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--9b5ec339-28f3-40b2-b5b2-450e1e303e78", "created": "2024-04-02T19:13:50.668Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-02T19:13:50.668Z", + "modified": "2025-04-16T21:50:25.461Z", "description": "[HilalRAT](https://attack.mitre.org/software/S1128) can activate a device\u2019s camera.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "malware--55714f87-6178-4b89-b3e5-d3a643f647ca", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9b8b51fb-c380-4516-b109-821f015506d4.json b/mobile-attack/relationship/relationship--9b8b51fb-c380-4516-b109-821f015506d4.json index 7a32d547df..eba91da107 100644 --- a/mobile-attack/relationship/relationship--9b8b51fb-c380-4516-b109-821f015506d4.json +++ b/mobile-attack/relationship/relationship--9b8b51fb-c380-4516-b109-821f015506d4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cbed6ce6-4743-47c3-9c99-ca252ea73257", + "id": "bundle--951c0b03-c6bb-4f17-9f27-ff83b61a604c", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:16:28.207Z", + "modified": "2025-04-16T21:50:25.682Z", "description": "Application vetting services could look for `android.permission.READ_CONTACTS` in an Android application\u2019s manifest, or `NSContactsUsageDescription` in an iOS application\u2019s `Info.plist` file. Most applications do not need contact list access, so extra scrutiny could be applied to those that request it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9bbfa759-5555-4048-a79d-fed27a1efd93.json b/mobile-attack/relationship/relationship--9bbfa759-5555-4048-a79d-fed27a1efd93.json index 3f90be0f62..43b8fdcc62 100644 --- a/mobile-attack/relationship/relationship--9bbfa759-5555-4048-a79d-fed27a1efd93.json +++ b/mobile-attack/relationship/relationship--9bbfa759-5555-4048-a79d-fed27a1efd93.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--65cf402a-be12-4ee9-a865-c47e749edf8d", + "id": "bundle--75f20cf8-2cb8-4d71-9322-8507df116ef0", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--9bbfa759-5555-4048-a79d-fed27a1efd93", "created": "2023-06-09T19:14:21.299Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-06-09T19:14:21.299Z", + "modified": "2025-04-16T21:50:25.878Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can access images stored on external storage.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d.json b/mobile-attack/relationship/relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d.json new file mode 100644 index 0000000000..028bc25dc8 --- /dev/null +++ b/mobile-attack/relationship/relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--e2c29fb3-8a6a-4746-ab55-2e9c3fa13844", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--9c02b7a3-df00-4191-8249-ed53d9bb954d", + "created": "2025-03-14T17:58:40.269Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:26.080Z", + "description": "Application vetting services can look for applications that request permissions to Accessibility services or application overlay. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d.json b/mobile-attack/relationship/relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d.json index c020d6a6e4..2bf365d7da 100644 --- a/mobile-attack/relationship/relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d.json +++ b/mobile-attack/relationship/relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--967ae224-24d8-4db5-b977-4c37b6831e29", + "id": "bundle--206b8112-1126-4b48-8703-e00e84f35654", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--9c284d41-21ef-4009-bb47-3ae09b08f38d", "created": "2022-04-01T17:06:06.950Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:26.276Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to location information. Users should also protect their account credentials and enable multi-factor authentication options when available. ", - "modified": "2022-04-01T17:06:06.950Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9c302eb1-1810-48a5-b34d-6aae303d2097.json b/mobile-attack/relationship/relationship--9c302eb1-1810-48a5-b34d-6aae303d2097.json index b1227dddcc..fdb33c4e0e 100644 --- a/mobile-attack/relationship/relationship--9c302eb1-1810-48a5-b34d-6aae303d2097.json +++ b/mobile-attack/relationship/relationship--9c302eb1-1810-48a5-b34d-6aae303d2097.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--79281c8f-2eb7-4ae9-9697-2ec7f35b3db2", + "id": "bundle--4178f163-ddcc-46bb-807a-316fa41cdc0f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--9c302eb1-1810-48a5-b34d-6aae303d2097", "created": "2022-04-01T15:16:26.387Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:26.465Z", "description": "Users should be instructed to not open links in applications they don\u2019t recognize.", - "modified": "2022-04-01T15:16:26.387Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9c545cbb-4949-4695-8d6b-b480478d3e20.json b/mobile-attack/relationship/relationship--9c545cbb-4949-4695-8d6b-b480478d3e20.json index b68b9ca2a4..2e756bb156 100644 --- a/mobile-attack/relationship/relationship--9c545cbb-4949-4695-8d6b-b480478d3e20.json +++ b/mobile-attack/relationship/relationship--9c545cbb-4949-4695-8d6b-b480478d3e20.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--0e63a6b4-217c-4a9c-8f5e-e0bce7b9abfc", + "id": "bundle--77cfeb49-c460-4e20-8686-57349b0575fb", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--9c545cbb-4949-4695-8d6b-b480478d3e20", "created": "2023-12-18T18:08:42.383Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:08:42.383Z", + "modified": "2025-04-16T21:50:26.660Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can turn off or fake turning off the screen while performing malicious activities.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9c6b1915-24e2-48ac-909a-0af43053b053.json b/mobile-attack/relationship/relationship--9c6b1915-24e2-48ac-909a-0af43053b053.json new file mode 100644 index 0000000000..d3db66c307 --- /dev/null +++ b/mobile-attack/relationship/relationship--9c6b1915-24e2-48ac-909a-0af43053b053.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--def2feec-e77e-4c03-a192-fcd562d5d929",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--9c6b1915-24e2-48ac-909a-0af43053b053",
+ "created": "2025-03-28T14:35:37.765Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "SecureList OpTriangulation 21Jun2023",
+ "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.",
+ "url": "https://securelist.com/triangledb-triangulation-implant/110050/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:26.868Z",
+ "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has encrypted data using RSA.(Citation: SecureList OpTriangulation 21Jun2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f",
+ "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708.json b/mobile-attack/relationship/relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708.json
index d8557fa4d1..96e1001ec3 100644
--- a/mobile-attack/relationship/relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708.json
+++ b/mobile-attack/relationship/relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708.json
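Review bot: The relationship `description` added in the new file relationship--9c6b1915-24e2-48ac-909a-0af43053b053.json ends with a stray space after the citation (`...21Jun2023) "`), and it says only that TriangleDB "has encrypted data using RSA" without naming which data. The Operation Triangulation relationship added elsewhere in this commit (relationship--9caeaf97-ca4e-4417-8148-d9a38b141047) points at the same `target_ref` and says RSA was used "to encrypt C2 communication". If the cited report supports the same reading here, the description should say so, because analysts use this text to decide what behaviour the technique link covers. Dropping the trailing space applies either way: `"description": "[TriangleDB](https://attack.mitre.org/software/S1216) has encrypted data using RSA.(Citation: SecureList OpTriangulation 21Jun2023)",`.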
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--80b8d0a5-d58d-43d6-b2be-7423404e1f3c", + "id": "bundle--24e827f8-e0e5-44e7-a2eb-51239fc5cd5c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708", "type": "relationship", + "id": "relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], - "modified": "2019-10-15T19:54:10.284Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:27.065Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole geo-location data.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9c853c22-7607-4cbd-b114-08aaa4625c35.json b/mobile-attack/relationship/relationship--9c853c22-7607-4cbd-b114-08aaa4625c35.json index a1a78ae1eb..ea7f35e475 100644 --- a/mobile-attack/relationship/relationship--9c853c22-7607-4cbd-b114-08aaa4625c35.json +++ b/mobile-attack/relationship/relationship--9c853c22-7607-4cbd-b114-08aaa4625c35.json 
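Review bot: As far as these two hunks show, the rewritten object for relationship--9c7c302a-d5ba-4fc9-a4e5-e865fd7fb708 still has neither `revoked` nor `x_mitre_deprecated`, while other relationships touched in this commit (relationship--9c302eb1-1810-48a5-b34d-6aae303d2097 and both new files) carry both set to `false`. STIX treats a missing `revoked` as false, but `x_mitre_deprecated` is a custom property, and a consumer that filters with an explicit equality test rather than a default may mis-bucket these records when computing mitigation or detection coverage. The commit already rewrites the tail of the object, so adding `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` would make the records uniform. The same gap is visible in the hunks for relationship--9c853c22, 9d264e84, 9d4c1d68, 9dec6b2f, 9e3921a8, 9e458d77 and 9e66ec3b.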
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--76298129-15aa-488d-92cb-16df087f9222", + "id": "bundle--9d32ad62-e99e-46f4-bf9a-d93fec0d48ce", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9c853c22-7607-4cbd-b114-08aaa4625c35", "type": "relationship", + "id": "relationship--9c853c22-7607-4cbd-b114-08aaa4625c35", "created": "2020-12-17T20:15:22.405Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", - "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", - "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], - "modified": "2020-12-28T18:47:52.600Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:27.280Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can collect device information and can check if the device is running MIUI on a Xiaomi device.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--9caeaf97-ca4e-4417-8148-d9a38b141047.json b/mobile-attack/relationship/relationship--9caeaf97-ca4e-4417-8148-d9a38b141047.json
new file mode 100644
index 0000000000..5d62dfe2d8
--- /dev/null
+++ b/mobile-attack/relationship/relationship--9caeaf97-ca4e-4417-8148-d9a38b141047.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--825979c9-3780-462c-86df-4f5a8e8b2ff2",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--9caeaf97-ca4e-4417-8148-d9a38b141047",
+ "created": "2025-03-28T15:02:22.972Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "SecureList OpTriangulation 21Jun2023",
+ "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.",
+ "url": "https://securelist.com/triangledb-triangulation-implant/110050/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:50:27.469Z",
+ "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors used RSA to encrypt C2 communication.(Citation: SecureList OpTriangulation 21Jun2023)",
+ "relationship_type": "uses",
+ "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3",
+ "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2.json b/mobile-attack/relationship/relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2.json
index 58da950fb7..4a8f7408b5 100644
--- a/mobile-attack/relationship/relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2.json +++ b/mobile-attack/relationship/relationship--9caf7cd5-fa15-45f0-8e1e-75917ea33af2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a357787e-d80b-45d5-b1e7-bb839b831e03", + "id": "bundle--772a5f7d-e08c-4fdf-9d3e-e95dc7c3e65a", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T16:45:40.815Z", + "modified": "2025-04-16T21:50:27.672Z", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e.json b/mobile-attack/relationship/relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e.json index 6aac44804a..d9fe9248d1 100644 --- a/mobile-attack/relationship/relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e.json +++ b/mobile-attack/relationship/relationship--9cfc30de-3e68-4361-a213-3c37ce27b70e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--60f2badf-f3b5-4e5d-9e4c-044c8aac3be8", + "id": "bundle--90afa75c-11d9-4973-98b7-db9b670e11e2", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T14:51:29.206Z", + "modified": "2025-04-16T21:50:27.872Z", "description": "On Android, the user can use the device settings menu to view trusted CA certificates and look for unexpected or unknown certificates. A mobile security product could similarly examine the trusted CA certificate store for anomalies. Users can use the device settings menu to view which applications on the device are allowed to install unknown applications.\n\nOn iOS, the user can use the device settings menu to view installed Configuration Profiles and look for unexpected or unknown profiles. A Mobile Device Management (MDM) system could use the iOS MDM APIs to examine the list of installed Configuration Profiles for anomalies.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856.json b/mobile-attack/relationship/relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856.json index 853fa72ec8..b6fd0917e1 100644 --- a/mobile-attack/relationship/relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856.json +++ b/mobile-attack/relationship/relationship--9cfcda7d-bb82-4122-a38b-fec4f5532856.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--332f2ae6-4192-419d-94a0-797c89d7d0cd", + "id": "bundle--4fbdbe26-b75c-47b3-a530-47d9c9a7ff7a", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:03:51.504Z", + "modified": "2025-04-16T21:50:28.073Z", "description": "[Bread](https://attack.mitre.org/software/S0432) communicates with the C2 server using HTTP requests.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9d264e84-27b2-4867-82c8-55486a969d7c.json b/mobile-attack/relationship/relationship--9d264e84-27b2-4867-82c8-55486a969d7c.json index befb86a2a0..eee1a9e329 100644 --- a/mobile-attack/relationship/relationship--9d264e84-27b2-4867-82c8-55486a969d7c.json +++ b/mobile-attack/relationship/relationship--9d264e84-27b2-4867-82c8-55486a969d7c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6371e1ca-4ebe-468c-8f98-f1b910622149", + "id": "bundle--61db5334-3b70-4582-8c94-26c52435f810", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9d264e84-27b2-4867-82c8-55486a969d7c", "type": "relationship", + "id": "relationship--9d264e84-27b2-4867-82c8-55486a969d7c", "created": "2020-12-17T20:15:22.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", - "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", - "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], - "modified": "2020-12-17T20:15:22.489Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:28.277Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can obtain a list of running processes.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7.json b/mobile-attack/relationship/relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7.json index 112c689896..1e86fecfdd 100644 --- a/mobile-attack/relationship/relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7.json +++ b/mobile-attack/relationship/relationship--9d2a9348-5d0a-43b0-8776-e9bbddc659c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--30e892a5-5733-4a3c-aa67-d86408c4df2c", + "id": "bundle--82d3ceef-12a3-44f4-af59-d0f1eba995ad", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:53:41.268Z", + "modified": "2025-04-16T21:50:28.468Z", "description": "Application vetting services can look for applications requesting the `android.permission.BIND_ACCESSIBILITY_SERVICE` permission in a service declaration. On Android, the user can view and manage which applications can use accessibility services through the device settings in Accessibility. The exact device settings menu locations may vary between operating system versions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de.json b/mobile-attack/relationship/relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de.json index b444e3171b..d050a5b2bc 100644 --- a/mobile-attack/relationship/relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de.json 
+++ b/mobile-attack/relationship/relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0a41065a-69e6-44d1-9a2a-42b74438ec6d", + "id": "bundle--a62e48a9-9f9b-4996-b23a-1262de393789", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de", "type": "relationship", + "id": "relationship--9d4c1d68-3cc8-4cf9-b3ee-1525d0ce32de", "created": "2019-10-14T20:49:24.571Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "source_name": "securelist rotexy 2018" + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], - "modified": "2019-10-14T20:49:24.571Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:28.676Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about running processes.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9.json b/mobile-attack/relationship/relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9.json index a334636567..e464937ac8 100644 --- a/mobile-attack/relationship/relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9.json +++ b/mobile-attack/relationship/relationship--9d72c60b-d5d1-4b50-a01f-3882ddb335d9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69af78c4-b4ef-4149-ae00-b86df9c997e4", + "id": "bundle--3a3b0d2b-9776-47d4-8253-59e238985bb6", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:26:48.912Z", + "modified": "2025-04-16T21:50:28.870Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can remount the system partition as read/write to install attacker-specified certificates.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c.json b/mobile-attack/relationship/relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c.json index f37470405c..731313a54f 100644 --- a/mobile-attack/relationship/relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c.json +++ b/mobile-attack/relationship/relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f21874c5-0909-4e46-bfff-a40e1a8d4123", + "id": "bundle--d4e2a5d3-59cc-4e57-bb10-3f49fbc98635", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c", "type": "relationship", + "id": "relationship--9dec6b2f-790a-4da9-86c9-1f4b7141c32c", "created": "2019-09-04T15:38:56.562Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", - "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", - "source_name": "FortiGuard-FlexiSpy" + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], - "modified": "2019-10-14T18:08:28.500Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:29.070Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can communicate with the command and control server over ports 12512 and 12514.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63.json b/mobile-attack/relationship/relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63.json index 819134ad20..cf31dd8ba4 100644 --- a/mobile-attack/relationship/relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63.json +++ b/mobile-attack/relationship/relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e1f84e5c-00bc-4593-991d-e5452b442534", + "id": "bundle--d1ada5db-0eba-4cf8-83fd-4f7fec02c7f1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63", "type": "relationship", + "id": "relationship--9e3921a8-a9e1-48c4-9b61-ff190c104f63", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", - "source_name": "TrendMicro-RCSAndroid" + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], - "modified": "2019-08-09T17:53:48.793Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:29.266Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can monitor clipboard content.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--9e458d77-c856-4b02-82a7-50947b232dc3.json b/mobile-attack/relationship/relationship--9e458d77-c856-4b02-82a7-50947b232dc3.json index d5e0503188..10d9ecfc97 100644 --- a/mobile-attack/relationship/relationship--9e458d77-c856-4b02-82a7-50947b232dc3.json +++ b/mobile-attack/relationship/relationship--9e458d77-c856-4b02-82a7-50947b232dc3.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--2fba55bb-6830-4995-a614-ee30eeb82fc6", + "id": "bundle--54ea0f38-7bf8-4cce-9c41-f07be1daf8a6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9e458d77-c856-4b02-82a7-50947b232dc3", "type": "relationship", + "id": "relationship--9e458d77-c856-4b02-82a7-50947b232dc3", "created": "2021-10-01T14:42:49.183Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "modified": "2021-10-06T15:32:46.533Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:29.460Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can download a payload or updates from either its C2 server or email attachments in the adversary\u2019s inbox.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15.json b/mobile-attack/relationship/relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15.json index 93b1f32e5a..ca61a00aad 100644 --- a/mobile-attack/relationship/relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15.json +++ b/mobile-attack/relationship/relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--17adc6e4-9072-4aab-a330-f93bfabbb9e9", + "id": "bundle--f8dc9126-5df2-4465-9dd9-01f0c5850251", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15", "type": "relationship", + "id": "relationship--9e66ec3b-cdd6-461c-bd84-e75316818e15", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:29.656Z", "description": "[X-Agent for Android](https://attack.mitre.org/software/S0314) was believed to have been used to obtain locational data of Ukrainian artillery forces.(Citation: CrowdStrike-Android)", "relationship_type": "uses", "source_ref": "malware--56660521-6db4-4e5a-a927-464f22954b7c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--9e95ef68-0650-49eb-888f-47c211481be9.json b/mobile-attack/relationship/relationship--9e95ef68-0650-49eb-888f-47c211481be9.json index 5ab79e1499..58864a72f0 100644 --- a/mobile-attack/relationship/relationship--9e95ef68-0650-49eb-888f-47c211481be9.json +++ b/mobile-attack/relationship/relationship--9e95ef68-0650-49eb-888f-47c211481be9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2ef2cf0e-4ace-43b8-87db-f3bcd4d6e8b4", + "id": "bundle--edcad423-a17e-4fb9-8a68-e51213437555", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T17:16:36.672Z", + "modified": "2025-04-16T21:50:29.844Z", "description": "Application vetting may be able to identify applications that perform [Discovery](https://attack.mitre.org/tactics/TA0032) or utilize existing connectivity to remotely access hosts within an internal enterprise network. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9f83d618-a42d-4797-b9fe-030affdbd13f.json b/mobile-attack/relationship/relationship--9f83d618-a42d-4797-b9fe-030affdbd13f.json index b292a3862a..d70e1929f7 100644 --- a/mobile-attack/relationship/relationship--9f83d618-a42d-4797-b9fe-030affdbd13f.json +++ b/mobile-attack/relationship/relationship--9f83d618-a42d-4797-b9fe-030affdbd13f.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9ec20ded-0abe-4f0f-8eb4-9c3ebbc9ad62", + "id": "bundle--865e4d81-d326-40b8-871d-845459eb91be", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:49:35.020Z", + "modified": "2025-04-16T21:50:30.046Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can hide and send SMS messages. [SharkBot](https://attack.mitre.org/software/S1055) can also change which application is the device\u2019s default SMS handler.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7.json b/mobile-attack/relationship/relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7.json index 01c52f5563..8ac1bf338f 100644 --- a/mobile-attack/relationship/relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7.json +++ b/mobile-attack/relationship/relationship--9f9a0349-ca95-4bde-8d8d-af524ce19bc7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--58980eed-7692-4e8b-97eb-428b8e462e05", + "id": "bundle--be75e7ac-1ad6-4451-9209-e563d69b3ee3", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:52:33.829Z", + "modified": "2025-04-16T21:50:30.267Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) can turn off `VerifyApps`, and can grant Device Administrator permissions via commands only, rather than using the UI.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2.json b/mobile-attack/relationship/relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2.json index 9041bd0347..dd3b24de50 100644 --- a/mobile-attack/relationship/relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2.json +++ b/mobile-attack/relationship/relationship--9fa03a70-ad00-4148-ae5e-8315f3e618d2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bec08ec9-ad5e-498e-ac40-519336a8906d", + "id": "bundle--64dc8473-4ba9-4a4e-8298-702134ca691e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:29:29.307Z", + "modified": "2025-04-16T21:50:30.464Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can abuse device administrator permissions to ensure that it cannot be uninstalled until its permissions are revoked.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5.json b/mobile-attack/relationship/relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5.json index de07993ddd..68e1ba5cd8 100644 --- a/mobile-attack/relationship/relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5.json +++ b/mobile-attack/relationship/relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--5b0fcf5b-5d01-4afa-b26b-955b31b32354", + "id": "bundle--b4a77c47-6a0c-4727-972a-4cdcdf567010", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--9fb0c414-6216-4b42-a080-cb42ef4011c5", "created": "2024-04-17T13:12:54.126Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-17T13:12:54.126Z", + "modified": "2025-04-16T21:50:30.671Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can communicate with the C2 using HTTPS requests.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--9fdc5fee-2250-4894-8333-466910023533.json b/mobile-attack/relationship/relationship--9fdc5fee-2250-4894-8333-466910023533.json index 7d426b5a1f..f6746309f5 100644 --- a/mobile-attack/relationship/relationship--9fdc5fee-2250-4894-8333-466910023533.json +++ b/mobile-attack/relationship/relationship--9fdc5fee-2250-4894-8333-466910023533.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a9475109-b11e-4b2a-b4ad-d945bb3cf010", + "id": "bundle--407a177e-a126-400a-8b32-d1489a3b627f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--9fdc5fee-2250-4894-8333-466910023533", "created": "2024-02-20T23:42:43.674Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:42:43.674Z", + "modified": "2025-04-16T21:50:30.862Z", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f.json b/mobile-attack/relationship/relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f.json index 0806be6d07..666a1e7fa3 100644 --- a/mobile-attack/relationship/relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f.json +++ b/mobile-attack/relationship/relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--cf8daeb3-b03e-4c65-b10f-f44f01f4ec3e", + "id": "bundle--64de839f-f339-4f0c-88bc-2023ab497030", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a011bcc6-b5d8-4923-b533-55abec69ff2f", "created": "2022-03-30T20:07:33.291Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:31.052Z", "description": "", - "modified": "2022-03-30T20:07:33.291Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--fd658820-cbba-4c95-8ac9-0fac6b1099e2", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d.json b/mobile-attack/relationship/relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d.json index dd92c12ba6..40da86eb29 100644 --- a/mobile-attack/relationship/relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d.json +++ b/mobile-attack/relationship/relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c78a32dd-d999-4835-824e-7be847b025b3", + "id": "bundle--31d375ac-6796-45b6-86f7-a74b2ff1ce9f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d", "type": "relationship", + "id": "relationship--a042d55c-b31e-41c1-9cd0-66070ec9a11d", "created": "2020-10-29T19:21:23.235Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WeLiveSecurity AdDisplayAshas", - "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/", - "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020." + "description": "L. Stefanko. (2019, October 24). Tracking down the developer of Android adware affecting millions of users. Retrieved October 29, 2020.", + "url": "https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/" } ], - "modified": "2020-10-29T19:21:23.235Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:31.272Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has hidden the C2 server address using base-64 encoding. (Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
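Review bot: The rewritten relationship object in this hunk has neither a `revoked` nor an `x_mitre_deprecated` key, while the other relationship files touched by this patch carry `"revoked": false` and `"x_mitre_deprecated": false` next to the same `"x_mitre_attack_spec_version": "3.2.0"`. The same gap appears in the hunks for relationship--a04dfb58, relationship--a09f8daa, relationship--a1023a75 and relationship--a1814198. A consumer that indexes these keys directly, or that filters out retired objects before building detection or mitigation coverage, has to treat absence as false; whether spec 3.2.0 requires the keys is not visible here. I would add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` so every object in the release has the same shape.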
diff --git a/mobile-attack/relationship/relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e.json b/mobile-attack/relationship/relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e.json index 516b0ba993..dc3adb9567 100644 --- a/mobile-attack/relationship/relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e.json +++ b/mobile-attack/relationship/relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--5753b25a-8a51-40f2-b2ad-d7932a1e64af", + "id": "bundle--9e3a8da7-fe32-42b5-af6c-c2c52e087590", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a0464679-71b6-4ab4-a72d-0428e4d75d5e", "created": "2022-03-30T13:45:39.184Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:31.464Z", "description": "Device attestation can often detect jailbroken or rooted devices.", - "modified": "2022-03-30T13:45:39.184Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c.json b/mobile-attack/relationship/relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c.json index 4d8ca24fc2..c2d74004e6 100644 
--- a/mobile-attack/relationship/relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c.json
+++ b/mobile-attack/relationship/relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--118053ed-34cd-4b0d-b166-53a72ed34813", + "id": "bundle--89064c5e-86d3-4a34-a3bb-be6bec12b963", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a04ae7d7-1500-49c9-bada-1a75a8670f5c", "created": "2019-11-21T19:16:34.820Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "CheckPoint SimBad 2019", - "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/", - "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019." + "description": "Elena Root, Andrey Polkovnichenko. (2019, March 13). SimBad: A Rogue Adware Campaign On Google Play. Retrieved November 21, 2019.", + "url": "https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:31.679Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) generates fraudulent advertising revenue by displaying ads in the background and by opening the browser and displaying ads.(Citation: CheckPoint SimBad 2019)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965.json b/mobile-attack/relationship/relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965.json index 91ef0c4215..4ba76f01d9 100644 --- a/mobile-attack/relationship/relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965.json +++ b/mobile-attack/relationship/relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--541503b2-95ab-4254-845f-8d1dda4c119b", + "id": "bundle--0138116f-42e1-45fb-b18a-4e4b1394dc5d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965", "type": "relationship", + "id": "relationship--a04dfb58-b7d3-4abe-9f4a-fad4f7158965", "created": "2020-04-08T15:51:25.106Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", - "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", - "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], - "modified": "2020-04-08T15:51:25.106Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:31.872Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) can obtain a list of installed applications.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415.json b/mobile-attack/relationship/relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415.json index e3f0a6fdf6..078cb3eff2 100644 --- a/mobile-attack/relationship/relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415.json +++ b/mobile-attack/relationship/relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--9f15a3a5-a57f-4767-b1fa-cb76e584fd67", + "id": "bundle--11c8ff28-6297-4f06-bed1-3fb97cef13f0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415", "type": "relationship", + "id": "relationship--a09f8daa-aa02-45f1-8dac-9bea355c9415", "created": "2020-11-10T17:08:35.819Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-11-10T17:08:35.819Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:32.058Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device\u2019s location and track the device over time.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6.json b/mobile-attack/relationship/relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6.json index 094e1185ff..3ca12a721d 100644 --- a/mobile-attack/relationship/relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6.json +++ b/mobile-attack/relationship/relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6.json 
@@ -1,35 +1,35 @@ { "type": "bundle", - "id": "bundle--84aa859f-c80d-4164-bdc7-c72b640c1cb2", + "id": "bundle--48fe3996-1cfd-4ec3-9dd6-0ef813b5f415", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6", "type": "relationship", + "id": "relationship--a1023a75-31cc-420a-9c59-b440f7fb27e6", "created": "2019-11-21T16:42:48.501Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", - "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", - "source_name": "SecureList - ViceLeaker 2019" + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", - "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", - "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], - "modified": "2020-01-21T14:20:50.492Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:32.263Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can collect location information, including GPS coordinates.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a111958f-bb98-48c1-ad44-bf55fad232e9.json b/mobile-attack/relationship/relationship--a111958f-bb98-48c1-ad44-bf55fad232e9.json new file mode 100644 index 0000000000..a7998e196b --- /dev/null +++ b/mobile-attack/relationship/relationship--a111958f-bb98-48c1-ad44-bf55fad232e9.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--ac1e781b-6f55-4497-a5c0-bd47b19d895f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a111958f-bb98-48c1-ad44-bf55fad232e9", + "created": "2025-03-24T17:50:41.036Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "FirshSecureList LightSpy 2020", + "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", + "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:32.461Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected a list of cellular networks and connected Wi-Fi history using a LAN scanner based on MMLanScan.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f.json b/mobile-attack/relationship/relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f.json index 0cb92eb031..dac6133943 100644 --- a/mobile-attack/relationship/relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f.json +++ b/mobile-attack/relationship/relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--418c7bf5-03f7-4e37-b0da-453b2b21855e", + "id": "bundle--ba2cbcb4-6fc6-449e-9f17-3b274e40240d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a111ab3c-97f2-4b17-b291-f141e9b7613f", "created": "2022-04-01T12:50:48.459Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:32.662Z", "description": "", - "modified": "2022-04-01T12:50:48.459Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--62adb627-f647-498e-b4cc-41499361bacb", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a120ac54-32fa-43ad-a826-8325823b656d.json b/mobile-attack/relationship/relationship--a120ac54-32fa-43ad-a826-8325823b656d.json index 07ae81b22c..7447d0ca12 100644 --- a/mobile-attack/relationship/relationship--a120ac54-32fa-43ad-a826-8325823b656d.json +++ b/mobile-attack/relationship/relationship--a120ac54-32fa-43ad-a826-8325823b656d.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--dcc1cdab-e157-40d1-8904-b1b91529eb3e", + "id": "bundle--018ade60-9a28-4ae6-b349-bd5f69d929fc", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a120ac54-32fa-43ad-a826-8325823b656d", "created": "2023-09-22T19:14:12.741Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T19:14:12.741Z", + "modified": "2025-04-16T21:50:32.861Z", "description": "Users should be trained on what device administrator permission request prompts look like, and how to avoid granting permissions on phishing popups.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a153f40b-ba34-4419-9189-d61b5cd29802.json b/mobile-attack/relationship/relationship--a153f40b-ba34-4419-9189-d61b5cd29802.json new file mode 100644 index 0000000000..41a007c760 --- /dev/null +++ b/mobile-attack/relationship/relationship--a153f40b-ba34-4419-9189-d61b5cd29802.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--94904645-37ef-4c2b-9f65-7bed99878ecb", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a153f40b-ba34-4419-9189-d61b5cd29802", + "created": "2025-01-10T18:39:06.605Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "threatpost AndroidSpyware 2020", + "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.", + "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:33.059Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can exfiltrate the call log.(Citation: threatpost AndroidSpyware 2020)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9.json b/mobile-attack/relationship/relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9.json index 394e3310e8..dff887098c 100644 --- a/mobile-attack/relationship/relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9.json +++ b/mobile-attack/relationship/relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--53d1e3ac-759c-410c-96a0-a33a06fd4077", + "id": "bundle--3be57cb1-1661-42d6-b135-af82612b4450", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9", "type": "relationship", + "id": "relationship--a1814198-1f91-41d4-a413-d55e1a66c8e9", "created": "2020-07-20T13:27:33.548Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-08-10T22:00:43.490Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:33.274Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) uses `dumpsys` to determine if certain applications are running.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a186540d-d235-48f1-8757-d0b46f13c6ce.json b/mobile-attack/relationship/relationship--a186540d-d235-48f1-8757-d0b46f13c6ce.json index b6219617ef..5c574894b4 100644 
--- a/mobile-attack/relationship/relationship--a186540d-d235-48f1-8757-d0b46f13c6ce.json +++ b/mobile-attack/relationship/relationship--a186540d-d235-48f1-8757-d0b46f13c6ce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6e02ac3d-feb6-441d-b710-faac106f9636", + "id": "bundle--7e080e31-6abb-4d78-b481-08e830218fee", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T20:42:33.371Z", + "modified": "2025-04-16T21:50:33.480Z", "description": "(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f", "target_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41.json b/mobile-attack/relationship/relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41.json index e99c09ecb8..0e4890dd0e 100644 --- a/mobile-attack/relationship/relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41.json +++ b/mobile-attack/relationship/relationship--a1a9db79-4a80-4e65-91bf-72e358d2ce41.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d7299493-cc29-42d0-91cb-b378e6c15582", + "id": "bundle--45559498-a4d7-4199-99e5-87d19ef55dfa", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-21T18:44:26.569Z", + "modified": "2025-04-16T21:50:33.684Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can download attacker-specified files.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f.json b/mobile-attack/relationship/relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f.json index d472d96689..6305acfc6d 100644 --- a/mobile-attack/relationship/relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f.json +++ b/mobile-attack/relationship/relationship--a1c53fcf-a691-4233-a136-0a51d5a3840f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b131066d-d1d9-4f67-8dd5-042c3a6d980f", + "id": "bundle--b83ce652-5635-4b49-8363-5bb6734a2fef", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "SWB Exodus March 2019", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:11:03.802Z", + "modified": "2025-04-16T21:50:33.882Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can capture SMS messages.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a1fac829-275a-409a-9060-e7bd7c63057e.json b/mobile-attack/relationship/relationship--a1fac829-275a-409a-9060-e7bd7c63057e.json index 9315cafd64..20f7fe99fd 100644 --- a/mobile-attack/relationship/relationship--a1fac829-275a-409a-9060-e7bd7c63057e.json +++ b/mobile-attack/relationship/relationship--a1fac829-275a-409a-9060-e7bd7c63057e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6b9fee7e-4c49-402e-a513-36a7c18af2bd", + "id": "bundle--bcfc6d9b-6ca9-4940-8b47-24e71fc5b0b2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a1fac829-275a-409a-9060-e7bd7c63057e", "type": "relationship", + "id": "relationship--a1fac829-275a-409a-9060-e7bd7c63057e", "created": "2020-12-18T20:14:47.375Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "modified": "2020-12-18T20:14:47.375Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:34.093Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can obtain a list of installed apps.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58.json b/mobile-attack/relationship/relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58.json index 4e0b56b402..c181a4ab7e 100644 --- a/mobile-attack/relationship/relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58.json +++ b/mobile-attack/relationship/relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--7de2a44f-d9e9-48c0-90b5-ba49aaf4eccc", + "id": "bundle--60d8e173-c976-4516-a52d-8087f868697b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a1ff77ee-76fd-4dd3-94aa-dbf35d971e58", "created": "2023-12-18T18:11:53.531Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:11:53.531Z", + "modified": "2025-04-16T21:50:34.330Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can use both HTTP and WebSockets to communicate with the C2 server.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a20493e1-4699-405d-a291-c28aae8ed737.json b/mobile-attack/relationship/relationship--a20493e1-4699-405d-a291-c28aae8ed737.json index 70b7621b25..22dae2e1af 100644 
--- a/mobile-attack/relationship/relationship--a20493e1-4699-405d-a291-c28aae8ed737.json
+++ b/mobile-attack/relationship/relationship--a20493e1-4699-405d-a291-c28aae8ed737.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--a2fa7acf-ef4b-44c1-a6bd-41c40cf19c9d", + "id": "bundle--66ac1c64-d629-443b-9b62-f60cd5f2b196", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a20493e1-4699-405d-a291-c28aae8ed737", "created": "2022-04-18T16:53:24.617Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Wandera-RedDrop", - "url": "https://www.wandera.com/reddrop-malware/", - "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018." + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:34.529Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) uses ads or other links within websites to encourage users to download the malicious apps using a complex content distribution network (CDN) and series of network redirects. 
[RedDrop](https://attack.mitre.org/software/S0326) also downloads additional components (APKs, JAR files) from different C2 servers.(Citation: Wandera-RedDrop) ", - "modified": "2022-04-20T16:33:23.507Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a20581b4-21fa-4ed9-b056-d139998868e8.json b/mobile-attack/relationship/relationship--a20581b4-21fa-4ed9-b056-d139998868e8.json index 4d373df70e..ad41acde96 100644 --- a/mobile-attack/relationship/relationship--a20581b4-21fa-4ed9-b056-d139998868e8.json +++ b/mobile-attack/relationship/relationship--a20581b4-21fa-4ed9-b056-d139998868e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--85f0d76f-d10f-4c22-940f-6e71211376bb", + "id": "bundle--8f9383a5-bb8c-4d68-9aca-4d165a8927b2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:52:44.819Z", + "modified": "2025-04-16T21:50:34.727Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve the device's contact list.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457.json b/mobile-attack/relationship/relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457.json index 4bfc6a8f5e..9cb7517531 100644 --- a/mobile-attack/relationship/relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457.json +++ b/mobile-attack/relationship/relationship--a2323d47-348c-4e3c-9c25-7feb20e2e457.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--777a870b-f73a-4672-981f-26184223dcca", + "id": "bundle--1cc2c5d7-1146-463d-b29b-5468b84523eb", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:53:03.638Z", + "modified": "2025-04-16T21:50:34.953Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads contact lists for various third-party applications such as Yahoo, AIM, GoogleTalk, Skype, QQ, and others.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52.json b/mobile-attack/relationship/relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52.json index db17c8ae49..29c9721a9b 100644 --- a/mobile-attack/relationship/relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52.json +++ b/mobile-attack/relationship/relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--42021e8e-dcf1-4c21-acc7-95bdaf24473b", + "id": "bundle--9c1ec807-7c50-4ac9-bcd9-55c7f4fe805e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a2365c91-60f6-4249-af13-6bc2fdb80d52", "created": "2019-09-23T13:36:08.459Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "securelist rotexy 2018", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:35.136Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can use phishing overlays to capture users' credit card information.(Citation: securelist rotexy 2018)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at 
end of file diff --git a/mobile-attack/relationship/relationship--a25a0454-d6da-4448-a3c5-33648ee6675a.json b/mobile-attack/relationship/relationship--a25a0454-d6da-4448-a3c5-33648ee6675a.json index 905908ec53..e574bab52d 100644 --- a/mobile-attack/relationship/relationship--a25a0454-d6da-4448-a3c5-33648ee6675a.json +++ b/mobile-attack/relationship/relationship--a25a0454-d6da-4448-a3c5-33648ee6675a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--cdc8901a-f748-4b76-8064-25aca06df41a", + "id": "bundle--6c03bf0b-be8d-4860-aecd-bb91cd8ec4bf", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a25a0454-d6da-4448-a3c5-33648ee6675a", "created": "2023-07-21T19:36:50.262Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:36:50.262Z", + "modified": "2025-04-16T21:50:35.361Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect system information, such as Android version and device identifiers.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3.json b/mobile-attack/relationship/relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3.json index 12674168db..215cf5afc3 100644 
--- a/mobile-attack/relationship/relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3.json +++ b/mobile-attack/relationship/relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--fa3bf28b-7bd2-4910-9e90-cab2c27c6b6e", + "id": "bundle--92bcd084-d27d-474c-bbee-59c74a650211", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3", "type": "relationship", + "id": "relationship--a25d58af-dbb3-4025-b91d-898c6adffcb3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], - "modified": "2019-10-10T15:18:51.121Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:35.549Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) steals authentication tokens that can be used to access data from multiple Google applications.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a26a09cd-1718-403f-99f3-fdb127ac3599.json b/mobile-attack/relationship/relationship--a26a09cd-1718-403f-99f3-fdb127ac3599.json new file mode 100644 index 0000000000..d993099feb --- /dev/null +++ b/mobile-attack/relationship/relationship--a26a09cd-1718-403f-99f3-fdb127ac3599.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--d9e0c19e-30f9-4878-b584-6f3f72e8996f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a26a09cd-1718-403f-99f3-fdb127ac3599", + "created": "2025-04-15T17:51:41.973Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:35.766Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has used the DeleteSpring plugin to render the device\u2019s user interface inoperable.(Citation: LinkedIn Dmitry LightSpy 2025) [LightSpy](https://attack.mitre.org/software/S1185) has prevented the victim device from booting by modifying the NVRAM parameter `auto-boot` to `false`.(Citation: LinkedIn Dmitry LightSpy 2025) Additionally, [LightSpy](https://attack.mitre.org/software/S1185) has renamed the Wi-Fi daemon to disable wireless connectivity.(Citation: LinkedIn Dmitry LightSpy 2025) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a27b771e-430b-4044-aa04-7e755f74ae2f.json b/mobile-attack/relationship/relationship--a27b771e-430b-4044-aa04-7e755f74ae2f.json new file mode 100644 index 0000000000..8998625c3e --- /dev/null +++ b/mobile-attack/relationship/relationship--a27b771e-430b-4044-aa04-7e755f74ae2f.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--340bb8d9-86b1-4dab-a91d-dec7926b6fc5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a27b771e-430b-4044-aa04-7e755f74ae2f", + "created": "2025-03-27T22:47:30.734Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:35.979Z", + "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has searched for and has deleted the malicious iMessage attachment used in the initial access phase in various databases.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a.json b/mobile-attack/relationship/relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a.json index 18ba40a847..5b5ac0cf67 100644 
--- a/mobile-attack/relationship/relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a.json +++ b/mobile-attack/relationship/relationship--a2803d73-f5bf-4815-bfbf-662c372e1f5a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62e84b4e-45ae-4420-8587-01095c0355eb", + "id": "bundle--555e86e0-ae51-4507-92b0-79070cf9dc83", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T16:08:37.797Z", + "modified": "2025-04-16T21:50:36.174Z", "description": "When vetting applications for potential security weaknesses, the vetting process could look for insecure use of Intents. Developers should be encouraged to use techniques to ensure that the intent can only be sent to an appropriate destination (e.g., use explicit rather than implicit intents, permission checking, checking of the destination app's signing certificate, or utilizing the App Links feature). For mobile applications using OAuth, encourage use of best practice.(Citation: IETF-OAuthNativeApps)(Citation: Android-AppLinks)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a285f343-09c3-49af-9c18-1dccf89e9009.json b/mobile-attack/relationship/relationship--a285f343-09c3-49af-9c18-1dccf89e9009.json index 94cd28e184..33b1c0de95 100644 --- a/mobile-attack/relationship/relationship--a285f343-09c3-49af-9c18-1dccf89e9009.json 
+++ b/mobile-attack/relationship/relationship--a285f343-09c3-49af-9c18-1dccf89e9009.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--48af09f3-a117-458e-83fd-4f99665cc7a3", + "id": "bundle--4e1d946e-3ee0-492a-97cf-aa0c567bb06d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a285f343-09c3-49af-9c18-1dccf89e9009", "type": "relationship", + "id": "relationship--a285f343-09c3-49af-9c18-1dccf89e9009", "created": "2020-11-20T16:37:28.391Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T16:37:28.391Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:36.381Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect a directory listing of external storage.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd.json b/mobile-attack/relationship/relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd.json index 771fdffdf6..214829c025 100644 --- a/mobile-attack/relationship/relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd.json +++ b/mobile-attack/relationship/relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c38fbaa3-67f6-4b93-b29f-4a3a98a5a13a", + "id": "bundle--ef61de6b-2cd5-4c60-99f3-d8a054154158", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd", "type": "relationship", + "id": "relationship--a28a53e9-7a42-4f81-bced-0efbc3128cbd", "created": "2019-09-04T15:38:56.597Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "FortiGuard-FlexiSpy", "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", - "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", - "source_name": "FortiGuard-FlexiSpy" + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" } ], - "modified": "2019-09-10T14:59:25.979Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:36.571Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) encrypts its configuration file using AES.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e.json b/mobile-attack/relationship/relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e.json index a4b3598af1..abf2ecaa17 100644 --- a/mobile-attack/relationship/relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e.json +++ b/mobile-attack/relationship/relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--f611f958-ca27-43b3-87b3-79072f78d38f", + "id": "bundle--4c4f6abc-0693-4ada-8696-ec0827a96205", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e", "type": "relationship", + "id": "relationship--a290a8ca-e650-456c-b33e-03343fe5ea4e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:36.784Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) accesses sensitive data in files, such as saving Skype calls by reading them out of the Skype database files.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa.json b/mobile-attack/relationship/relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa.json index e28bc324af..9946e3ee57 100644 --- a/mobile-attack/relationship/relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa.json +++ b/mobile-attack/relationship/relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e7b02f2c-e795-47a0-ad22-234a6ad9a8ce", + "id": "bundle--1685ea20-8ca5-4d67-b69b-d2d1dc3fbf99", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa", "type": "relationship", + "id": "relationship--a299e0a6-cada-4629-a6c6-ed73dc4422aa", "created": "2020-11-24T17:55:12.903Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", - "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", - "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], - "modified": "2020-11-24T17:55:12.903Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:36.974Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) has base64-encoded the exfiltrated data, replacing some of the base64 characters to further obfuscate the data.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7.json b/mobile-attack/relationship/relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7.json index dfe7a2f955..a2cf71cfb2 100644 --- a/mobile-attack/relationship/relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7.json +++ b/mobile-attack/relationship/relationship--a2ca7663-5ce0-447f-beeb-ad0f66a1a1e7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--497b874a-5686-4bfc-b9cf-338a65c3e3fd", + "id": "bundle--c06885cd-0593-4bc3-90ba-ee405e1ea119", "spec_version": "2.0", "objects": [ { 
@@ -12,13 +12,13 @@ "external_references": [ { "source_name": "checkpoint_hamas_android_malware", - "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" + "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" }, { "source_name": "sophos_android_apt_spyware", - "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231208015605/https://news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" }, { "source_name": "welivesecurity_apt-c-23", 
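Review bot: Both rewritten `url` values in this hunk (`checkpoint_hamas_android_malware` and `sophos_android_apt_spyware`) lose a slash in the embedded original URL: the new side reads `.../web/20240226125457/https:/research.checkpoint.com/...` where the old side had `https://research.checkpoint.com/...`. This looks like path normalisation applied to the URL string during export, though the export step is not visible here. Tooling that validates citation URLs or extracts the original source from the archive link may reject or mis-parse these references. I would restore the double slash in both, e.g. `"url": "https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"`, and check the rest of the release for the same `https:/` pattern.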
@@ -29,15 +29,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-02T19:23:23.538Z", + "modified": "2025-04-16T21:50:37.165Z", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) has masqueraded malware as legitimate applications.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1.json b/mobile-attack/relationship/relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1.json index 7ba245a531..c2009e1e69 100644 --- a/mobile-attack/relationship/relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1.json +++ b/mobile-attack/relationship/relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--194696a8-df5a-489d-ab0c-47c6c26cc755", + "id": "bundle--5c1d52e8-d210-4662-9946-d9c216e366e4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1", "type": "relationship", + "id": "relationship--a32db277-593f-4fd1-bdcb-9f677b1a05e1", "created": "2020-06-26T14:55:13.289Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], - "modified": "2020-06-26T14:55:13.289Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:37.388Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to capture data from installed applications.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d.json b/mobile-attack/relationship/relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d.json index 971415ff92..43b142e1b5 100644 --- a/mobile-attack/relationship/relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d.json +++ b/mobile-attack/relationship/relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--90f7ff1b-5554-4a54-841e-a5c67e446004", + "id": "bundle--dbf3cbfc-6f9d-4514-9e01-102b261d302d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a34f3873-3df7-4e93-915c-fc2b4af3444d", "created": "2020-07-15T20:20:59.380Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:37.581Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used Firebase for C2.(Citation: Bitdefender Mandrake)", - "modified": "2022-04-18T19:18:24.378Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62.json b/mobile-attack/relationship/relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62.json new file mode 100644 index 0000000000..112799d264 --- /dev/null +++ b/mobile-attack/relationship/relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--95ce6655-6704-4c7f-b272-fcefcca4544d", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--a394e5e5-1d98-4e08-ba29-866cf7ff9a62", + "created": "2025-04-15T18:08:29.509Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:37.790Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) injects libcynject.dylib into the SpringBoard process to enable audio/video recording.(Citation: LinkedIn Dmitry LightSpy 2025) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--b7c0e45f-0206-4f75-96e7-fe7edad3aaff", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209.json b/mobile-attack/relationship/relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209.json index 680eb95f89..ef80983b8f 100644 --- a/mobile-attack/relationship/relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209.json +++ b/mobile-attack/relationship/relationship--a3a8b2f2-f1aa-49ba-be55-a674f371f209.json 
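Review bot: The `description` of this new relationship appears to end with a stray space before the closing quote (`...(Citation: LinkedIn Dmitry LightSpy 2025) "`), unlike the other descriptions in this patch. Consumers that hash or compare description text, or that match the trailing `(Citation: …)` marker with an end-anchored pattern, will treat this object differently from its siblings. Trimming the value so it ends `...(Citation: LinkedIn Dmitry LightSpy 2025)"` keeps it consistent.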
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--963aa09e-ccfc-4345-8e19-15ca3db8df3c", + "id": "bundle--67208a50-a380-4ad2-8314-664f45785242", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:48:05.159Z", + "modified": "2025-04-16T21:50:37.983Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a3c4b392-2879-4f31-9431-3398e034851b.json b/mobile-attack/relationship/relationship--a3c4b392-2879-4f31-9431-3398e034851b.json index 093114f22e..65c4a9d1ee 100644 --- a/mobile-attack/relationship/relationship--a3c4b392-2879-4f31-9431-3398e034851b.json +++ b/mobile-attack/relationship/relationship--a3c4b392-2879-4f31-9431-3398e034851b.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--1b19e105-8c8c-4969-ad28-4ee9a5b4802b", + "id": "bundle--cdc3ebdf-ac47-4fb5-9098-bb8c59867f4f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a3c4b392-2879-4f31-9431-3398e034851b", "created": "2022-04-06T13:52:37.470Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:38.228Z", "description": "Users should be cautioned against granting administrative access to applications.", - "modified": "2022-04-06T13:52:37.470Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c.json b/mobile-attack/relationship/relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c.json index d31b971357..b272c6befa 100644 --- a/mobile-attack/relationship/relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c.json +++ b/mobile-attack/relationship/relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--2997f088-da87-49aa-8169-d14953dbb633", + "id": "bundle--b67d8042-91e9-4c97-a979-0d3a2966bcc9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a3c9d5d6-acc5-46e9-9e4f-b078aeac553c", "created": "2020-12-14T14:52:03.385Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Sophos Red Alert 2.0", - "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", - "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:38.417Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can fetch a backup C2 domain from Twitter if the primary C2 is unresponsive.(Citation: Sophos Red Alert 2.0)", - "modified": "2022-04-20T17:56:51.457Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] 
} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d.json b/mobile-attack/relationship/relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d.json index 5c5fb2f757..e9af674c45 100644 --- a/mobile-attack/relationship/relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d.json +++ b/mobile-attack/relationship/relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--fc799cf0-c8ea-42c0-a628-86bd9e90ddc2", + "id": "bundle--f67ecd9f-977b-4258-8ebb-45565ccd4d4c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d", "type": "relationship", + "id": "relationship--a3f36e9e-e2f4-4745-a9a3-0d1231db116d", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", - "source_name": "Kaspersky-Skygofree" + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], - "modified": "2019-08-09T18:08:07.183Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:38.616Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can download executable code from the C2 server after the implant starts or after a specific command.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3.json b/mobile-attack/relationship/relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3.json index 94f5841e0d..048cb0a667 100644 --- a/mobile-attack/relationship/relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3.json +++ b/mobile-attack/relationship/relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--c012b348-ce86-4bcc-9f85-c44816f53d7b", + "id": "bundle--48881dd4-411e-4295-bb76-f00c14a4ac99", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a427ce33-d1e1-4c38-a024-e44fc00033d3", "created": "2020-12-14T14:52:03.283Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Sophos Red Alert 2.0", - "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", - "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:38.816Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP requests over port 7878.(Citation: Sophos Red Alert 2.0)", - "modified": "2022-04-20T16:43:23.973Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No 
newline at end of file diff --git a/mobile-attack/relationship/relationship--a451966b-f826-422b-9505-f564b9988a9c.json b/mobile-attack/relationship/relationship--a451966b-f826-422b-9505-f564b9988a9c.json index 6a2e41e90e..53815de363 100644 --- a/mobile-attack/relationship/relationship--a451966b-f826-422b-9505-f564b9988a9c.json +++ b/mobile-attack/relationship/relationship--a451966b-f826-422b-9505-f564b9988a9c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--831f3362-2b15-4bc4-ba19-c2ee9cafbd51", + "id": "bundle--f4684f1a-e89c-42e7-883d-e2b4b1799a92", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:27:39.012Z", + "modified": "2025-04-16T21:50:39.015Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used both FTP and TCP sockets for data exfiltration.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a466f8f0-c9da-46d1-80d0-b8654e727526.json b/mobile-attack/relationship/relationship--a466f8f0-c9da-46d1-80d0-b8654e727526.json index 9660a3c720..5beb16bd9e 100644 --- a/mobile-attack/relationship/relationship--a466f8f0-c9da-46d1-80d0-b8654e727526.json +++ b/mobile-attack/relationship/relationship--a466f8f0-c9da-46d1-80d0-b8654e727526.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--6305996f-b877-42be-b800-3fa5f48385d9", + "id": "bundle--e6d235a2-31c8-44cd-9e7a-98ff3f2be369", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a466f8f0-c9da-46d1-80d0-b8654e727526", "created": "2023-08-04T18:33:37.920Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:33:37.920Z", + "modified": "2025-04-16T21:50:39.232Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate a list of installed applications.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8.json b/mobile-attack/relationship/relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8.json index f733d0c07a..ab2ef6fb64 100644 --- a/mobile-attack/relationship/relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8.json +++ b/mobile-attack/relationship/relationship--a46c3b05-07d5-461c-b1b1-4a81912b79f8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eca33dc8-d406-40a6-b2c1-c8e27f9a3efd", + "id": "bundle--61bcb218-ae21-473a-ab17-d198a9ff955c", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:21:10.915Z", + "modified": "2025-04-16T21:50:39.435Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect device information such as manufacturer, model, version, serial number, and telephone number.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d.json b/mobile-attack/relationship/relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d.json index 167b4421bb..5d9610f858 100644 --- a/mobile-attack/relationship/relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d.json +++ b/mobile-attack/relationship/relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--6876e623-0c51-4c43-ac05-13bff0d5ad0a", + "id": "bundle--fe2a8b37-4ae7-4185-9206-f0a5ec0b54bc", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a4e72b4f-7ee4-4ee3-82c9-acc3aedb1f2d", "created": "2023-12-18T18:09:34.167Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -23,16 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:09:34.167Z", + "modified": "2025-04-16T21:50:39.632Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can insert a given string of text into a data field. [BRATA](https://attack.mitre.org/software/S1094) can abuse the Accessibility Service to interact with other installed applications and inject screen taps to grant permissions.(Citation: securelist_brata_0819)(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9.json b/mobile-attack/relationship/relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9.json index 5945b9b990..f067319d05 100644 --- a/mobile-attack/relationship/relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9.json +++ b/mobile-attack/relationship/relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d9309ebf-ed57-4f50-9f11-ad1ce7b5fc28", + "id": "bundle--b2b34f5e-6bb2-43d2-9c4e-09353db94b5f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9", "type": "relationship", + "id": "relationship--a501b700-250f-4e9a-a20f-656ae9bf90f9", "created": "2020-12-24T21:55:56.753Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:55:56.753Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:39.840Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used exploit tools to gain root, such as TowelRoot.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a.json b/mobile-attack/relationship/relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a.json index 51fa674e0f..deb641a1e9 100644 --- a/mobile-attack/relationship/relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a.json +++ b/mobile-attack/relationship/relationship--a503ca06-7f98-4ab4-a8fc-ff55c3da7f0a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69bb4dd4-70ab-4a7d-9ec1-01129c0e4c71", + "id": "bundle--26413dda-4762-47cc-ab98-b03e3239c36c", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:48:18.023Z", + "modified": "2025-04-16T21:50:40.035Z", "description": "[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) has registered to receive the `BOOT_COMPLETED` broadcast intent to activate on device startup.(Citation: WeLiveSecurity AdDisplayAshas)", "relationship_type": "uses", "source_ref": "malware--f7e7b736-2cff-4c2a-9232-352cd383463a", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a54c8c09-c849-4146-a7cc-158887222a6d.json b/mobile-attack/relationship/relationship--a54c8c09-c849-4146-a7cc-158887222a6d.json index 6a9f7605f0..726795f2e5 100644 --- a/mobile-attack/relationship/relationship--a54c8c09-c849-4146-a7cc-158887222a6d.json +++ b/mobile-attack/relationship/relationship--a54c8c09-c849-4146-a7cc-158887222a6d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ec45e1c-d5f5-412d-941f-ffd786da74d2", + "id": "bundle--1f0096b2-381b-4e15-955f-369068ec22c4", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:15:05.454Z", + "modified": "2025-04-16T21:50:40.234Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access SMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a563fc97-a452-4348-a831-f4fb55c71e35.json b/mobile-attack/relationship/relationship--a563fc97-a452-4348-a831-f4fb55c71e35.json index 27a20bbb72..96a85f8f14 100644 --- a/mobile-attack/relationship/relationship--a563fc97-a452-4348-a831-f4fb55c71e35.json +++ b/mobile-attack/relationship/relationship--a563fc97-a452-4348-a831-f4fb55c71e35.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--48537677-7f42-4ac3-b09f-4a35d57c062b", + "id": "bundle--4c9e5f24-888c-4dbc-9204-09164f075938", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a563fc97-a452-4348-a831-f4fb55c71e35", "created": "2023-03-03T16:22:45.712Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:22:45.712Z", + "modified": "2025-04-16T21:50:40.437Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used fake Verisign and Symantec certificates to bypass malware detection systems. [YiSpecter](https://attack.mitre.org/software/S0311) has also signed malicious apps with iOS enterprise certificates to work on non-jailbroken iOS devices.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e.json b/mobile-attack/relationship/relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e.json index bebce34504..5e6a06c0fb 100644 --- a/mobile-attack/relationship/relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e.json +++ b/mobile-attack/relationship/relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--466670ce-7ea9-436b-b6e3-926b3d05ab9c", + "id": "bundle--9de37e00-5a45-4e07-b13a-273891c32e5f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a585e2dd-83c9-461c-8631-25d58c6ba74e", "created": "2023-12-05T22:15:36.939Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-05T22:15:36.939Z", + "modified": "2025-04-16T21:50:40.639Z", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a5b37f26-7629-4195-9536-12e349e5843b.json b/mobile-attack/relationship/relationship--a5b37f26-7629-4195-9536-12e349e5843b.json index 8e68830922..950928d6d9 100644 --- a/mobile-attack/relationship/relationship--a5b37f26-7629-4195-9536-12e349e5843b.json +++ b/mobile-attack/relationship/relationship--a5b37f26-7629-4195-9536-12e349e5843b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6766a72-4cac-43eb-abae-003496b77fdb", + "id": "bundle--f9444832-4d18-450d-bb0d-80b56f21b83a", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T14:54:47.199Z", + "modified": "2025-04-16T21:50:40.830Z", "description": "Application vetting services could look for applications attempting to get `android.os.SystemProperties` or `getprop` with the runtime `exec()` commands. This could indicate some level of sandbox evasion, as Google recommends against using system properties within applications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a5b72279-f99e-4f03-8669-04322b40ee6b.json b/mobile-attack/relationship/relationship--a5b72279-f99e-4f03-8669-04322b40ee6b.json index f4a232321f..69d8b287d3 100644 --- a/mobile-attack/relationship/relationship--a5b72279-f99e-4f03-8669-04322b40ee6b.json +++ b/mobile-attack/relationship/relationship--a5b72279-f99e-4f03-8669-04322b40ee6b.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--5d1c014e-ea1d-412b-98f5-e8c4717be3b5", + "id": "bundle--e574182f-e4e4-4742-823c-671dd0f428db", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b", "type": "relationship", + "id": "relationship--a5b72279-f99e-4f03-8669-04322b40ee6b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/" } ], - "modified": "2020-07-20T13:49:03.710Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:41.018Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) loads an encrypted DEX code payload.(Citation: TrendMicro-XLoader)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d.json b/mobile-attack/relationship/relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d.json index b36c92343f..cc7a511188 100644 --- a/mobile-attack/relationship/relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d.json +++ b/mobile-attack/relationship/relationship--a5dac41f-4a16-44ea-b279-b84c927ce62d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc913596-a26c-4c89-aaec-7e222daf4aba", + "id": "bundle--0ac85dd3-8cb3-4174-9769-e55b09d82aa6", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:11:36.853Z", + "modified": "2025-04-16T21:50:41.240Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) communicates with the command and control server using HTTP requests.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b.json b/mobile-attack/relationship/relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b.json index a28e561c94..67b6f49232 100644 --- a/mobile-attack/relationship/relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b.json +++ b/mobile-attack/relationship/relationship--a5f64f9e-3ed9-442b-a244-9857b926d93b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f9c55ff3-9712-477c-a69c-e1b8ca554186", + "id": "bundle--af29f35d-a315-42da-b99a-21cb09472ad7", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:03:56.766Z", + "modified": "2025-04-16T21:50:41.425Z", "description": "Mobile threat defense agents could detect unauthorized operating system modifications by using attestation.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a609b20b-6955-4c59-84d4-a3496d95fba1.json b/mobile-attack/relationship/relationship--a609b20b-6955-4c59-84d4-a3496d95fba1.json index 6bac252d84..5b6eb31bfe 100644 --- a/mobile-attack/relationship/relationship--a609b20b-6955-4c59-84d4-a3496d95fba1.json +++ b/mobile-attack/relationship/relationship--a609b20b-6955-4c59-84d4-a3496d95fba1.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--23189102-6928-408e-bcd1-cf1b4da85f32", + "id": "bundle--35bd9c2b-9189-40f4-9a52-347f6df69874", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a609b20b-6955-4c59-84d4-a3496d95fba1", "created": "2023-12-18T18:18:05.554Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:18:05.554Z", + "modified": "2025-04-16T21:50:41.626Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has compressed data with the `zlib` library before exfiltration.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860.json b/mobile-attack/relationship/relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860.json index c9eb349bf9..853a9531dd 100644 --- a/mobile-attack/relationship/relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860.json +++ b/mobile-attack/relationship/relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--d391e987-d62a-4362-9ff1-aa25d9b05c4c", + "id": "bundle--34f59192-0588-4507-bb2e-154f23769a6f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a617fa0d-0dfc-432a-95f5-94ee4ae63860", "created": "2023-12-18T19:07:14.211Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:07:14.211Z", + "modified": "2025-04-16T21:50:41.823Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can record the screen.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2.json b/mobile-attack/relationship/relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2.json index b67d1de0a7..367de412e4 100644 --- a/mobile-attack/relationship/relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2.json +++ b/mobile-attack/relationship/relationship--a63bafb6-6647-410f-8673-a53ef2dee5e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d8f0554e-4dd3-4b41-963e-b549af41073d", + "id": "bundle--61a98d5a-1d81-421c-a884-9e76c6411751", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:52:46.975Z", + "modified": "2025-04-16T21:50:42.033Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can modify the SELinux enforcement mode.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072.json b/mobile-attack/relationship/relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072.json index 42e062c403..f137bf59b2 100644 --- a/mobile-attack/relationship/relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072.json +++ b/mobile-attack/relationship/relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7e08241b-4bac-47c6-86ce-c3cea4384771", + "id": "bundle--04dd11e8-7547-48b7-a0f5-0c20d3437c70", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072", "type": "relationship", + "id": "relationship--a67c5611-00bc-4e1a-a1be-2512a2bcf072", "created": "2020-09-11T15:14:34.064Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SMS KitKat", - "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html", - "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020." + "description": "S.Main, D. Braun. (2013, October 14). Getting Your SMS Apps Ready for KitKat. Retrieved September 11, 2020.", + "url": "https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html" } ], - "modified": "2020-10-22T17:04:15.708Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:42.277Z", "description": "Users should be encouraged to be very careful with what applications they grant SMS access to. Further, users should not change their default SMS handler to applications they do not recognize.(Citation: SMS KitKat)", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a68b17af-5277-4722-9a2d-0924f07ca421.json b/mobile-attack/relationship/relationship--a68b17af-5277-4722-9a2d-0924f07ca421.json index f77431ebe1..dc8002c4e7 100644 --- a/mobile-attack/relationship/relationship--a68b17af-5277-4722-9a2d-0924f07ca421.json +++ b/mobile-attack/relationship/relationship--a68b17af-5277-4722-9a2d-0924f07ca421.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--d65121c1-756a-4356-af9b-68fa3c9e5300", + "id": "bundle--557ffa27-aa3e-48de-9ff8-5ce72bb59a0e", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a68b17af-5277-4722-9a2d-0924f07ca421", "created": "2023-12-18T18:12:15.138Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:12:15.138Z", + "modified": "2025-04-16T21:50:42.470Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can view a device through VNC.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2.json b/mobile-attack/relationship/relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2.json index beabafd818..3ff325ad10 100644 
--- a/mobile-attack/relationship/relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2.json +++ b/mobile-attack/relationship/relationship--a6bb6c55-3b33-4cd4-981b-055551edc4c2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e2f921ce-06d3-4f34-b040-5fc966772f8b", + "id": "bundle--36cc5be9-ba1f-4744-b65e-4bc7e2bde134", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:55:39.648Z", + "modified": "2025-04-16T21:50:42.674Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a Domain Generation Algorithm to decode the C2 server location.(Citation: nccgroup_sharkbot_0322) ", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943.json b/mobile-attack/relationship/relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943.json index 0ebf892c0d..c8f5e02d43 100644 --- a/mobile-attack/relationship/relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943.json +++ b/mobile-attack/relationship/relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--985a8a2f-c8c2-4134-992e-a46a17cd6181", + "id": "bundle--2a8e9764-9946-450d-acd6-37c451c6a317", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943", "type": "relationship", + "id": "relationship--a7336f2c-8f89-4d54-ac2b-77743afb2943", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "source_name": "Lookout-StealthMango" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-10-15T19:44:36.177Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:42.860Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collects and uploads information about changes in SIM card or phone numbers on the device.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a76d731b-484c-442a-b1a3-255d8398aefd.json b/mobile-attack/relationship/relationship--a76d731b-484c-442a-b1a3-255d8398aefd.json index 42825546e5..292dbf36ac 100644 
--- a/mobile-attack/relationship/relationship--a76d731b-484c-442a-b1a3-255d8398aefd.json +++ b/mobile-attack/relationship/relationship--a76d731b-484c-442a-b1a3-255d8398aefd.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--70033d67-57cf-40d6-96ed-cf7e16a257d5", + "id": "bundle--ae5be247-a789-4b6b-9f15-7d40f355f984", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a76d731b-484c-442a-b1a3-255d8398aefd", "type": "relationship", + "id": "relationship--a76d731b-484c-442a-b1a3-255d8398aefd", "created": "2019-10-10T15:22:52.545Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], - "modified": "2019-10-10T15:22:52.545Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:43.048Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can collect passwords for Wi-Fi networks and online accounts, including Skype, Facebook, Twitter, Google, WhatsApp, Mail, and LinkedIn.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360.json b/mobile-attack/relationship/relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360.json index 68ebdc0db7..8192a9278f 100644 
--- a/mobile-attack/relationship/relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360.json +++ b/mobile-attack/relationship/relationship--a772d1fc-e2d1-4553-b93f-12412cdc8360.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f989f837-0e05-490b-b16d-78630719c17d", + "id": "bundle--c088dff0-6fd6-49ca-9df0-592345f03246", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:52:18.036Z", + "modified": "2025-04-16T21:50:43.270Z", "description": "The user can view applications that have registered accessibility services in the accessibility menu within the device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d.json b/mobile-attack/relationship/relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d.json index 226e202821..02a6a5cb94 100644 --- a/mobile-attack/relationship/relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d.json +++ b/mobile-attack/relationship/relationship--a7b276ac-6f07-4d1f-8d24-dc5682acf62d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3de7d32f-a14c-4f2e-be7d-1d86bdf42279", + "id": "bundle--21c5ec37-6888-4fab-8bdf-c973c84b5f2f", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:13:36.481Z", + "modified": "2025-04-16T21:50:43.463Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses calendar entries.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c.json b/mobile-attack/relationship/relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c.json index 335cea7928..2ca1c61d4d 100644 --- a/mobile-attack/relationship/relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c.json +++ b/mobile-attack/relationship/relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c.json 
@@ -1,22 +1,22 @@ { "type": "bundle", - "id": "bundle--15fa7e48-225f-46e1-820e-30c6eaeb35ff", + "id": "bundle--ea4643f5-cf6a-47c6-b68e-93541ea8c7f3", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--a7cc0168-247d-4a6d-b6f4-d5a04f99216c", - "type": "relationship", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2018-10-17T00:14:20.652Z", + "modified": "2025-04-16T21:50:43.676Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b928b94a-4966-4e2a-9e61-36505b896ebc", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892.json b/mobile-attack/relationship/relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892.json index 54322e005f..5147c0c5f2 100644 --- a/mobile-attack/relationship/relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892.json +++ b/mobile-attack/relationship/relationship--a8079e6a-ef87-4e3b-9f71-cf1ea2360892.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c577c322-bf39-4221-acf3-d5f2d50ad7da", + "id": "bundle--d02c6b93-1a31-49e7-884a-5334e558eaca", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:53:24.312Z", + "modified": "2025-04-16T21:50:43.860Z", "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted contact lists.(Citation: NYTimes-BackDoor)", "relationship_type": "uses", "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a808c887-b2b8-4b05-9cab-47c918e48d48.json b/mobile-attack/relationship/relationship--a808c887-b2b8-4b05-9cab-47c918e48d48.json index 78e353f487..90589f7266 100644 --- a/mobile-attack/relationship/relationship--a808c887-b2b8-4b05-9cab-47c918e48d48.json +++ b/mobile-attack/relationship/relationship--a808c887-b2b8-4b05-9cab-47c918e48d48.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--fc1ffd3a-5185-4408-ba6e-9dd8d26c0a0c", + "id": "bundle--9cf16c47-7572-4502-9159-06ee4b852b55", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a808c887-b2b8-4b05-9cab-47c918e48d48", "type": "relationship", + "id": "relationship--a808c887-b2b8-4b05-9cab-47c918e48d48", "created": "2020-12-14T15:02:35.257Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", - "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", - "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], - "modified": "2020-12-14T15:02:35.257Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:44.052Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can send SMS messages from compromised devices.(Citation: Securelist Asacub) ", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03.json b/mobile-attack/relationship/relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03.json index d311909b24..ec3249ca1e 100644 
--- a/mobile-attack/relationship/relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03.json +++ b/mobile-attack/relationship/relationship--a81431c4-ac34-4b63-9647-eb7c8e529e03.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dea58c72-ec8b-411e-869e-74b871aef84b", + "id": "bundle--66b983a6-79cc-4eec-974a-343670f700e9", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:14:46.472Z", + "modified": "2025-04-16T21:50:44.274Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can access call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7.json b/mobile-attack/relationship/relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7.json index 56674c188d..86e1e7174d 100644 --- a/mobile-attack/relationship/relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7.json +++ b/mobile-attack/relationship/relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--34b6cc3e-f5c2-4d83-a41b-1f79efcc4f38", + "id": "bundle--05a36f19-3266-4395-8204-42ec83d39d22", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7", "type": "relationship", + "id": "relationship--a82d3cfb-7ef2-4e39-a6e1-3097d7b106f7", "created": "2019-03-11T15:13:40.425Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "TrendMicro-Anserver2", "description": "Karl Dominguez. (2011, September 27). ANDROIDOS_ANSERVER.A. Retrieved November 30, 2018.", - "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A", - "source_name": "TrendMicro-Anserver2" + "url": "https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/ANDROIDOS_ANSERVER.A" } ], - "modified": "2019-10-15T19:55:04.517Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:44.484Z", "description": "[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) gathers the device OS version, device build version, manufacturer, and model.(Citation: TrendMicro-Anserver2)", "relationship_type": "uses", "source_ref": "malware--4bf6ba32-4165-42c1-b911-9c36165891c8", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a8565c17-7054-4d3f-bca5-6e17dc931491.json b/mobile-attack/relationship/relationship--a8565c17-7054-4d3f-bca5-6e17dc931491.json index 843ebc1dfe..b587dd3b9b 100644 
--- a/mobile-attack/relationship/relationship--a8565c17-7054-4d3f-bca5-6e17dc931491.json +++ b/mobile-attack/relationship/relationship--a8565c17-7054-4d3f-bca5-6e17dc931491.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f28b7869-da7e-4c60-b480-01e1a48dc856", + "id": "bundle--ed1fc689-5c3b-44ee-a318-07cd658cb622", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--a8565c17-7054-4d3f-bca5-6e17dc931491", "created": "2023-03-03T16:20:08.033Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:20:08.033Z", + "modified": "2025-04-16T21:50:44.683Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has used private APIs to download and install other pieces of itself, as well as other malicious apps. (Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5.json b/mobile-attack/relationship/relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5.json index abcf4630c0..c4640d60bf 100644 --- a/mobile-attack/relationship/relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5.json +++ b/mobile-attack/relationship/relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--63b1d01b-d5c0-49c7-9f5c-6ceccb9388e5", + "id": "bundle--229e34e0-22f9-49d9-8309-5feb308c4730", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5", "type": "relationship", + "id": "relationship--a87fa426-3968-4d3b-8f8d-8e3c3a9c32f5", "created": "2019-09-03T20:08:00.764Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "source_name": "Talos Gustuff Apr 2019" + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], - "modified": "2019-09-15T15:35:33.379Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:44.891Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) gathers information about the device, including the default SMS application, if SafetyNet is enabled, the battery level, the operating system version, and if the malware has elevated permissions.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84.json b/mobile-attack/relationship/relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84.json
index 52d8d3800f..d4ef8d2eb9 100644
--- a/mobile-attack/relationship/relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84.json
+++ b/mobile-attack/relationship/relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7c44bd46-d5b3-4f87-b23a-443c39b84ae9", + "id": "bundle--39f8ba2d-eeb0-4049-82f4-6b33a3f20697", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84", "type": "relationship", + "id": "relationship--a8ac5084-5631-4670-8ac6-6fbe7bdb0a84", "created": "2019-07-10T15:35:43.708Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", - "source_name": "Lookout Dark Caracal Jan 2018" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-08-09T18:06:11.797Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:45.098Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388.json b/mobile-attack/relationship/relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388.json index 3fdadc2596..e0d59fb933 100644 --- a/mobile-attack/relationship/relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388.json +++ b/mobile-attack/relationship/relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--84192f07-8431-4890-91a2-4aa8d9bf5eb6", + "id": "bundle--1924e163-2bb1-443b-b493-bba09ccdaa82", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a8bf6bbd-88f0-4725-ba4f-3b9317dca388", "created": "2022-03-30T20:36:18.656Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:45.328Z", "description": "Attestation can typically detect rooted devices. For MDM-enrolled devices, action can be taken if a device fails an attestation check. ", - "modified": "2022-03-30T20:36:18.656Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce.json b/mobile-attack/relationship/relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce.json index d33da8ca72..9b1f29757c 100644 --- a/mobile-attack/relationship/relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce.json +++ b/mobile-attack/relationship/relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--c104892a-23bc-46d5-b6ee-5b16111dcc15", + "id": "bundle--211082dc-a49b-48e4-ad48-512c428c4dc1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a8c21a71-f3e9-43e9-9212-faf9181e70ce", "created": "2022-04-01T18:42:50.381Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:45.524Z", "description": "Providing user guidance around commonly abused features, such as the modal that requests for administrator permissions, should aid in preventing impairing defenses.", - "modified": "2022-04-01T18:42:50.381Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c.json b/mobile-attack/relationship/relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c.json index 5bbfdb4c67..77d3cde14a 100644 --- a/mobile-attack/relationship/relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c.json +++ b/mobile-attack/relationship/relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--10c30eeb-4a64-4fde-a737-39e518902a8c", + "id": "bundle--ff8673ea-7970-4a22-9ca4-1b32c743c1dc", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c", "type": "relationship", + "id": "relationship--a8dd6ed7-910d-4bae-a2a8-19f3f32c915c", "created": "2019-09-23T13:36:08.390Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "source_name": "securelist rotexy 2018" + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], - "modified": "2019-10-14T20:49:24.646Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:45.732Z", "description": "Starting in 2017, the [Rotexy](https://attack.mitre.org/software/S0411) DEX file was packed with garbage strings and/or operations.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a92a805e-d5f5-4e94-8592-c253e03e4476.json b/mobile-attack/relationship/relationship--a92a805e-d5f5-4e94-8592-c253e03e4476.json index 657a8c7b2c..b0e5a74e98 100644 
--- a/mobile-attack/relationship/relationship--a92a805e-d5f5-4e94-8592-c253e03e4476.json
+++ b/mobile-attack/relationship/relationship--a92a805e-d5f5-4e94-8592-c253e03e4476.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--0957ff9a-e166-4b6a-8de9-b9ca77c70a48", + "id": "bundle--902e99e9-af5c-4537-a872-8992c2f6de66", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--a92a805e-d5f5-4e94-8592-c253e03e4476", "created": "2022-03-31T19:51:15.415Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android Package Visibility", - "url": "https://developer.android.com/training/package-visibility", - "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022." + "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022.", + "url": "https://developer.android.com/training/package-visibility" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:45.924Z", "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)", - "modified": "2022-04-11T19:19:34.658Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--1d44f529-6fe6-489f-8a01-6261ac43f05e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a93ee044-bd5d-48f3-972e-0abab780c35c.json b/mobile-attack/relationship/relationship--a93ee044-bd5d-48f3-972e-0abab780c35c.json index a7388c40f2..5b309d3d89 100644 --- a/mobile-attack/relationship/relationship--a93ee044-bd5d-48f3-972e-0abab780c35c.json +++ b/mobile-attack/relationship/relationship--a93ee044-bd5d-48f3-972e-0abab780c35c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fd770f85-b15b-441d-8dff-f9937882907a", + "id": "bundle--10e02d61-f3e1-49be-985d-e1d2d911c4c2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:21:22.070Z", + "modified": "2025-04-16T21:50:46.122Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can steal information via malicious JavaScript.(Citation: trendmicro_tianyspy_0122)", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a95fe853-d1d1-47dc-a776-b905daacfe32.json b/mobile-attack/relationship/relationship--a95fe853-d1d1-47dc-a776-b905daacfe32.json index 58370004d0..93556b72ff 100644 --- a/mobile-attack/relationship/relationship--a95fe853-d1d1-47dc-a776-b905daacfe32.json +++ b/mobile-attack/relationship/relationship--a95fe853-d1d1-47dc-a776-b905daacfe32.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--599817b7-8116-4736-90bd-752ee4c67e71", + "id": "bundle--f93045eb-22d6-422b-a270-73b86808b2c3", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:11:53.609Z", + "modified": "2025-04-16T21:50:46.339Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) has used Firebase Cloud Messaging for C2.(Citation: ESET DEFENSOR ID) ", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530.json b/mobile-attack/relationship/relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530.json index e94e45befc..2ca2c267db 100644 --- a/mobile-attack/relationship/relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530.json +++ b/mobile-attack/relationship/relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c98801ab-2c82-45b7-920b-e7f276fcf927", + "id": "bundle--29554f41-f8e3-41d4-90aa-e6882dbbf8f8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530", "type": "relationship", + "id": "relationship--a9689f2c-ad8f-4861-8cad-d78e07fd1530", "created": "2020-01-27T17:05:58.213Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "source_name": "Trend Micro Bouncing Golf 2019" + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-01-27T17:05:58.213Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:46.525Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of installed applications.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9.json b/mobile-attack/relationship/relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9.json index 28a127ee50..cab4e0c298 100644 --- a/mobile-attack/relationship/relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9.json +++ b/mobile-attack/relationship/relationship--a98c127b-8da9-4ea5-980e-d154ea541ec9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--33e92b17-0123-482f-9447-2f017594973b", + "id": "bundle--2726ebfe-c3a6-4098-82c1-ec574e2e3e00", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-15T15:06:03.429Z", + "modified": "2025-04-16T21:50:46.741Z", "description": "Filtering requests by checking request origin information may provide some defense against spurious operators.(Citation: CSRIC5-WG10-FinalReport) ", "relationship_type": "mitigates", "source_ref": "course-of-action--e829ee51-1caf-4665-ba15-7f8979634124", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c.json b/mobile-attack/relationship/relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c.json index fd4a539810..9c9a74e375 100644 --- a/mobile-attack/relationship/relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c.json +++ b/mobile-attack/relationship/relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f7784f8f-0085-4991-b0dd-c557a933da5f", + "id": "bundle--a32ea2c0-31ff-4d0e-a619-2d67c0c9cd3b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c", "type": "relationship", + "id": "relationship--a9e97a14-ea3c-47b1-a865-0a1edea9c81c", "created": "2021-02-17T20:43:52.410Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], - "modified": "2021-02-17T20:43:52.410Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:46.932Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has searched for pdf, doc, docx, ppt, pptx, xls, and xlsx file types for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0.json b/mobile-attack/relationship/relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0.json index 949fcb7067..2076f3dc95 100644 --- a/mobile-attack/relationship/relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0.json +++ b/mobile-attack/relationship/relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0.json 
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--22456e58-c455-4d1c-a45d-b6177d5a1748", + "id": "bundle--864a8c65-8bdd-4476-b395-61da8e98f3fe", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--aa1deed1-800c-470b-ac88-eb8013c11ec0", "created": "2019-09-03T20:08:00.711Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Group IB Gustuff Mar 2019", - "url": "https://www.group-ib.com/blog/gustuff", - "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019." + "description": "Group-IB. (2019, March 28). Group-IB uncovers Android Trojan named \u00abGustuff\u00bb capable of targeting more than 100 global banking apps, cryptocurrency and marketplace applications. Retrieved September 3, 2019.", + "url": "https://www.group-ib.com/blog/gustuff" }, { "source_name": "Talos Gustuff Apr 2019", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019." + "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . 
Retrieved September 3, 2019.", + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:47.115Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) uses WebView overlays to prompt the user for their device unlock code, as well as banking and cryptocurrency application credentials. [Gustuff](https://attack.mitre.org/software/S0406) can also send push notifications pretending to be from a bank, triggering a phishing overlay.(Citation: Talos Gustuff Apr 2019)(Citation: Group IB Gustuff Mar 2019)", - "modified": "2022-04-19T19:42:17.904Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0.json b/mobile-attack/relationship/relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0.json index d4f93f37b4..159682fbe5 100644 --- a/mobile-attack/relationship/relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0.json +++ b/mobile-attack/relationship/relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--646ed911-a5fc-401f-adae-8af25efe4cdd", + "id": "bundle--9fd029dc-eb45-4cd0-9756-2100bd684293", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--aa40d01f-0741-4bf2-bacd-75e1f3a77af0", "created": "2022-04-01T16:52:03.322Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:47.328Z", "description": "", - "modified": "2022-04-01T16:52:03.322Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aa468fe9-e580-41da-a888-100a799e8c6b.json b/mobile-attack/relationship/relationship--aa468fe9-e580-41da-a888-100a799e8c6b.json index 5066ad0197..17427a54c9 100644 --- a/mobile-attack/relationship/relationship--aa468fe9-e580-41da-a888-100a799e8c6b.json +++ b/mobile-attack/relationship/relationship--aa468fe9-e580-41da-a888-100a799e8c6b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b4b570d9-da9f-4e31-827b-2ecd43badf99", + "id": "bundle--ce7837e8-909f-4498-8515-a3d8d020870e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-02T19:00:02.189Z", + "modified": "2025-04-16T21:50:47.512Z", "description": "[UNC788](https://attack.mitre.org/groups/G1029) has used phishing and social engineering to distribute malware.(Citation: Meta Adversarial Threat Report 2022)", "relationship_type": "uses", "source_ref": "intrusion-set--1f322d74-4822-4d60-8f64-414eea8a9258", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4.json b/mobile-attack/relationship/relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4.json new file mode 100644 index 0000000000..b0fd66fe35 --- /dev/null +++ b/mobile-attack/relationship/relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--10644eb5-98b5-40be-b43c-fdcf2cc85fce", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--aa490344-f7e0-4e5a-abb1-af9209f15ce4", + "created": "2024-03-26T19:36:18.184Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:47.738Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can receive Command and Control commands from SMS messages.(Citation: welivesecurity_apt-c-23)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5.json b/mobile-attack/relationship/relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5.json index 82cfb8f901..0f8a129f10 100644 --- a/mobile-attack/relationship/relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5.json +++ b/mobile-attack/relationship/relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--ec2eb693-0553-4f9b-87ac-4f9810881577", + "id": "bundle--2c728f8d-b7b7-41ac-aed3-d9272dbd8349", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--aa5877fd-ef7d-435e-86af-c427f086b3c5", "created": "2019-08-08T18:47:57.655Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android 10 Privacy Changes", - "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data", - "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019." + "description": "Android Developers. (n.d.). Privacy changes in Android 10. Retrieved September 11, 2019.", + "url": "https://developer.android.com/about/versions/10/privacy/changes#clipboard-data" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:47.935Z", "description": "Android 10 introduced changes to prevent applications from accessing clipboard data if they are not in the foreground or set as the device\u2019s default IME.(Citation: Android 10 Privacy Changes) ", - "modified": "2022-04-01T16:35:38.189Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--c4b96c0b-cb58-497a-a1c2-bb447d79d692", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443.json b/mobile-attack/relationship/relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443.json
index d25adac98c..62c1a30dbc 100644
--- a/mobile-attack/relationship/relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443.json
+++ b/mobile-attack/relationship/relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--0daaee6f-1c2c-47a5-869c-9f175104bfc7", + "id": "bundle--8a9d6bff-2dab-47e6-b8cb-5abb62512359", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--aa628e44-ff05-4ac9-bb0b-11c22384a443", "created": "2020-07-20T13:49:03.676Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", - "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:48.130Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has fetched its C2 address from encoded Twitter names, as well as Instagram and Tumblr.(Citation: TrendMicro-XLoader-FakeSpy)", - "modified": "2022-04-20T17:58:16.567Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c.json b/mobile-attack/relationship/relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c.json new file mode 100644 index 0000000000..60d6d2eb34 --- /dev/null +++ b/mobile-attack/relationship/relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--85de2f53-ed24-4244-9851-1f6055e2d186", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--aa65aa77-ce74-49fd-8295-c5b7395a703c", + "created": "2025-03-24T20:12:30.934Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:48.335Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has collected and exfiltrated files from messaging applications, such as Telegram, QQ, WeChat, and Whatsapp, and browser history from Chrome and Safari.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a.json b/mobile-attack/relationship/relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a.json index d863e6352b..1c4af35fe4 100644 --- a/mobile-attack/relationship/relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a.json +++ b/mobile-attack/relationship/relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--c1348e11-f366-453e-8e3a-c5de93ca0ca3", + "id": "bundle--8834ee18-ef2b-4edc-9399-a2044805d3b4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a", "type": "relationship", + "id": "relationship--aa8e45c2-4276-451b-b1eb-59c396bf720a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/" } ], - "modified": "2019-10-10T15:18:51.154Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:48.536Z", "description": "[Gooligan](https://attack.mitre.org/software/S0290) executes Android root exploits.(Citation: Gooligan Citation)", "relationship_type": "uses", "source_ref": "malware--20d56cd6-8dff-4871-9889-d32d254816de", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01.json b/mobile-attack/relationship/relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01.json new file mode 100644 index 0000000000..e0df4f6c51 --- /dev/null +++ b/mobile-attack/relationship/relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--ed446679-d244-48cd-af6e-1d9bd0413456", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--aad084c4-97ea-4f4b-8d96-d18f57534e01", + "created": "2024-03-26T19:38:05.464Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "sophos_android_apt_spyware", + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:48.734Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can communicate with the Command and Control server using HTTPS and Firebase Cloud Messaging (FCM).(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware) ", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33.json b/mobile-attack/relationship/relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33.json index 85d58217de..7629acbb61 100644 --- a/mobile-attack/relationship/relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33.json +++ b/mobile-attack/relationship/relationship--aaf55dd1-33df-4f02-8025-eaae01f30b33.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--00851e49-a8dc-4d91-ad9b-263d5ab51737", + "id": "bundle--6a41392a-7899-4f2f-b69e-05a71c71cdb9", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T16:16:25.430Z", + "modified": "2025-04-16T21:50:48.951Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects contact list information.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ab18ee61-f94a-411c-9893-941714ce713e.json b/mobile-attack/relationship/relationship--ab18ee61-f94a-411c-9893-941714ce713e.json index 70288091cc..f797689f89 100644 --- a/mobile-attack/relationship/relationship--ab18ee61-f94a-411c-9893-941714ce713e.json +++ b/mobile-attack/relationship/relationship--ab18ee61-f94a-411c-9893-941714ce713e.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--04af57e8-354c-4327-8e7b-50fa98e4694f", + "id": "bundle--b0198e97-d19f-4719-b707-aefbbfd0b36e", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:47:05.294Z", + "modified": "2025-04-16T21:50:49.152Z", "description": "Applications could be vetted for their use of the clipboard manager APIs with extra scrutiny given to application that make use of them.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920.json b/mobile-attack/relationship/relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920.json index 4709a6db7d..4d9be00369 100644 --- a/mobile-attack/relationship/relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920.json +++ b/mobile-attack/relationship/relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--02640762-2df3-4de0-8f24-4f29aee0b065", + "id": "bundle--2ed88d60-81d9-4d48-822b-af8455b22cdd", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--ab67b233-2c3d-4ac2-a3f0-13b6484ea920", "created": "2022-04-05T19:46:22.326Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:49.376Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as keyboard registration or accessibility service access.", - "modified": "2022-04-05T19:46:22.326Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0.json b/mobile-attack/relationship/relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0.json index 3565cfdda7..ddca452ab1 100644 --- a/mobile-attack/relationship/relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0.json +++ b/mobile-attack/relationship/relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--03daf176-4076-4b6c-a42b-35a789b372ed", + "id": "bundle--c84a2b79-bc50-46a4-8674-9a086861ee60", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--ab7cd212-7faa-46a8-9666-92a67ae7a6b0", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "", - "modified": "2022-04-06T15:41:16.869Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:49.562Z", + "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--51aedbd6-2837-4d15-aeb0-cb09f2bf22ac", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99.json b/mobile-attack/relationship/relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99.json index f567e9fa55..2a464d63a7 100644 --- a/mobile-attack/relationship/relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99.json +++ b/mobile-attack/relationship/relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--e0c04b67-bcc4-473e-8081-a3ded68b5c92", + "id": "bundle--c0833018-bb85-4d3e-b44e-8346bb01bc27", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--abd2e863-4bd3-4686-b2aa-f8a097a41c99", "created": "2017-10-25T14:48:53.742Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Elcomsoft-iOSRestricted", - "url": "https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/", - "description": "Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. Retrieved September 21, 2018." + "description": "Oleg Afonin. (2018, September 20). iOS 12 Enhances USB Restricted Mode. Retrieved September 21, 2018.", + "url": "https://blog.elcomsoft.com/2018/09/ios-12-enhances-usb-restricted-mode/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:49.765Z", "description": "iOS 11.4.1 and higher introduce USB Restricted Mode, which disables data access through the device's charging port under certain conditions (making the port only usable for power), likely preventing this technique from working.(Citation: Elcomsoft-iOSRestricted)", - "modified": "2022-04-01T15:35:28.360Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--abf03652-acd0-4361-8a66-f7e70e8e4376.json b/mobile-attack/relationship/relationship--abf03652-acd0-4361-8a66-f7e70e8e4376.json index a2d345d9a2..63a15a27fe 100644 --- a/mobile-attack/relationship/relationship--abf03652-acd0-4361-8a66-f7e70e8e4376.json +++ b/mobile-attack/relationship/relationship--abf03652-acd0-4361-8a66-f7e70e8e4376.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1aa86bd3-5351-4a92-9bb3-0bfb89f5e2dd", + "id": "bundle--ea5963e3-179a-44f1-8397-dc165cba5f2f", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:12:12.766Z", + "modified": "2025-04-16T21:50:49.959Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) communicates with the C2 server using HTTPS requests.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783.json b/mobile-attack/relationship/relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783.json index 929b638383..327ec2a609 100644 --- a/mobile-attack/relationship/relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783.json +++ b/mobile-attack/relationship/relationship--abf3b5c8-9ee5-42ff-ba94-2b3a15317783.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--991aabe6-e33b-4154-a7d3-a79736987966", + "id": "bundle--becdc234-c602-4b16-b816-f2a9f5b440d9", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:57:46.908Z", + "modified": "2025-04-16T21:50:50.159Z", "description": "An Android user can view and manage which applications hold the `SYSTEM_ALERT_WINDOW` permission through the device settings in Apps & notifications -> Special app access -> Display over other apps (the exact menu location may vary between Android versions). ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f.json b/mobile-attack/relationship/relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f.json index 23a35fb67a..ef865fc568 100644 --- a/mobile-attack/relationship/relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f.json +++ b/mobile-attack/relationship/relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--ba33324e-3fdf-4048-a737-cde244820f3a", + "id": "bundle--eec63c70-2850-40e4-9975-0a77956b12df", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--ac31f650-4bd2-4bb6-b450-71e66db4888f", "created": "2022-03-30T19:28:55.980Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:50.372Z", "description": "Security updates typically provide patches for vulnerabilities that could be abused by malicious applications.", - "modified": "2022-03-30T19:28:55.980Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ac415e32-e204-4382-b500-2370cec7a608.json b/mobile-attack/relationship/relationship--ac415e32-e204-4382-b500-2370cec7a608.json index 8d96cc5c7f..06fdb7655c 100644 --- a/mobile-attack/relationship/relationship--ac415e32-e204-4382-b500-2370cec7a608.json +++ b/mobile-attack/relationship/relationship--ac415e32-e204-4382-b500-2370cec7a608.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--10e0aa6d-d9bd-4571-8009-ebaa8e745187", + "id": "bundle--df15a373-1caa-47af-8af2-b199dabed6e7", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ac415e32-e204-4382-b500-2370cec7a608", "created": "2023-08-16T16:45:58.547Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:45:58.547Z", + "modified": "2025-04-16T21:50:50.570Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can download new code at runtime.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa.json b/mobile-attack/relationship/relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa.json index 21d93fd26c..3988e568ea 100644 --- a/mobile-attack/relationship/relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa.json +++ b/mobile-attack/relationship/relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa.json 
@@ -1,22 +1,22 @@ { "type": "bundle", - "id": "bundle--5c3cbc74-24c6-481b-ac37-b3a59de65046", + "id": "bundle--ff12d393-209e-40f2-b7fb-fd13798a848c", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--ac53e382-a140-4bbf-a59d-db3fe21acfaa", - "type": "relationship", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2018-10-17T00:14:20.652Z", + "modified": "2025-04-16T21:50:50.773Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a9cab8f6-4c94-4c9b-9e7d-9d863ff53431", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77.json b/mobile-attack/relationship/relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77.json index eefc7be817..61bca262d6 100644 --- a/mobile-attack/relationship/relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77.json +++ b/mobile-attack/relationship/relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77.json 
@@ -1,35 +1,35 @@ { "type": "bundle", - "id": "bundle--92aee283-11c4-4bde-890c-54c6c3e5aeab", + "id": "bundle--2add471d-e3f5-4cf8-9acd-66f391c0e579", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77", "type": "relationship", + "id": "relationship--ad0c873b-9e45-44e0-adaf-529921ee7a77", "created": "2020-06-26T15:32:25.035Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" }, { "source_name": "CheckPoint Cerberus", - "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", - "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." + "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", + "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/" } ], - "modified": "2020-06-26T15:32:25.035Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:50.963Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can collect device information, such as the default SMS app and device locale.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c.json b/mobile-attack/relationship/relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c.json index f333f675a0..aeee0b5615 100644 --- a/mobile-attack/relationship/relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c.json +++ b/mobile-attack/relationship/relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--5cf2f429-bd3e-499c-8438-2989d2aeb402", + "id": "bundle--c4ac9cee-acc0-44b6-b16f-6e3cbde0e9bf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c", "type": "relationship", + "id": "relationship--ad2c8b49-bbfb-47dd-84bb-cd4dbc49a64c", "created": "2019-09-03T19:45:48.512Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-09-11T13:25:19.210Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:51.148Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two attempts to connect to port 22011 to provide a remote reverse shell.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa.json b/mobile-attack/relationship/relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa.json index 653edf7a8b..8f28291b5d 100644 --- a/mobile-attack/relationship/relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa.json +++ b/mobile-attack/relationship/relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f2750f85-92e5-4cd7-8012-151058c278e0", + "id": "bundle--afb6852c-f6e0-4ea3-873d-441089b968fa", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ad723fb0-7439-407e-9bf5-1cb3fd7df8aa", "created": "2023-02-06T19:05:28.288Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-06T19:05:28.288Z", + "modified": "2025-04-16T21:50:51.360Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can collect files from or inspect the device\u2019s filesystem.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e.json b/mobile-attack/relationship/relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e.json index 205adb42b8..e5fa90539e 100644 
--- a/mobile-attack/relationship/relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e.json +++ b/mobile-attack/relationship/relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--ce96b262-7574-4348-9905-997c863caa1c", + "id": "bundle--8cfae4f3-36a4-4b78-99d9-1aabf114938d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--ad76b0ad-fa76-4d56-8a6e-8818bbc6509e", "created": "2022-03-30T18:07:07.306Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:51.557Z", "description": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. ", - "modified": "2022-03-30T18:07:07.306Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--79cb02f4-ac4e-4335-8b51-425c9573cce1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ada67532-039d-4b4f-93ab-82ceba13ec56.json b/mobile-attack/relationship/relationship--ada67532-039d-4b4f-93ab-82ceba13ec56.json index b944302882..23e982ee11 100644 --- a/mobile-attack/relationship/relationship--ada67532-039d-4b4f-93ab-82ceba13ec56.json 
+++ b/mobile-attack/relationship/relationship--ada67532-039d-4b4f-93ab-82ceba13ec56.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c47f7e81-e646-40f1-83b6-68ab2a39df9c", + "id": "bundle--eaad43be-c0f6-40ca-b0e7-dbb1c0071257", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ada67532-039d-4b4f-93ab-82ceba13ec56", "created": "2023-07-21T19:53:12.605Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:53:12.605Z", + "modified": "2025-04-16T21:50:51.758Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can access text message history.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3.json b/mobile-attack/relationship/relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3.json new file mode 100644 index 0000000000..b94cd9c12e --- /dev/null +++ b/mobile-attack/relationship/relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--7ea4a936-ad34-47a5-b6ce-623cb91ff0a6", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--adbacfe1-1d78-4652-b32c-4d31a0c33ef3", + "created": "2025-03-27T22:47:47.614Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:51.962Z", + "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has obtained a list of running processes.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", + "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--adc9957c-fa57-4e81-9231-b60f01b69859.json b/mobile-attack/relationship/relationship--adc9957c-fa57-4e81-9231-b60f01b69859.json index 0af8163492..28187bbe00 100644 --- a/mobile-attack/relationship/relationship--adc9957c-fa57-4e81-9231-b60f01b69859.json +++ b/mobile-attack/relationship/relationship--adc9957c-fa57-4e81-9231-b60f01b69859.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--359635bc-c166-4ec8-9e7d-8faa6d7b1a5b", + "id": "bundle--e6c7af8f-29eb-490a-ad73-2cc17b91009c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--adc9957c-fa57-4e81-9231-b60f01b69859", "type": "relationship", + "id": "relationship--adc9957c-fa57-4e81-9231-b60f01b69859", "created": "2020-12-24T22:04:28.010Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:28.010Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:52.165Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) can download new code to update itself.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee.json b/mobile-attack/relationship/relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee.json index 176375a618..cc480dab79 100644 --- a/mobile-attack/relationship/relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee.json +++ b/mobile-attack/relationship/relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--5eb90ad5-e284-4fee-9ce0-769a80eb5bb9", + "id": "bundle--96d398b9-e383-4716-acb2-3a09bb0dbfce", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ade5c0c5-8b53-4bc5-9d81-0284be2e5fee", "created": "2023-07-21T19:51:55.111Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:51:55.111Z", + "modified": "2025-04-16T21:50:52.376Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can intercept and imitate phone conversations by breaking the connection and displaying a fake call screen. It can also make outgoing calls and spoof incoming calls.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025.json b/mobile-attack/relationship/relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025.json index 04d99a6eaf..463e353892 100644 --- a/mobile-attack/relationship/relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025.json +++ b/mobile-attack/relationship/relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b50613df-6cfd-4c7a-ab5a-f673ca5cb529", + "id": "bundle--d4fcf80b-2e01-43e8-b9ee-d20f8d160e3f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ae5c93a8-fee8-42dc-b3cb-c6864481f025", "created": "2024-03-29T15:07:01.237Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-29T15:07:01.237Z", + "modified": "2025-04-16T21:50:52.568Z", "description": "Application vetting services can detect certificate pinning by examining an application\u2019s `network_security_config.xml` file, although this behavior can be benign.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ae8619a9-9142-4f0f-8778-09756341b472.json b/mobile-attack/relationship/relationship--ae8619a9-9142-4f0f-8778-09756341b472.json index e2c4971829..545e0d9079 100644 --- a/mobile-attack/relationship/relationship--ae8619a9-9142-4f0f-8778-09756341b472.json +++ b/mobile-attack/relationship/relationship--ae8619a9-9142-4f0f-8778-09756341b472.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--8784dfa6-63d8-4460-823a-c70f00940ee1", + "id": "bundle--804296a8-7746-4a2a-98c3-99dd01293c3f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ae8619a9-9142-4f0f-8778-09756341b472", "created": "2024-03-29T15:07:58.597Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-29T15:07:58.597Z", + "modified": "2025-04-16T21:50:52.779Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version has used certificate pinning for C2 communication.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--dfafc230-5465-4993-8dc5-f51fa9fec002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4.json b/mobile-attack/relationship/relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4.json index c3af8ea732..1d106dd634 100644 --- a/mobile-attack/relationship/relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4.json +++ b/mobile-attack/relationship/relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--01ff04ae-0336-48da-a496-7e91d1f68c76", + "id": "bundle--a36a8b31-12e2-4a81-82ef-16ee21f5bc0d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--aeb2d1a0-2180-4032-a395-7573dbd392f4", "created": "2024-02-20T23:39:08.717Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:39:08.717Z", + "modified": "2025-04-16T21:50:52.976Z", "description": "", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415.json b/mobile-attack/relationship/relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415.json index d35b78d26a..c23e0d714d 100644 --- a/mobile-attack/relationship/relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415.json +++ b/mobile-attack/relationship/relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--afcc9d28-a68f-43ed-8c41-adb69f94809a", + "id": "bundle--e28dfaa5-bb42-4060-8fd2-7e6efc8192c6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--aeeadd6b-30d3-4b4f-ac61-fd0bc367b415", "created": "2022-03-30T14:50:07.291Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:53.166Z", "description": "Device attestation could detect unauthorized operating system modifications.", - "modified": "2022-03-30T14:50:07.291Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--af06eaaa-161e-4913-8668-49bdd25b2eff.json b/mobile-attack/relationship/relationship--af06eaaa-161e-4913-8668-49bdd25b2eff.json index 50bc28087a..e19a3a89f4 100644 --- a/mobile-attack/relationship/relationship--af06eaaa-161e-4913-8668-49bdd25b2eff.json +++ b/mobile-attack/relationship/relationship--af06eaaa-161e-4913-8668-49bdd25b2eff.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--5f30c5be-5474-47ed-bb07-02750aeaae7e", + "id": "bundle--6dbd4611-faff-4f43-bbc9-165780d61de6", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--af06eaaa-161e-4913-8668-49bdd25b2eff", "created": "2024-02-21T20:47:45.488Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T20:47:45.488Z", + "modified": "2025-04-16T21:50:53.366Z", "description": "Application vetting services could look for usage of the `READ_PRIVILEGED_PHONE_STATE` Android permission. This could indicate that non-system apps are attempting to access information that they do not have access to.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f.json b/mobile-attack/relationship/relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f.json index 47d461fc05..4dacf50047 100644 --- a/mobile-attack/relationship/relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f.json +++ b/mobile-attack/relationship/relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b45f3977-38ef-47ac-8f98-deef5545c780", + "id": "bundle--a33f2b62-5eaa-439d-a9e1-2ef5b0be0505", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f", "type": "relationship", + "id": "relationship--af55d12a-5f58-4135-90d0-f465a66f7a3f", "created": "2020-07-15T20:20:59.305Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.305Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:53.565Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) abuses the accessibility service to prevent removing administrator permissions, accessibility permissions, and to set itself as the default SMS handler.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--afba6b19-7486-4e5a-8fda-e91852b0b354.json b/mobile-attack/relationship/relationship--afba6b19-7486-4e5a-8fda-e91852b0b354.json index e10111c964..7e1e6773da 100644 --- a/mobile-attack/relationship/relationship--afba6b19-7486-4e5a-8fda-e91852b0b354.json +++ b/mobile-attack/relationship/relationship--afba6b19-7486-4e5a-8fda-e91852b0b354.json 
@@ -1,23 +1,23 @@ { "type": "bundle", - "id": "bundle--9238cf9f-6e5a-44ed-b075-ec7fdfefd4b0", + "id": "bundle--7336fb8b-8272-4770-88b9-c5577c4146d1", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--afba6b19-7486-4e5a-8fda-e91852b0b354", + "created": "2021-09-20T13:42:21.104Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--afba6b19-7486-4e5a-8fda-e91852b0b354", - "type": "relationship", - "created": "2021-09-20T13:42:21.104Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-09-27T18:05:43.107Z", + "modified": "2025-04-16T21:50:53.782Z", "description": "Users should be encouraged to be very careful with what applications they grant phone call-based permissions to. Further, users should not change their default call handler to applications they do not recognize.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--afc0e8b2-2e85-4640-8517-fb2e16831082.json b/mobile-attack/relationship/relationship--afc0e8b2-2e85-4640-8517-fb2e16831082.json index 33442a2291..2d2271d933 100644 --- a/mobile-attack/relationship/relationship--afc0e8b2-2e85-4640-8517-fb2e16831082.json +++ b/mobile-attack/relationship/relationship--afc0e8b2-2e85-4640-8517-fb2e16831082.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6dc2f8de-901e-46f3-88a0-53e76819e2c3", + "id": "bundle--d12bcdde-92ec-4205-a5ce-5018e9546fd0", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:56:03.190Z", + "modified": "2025-04-16T21:50:53.980Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use a WebView with a fake log in site to capture banking credentials.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b.json b/mobile-attack/relationship/relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b.json index ff0758cb64..b079e27c95 100644 --- a/mobile-attack/relationship/relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b.json +++ b/mobile-attack/relationship/relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--03458b6d-d1fa-4311-ab03-959ab47a4399", + "id": "bundle--2f5a0b88-a688-4a73-be10-5b071aea443d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b", "type": "relationship", + "id": "relationship--afc0f502-39bb-41e3-b4fc-5b5bb1a1175b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-10-10T15:27:22.110Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:54.184Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) contains functionality to record calls as well as the victim device's environment.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--afe9e326-01f7-4296-a11b-09cfffd80120.json b/mobile-attack/relationship/relationship--afe9e326-01f7-4296-a11b-09cfffd80120.json index e760247ff2..df7714b626 100644 --- a/mobile-attack/relationship/relationship--afe9e326-01f7-4296-a11b-09cfffd80120.json +++ b/mobile-attack/relationship/relationship--afe9e326-01f7-4296-a11b-09cfffd80120.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--2b0ee5a3-ddf2-4f7a-9fdf-a5ddfefc6dcb", + "id": "bundle--2147185c-9ddb-49fb-959a-952d32cac85f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--afe9e326-01f7-4296-a11b-09cfffd80120", "type": "relationship", + "id": "relationship--afe9e326-01f7-4296-a11b-09cfffd80120", "created": "2020-07-27T14:14:56.962Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Security Zen", - "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html", - "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020." + "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.", + "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html" } ], - "modified": "2020-08-10T22:18:20.747Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:54.380Z", "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads and system prompts to create new Google accounts.(Citation: Google Security Zen)", "relationship_type": "uses", "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b018fe06-740b-4864-b30a-f047598506b3.json b/mobile-attack/relationship/relationship--b018fe06-740b-4864-b30a-f047598506b3.json index 4850948817..4ec04639eb 100644 --- a/mobile-attack/relationship/relationship--b018fe06-740b-4864-b30a-f047598506b3.json +++ b/mobile-attack/relationship/relationship--b018fe06-740b-4864-b30a-f047598506b3.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f15a4204-c49e-416c-b839-ab3228f43d26", + "id": "bundle--ecc43497-f901-4026-9fac-de7ca4991b00", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b018fe06-740b-4864-b30a-f047598506b3", "type": "relationship", + "id": "relationship--b018fe06-740b-4864-b30a-f047598506b3", "created": "2020-04-24T15:06:33.510Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "modified": "2020-04-24T15:06:33.510Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:54.570Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect various pieces of device information, including OS version, phone model, and manufacturer.(Citation: TrendMicro Coronavirus Updates) ", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4.json b/mobile-attack/relationship/relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4.json index ac8de81ea7..da22bd14a1 100644 --- a/mobile-attack/relationship/relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4.json +++ b/mobile-attack/relationship/relationship--b01f11f2-064b-4210-a8f2-f5c6360f64e4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7e9b9057-476e-479f-aedf-ae2dbc57cb2e", + "id": "bundle--5a28d6f0-25a6-4805-ab66-ca94133e6b29", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T21:39:52.340Z", + "modified": "2025-04-16T21:50:54.776Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device\u2019s information, such as SIM serial number, SIM serial number, etc.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694.json b/mobile-attack/relationship/relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694.json index 36a87077ac..b1ab182a2c 100644 --- a/mobile-attack/relationship/relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694.json +++ b/mobile-attack/relationship/relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694.json 
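Review bot: The `description` context line in this hunk lists "SIM serial number, SIM serial number", the same identifier twice, and the commit bumps `modified` to 2025-04-16 without correcting it. The second item was presumably meant to be a different device identifier, so check it against the cited welivesec_strongpity report, then either name the intended identifier or drop the repeat, e.g. `such as SIM serial number, etc.`. The string also ends with a space after the citation, which exact-match consumers will carry through. The relationship object opens above this hunk, so its `id` and `external_references` are not visible here.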
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--c8ecb8a7-9593-4b17-92a4-c7f114a9b8b7", + "id": "bundle--8e3843b6-a64e-4cdd-84d8-65cdb0e36695", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694", "type": "relationship", + "id": "relationship--b05668b9-aa06-4191-a4fa-f7e5a7804694", "created": "2021-01-05T20:16:20.514Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.514Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:54.959Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can list all hidden files in the `/DCIM/.dat/` directory.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b0625604-e4c4-402b-b191-f43137d38d99.json b/mobile-attack/relationship/relationship--b0625604-e4c4-402b-b191-f43137d38d99.json index 6c229a786f..433edc7163 100644 
--- a/mobile-attack/relationship/relationship--b0625604-e4c4-402b-b191-f43137d38d99.json +++ b/mobile-attack/relationship/relationship--b0625604-e4c4-402b-b191-f43137d38d99.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--552924a8-3983-4ddd-8938-8d19631d3675", + "id": "bundle--6de3d983-e53e-44b8-8ff6-b6d00004e9bf", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:29:50.160Z", + "modified": "2025-04-16T21:50:55.148Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can collect sent and received SMS messages.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c.json b/mobile-attack/relationship/relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c.json index c3876a8075..b797dc6339 100644 --- a/mobile-attack/relationship/relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c.json +++ b/mobile-attack/relationship/relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--51d4f665-65ab-461d-817f-bdc3c8c6f3b8", + "id": "bundle--b8a30b2c-1b81-4646-8ea4-f5a58d132c4c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b0bade50-bcca-4924-9746-c4ed0c3be76c", "created": "2023-07-21T19:41:31.114Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:41:31.114Z", + "modified": "2025-04-16T21:50:55.373Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) has been installed using the package name `com.android.callservice`, pretending to be an Android system service.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69.json b/mobile-attack/relationship/relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69.json index f1e4989981..76dd362480 100644 --- a/mobile-attack/relationship/relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69.json +++ b/mobile-attack/relationship/relationship--b0d0541d-caeb-43c0-906c-2e1e2ec25f69.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ea111f8-30f5-43f9-a959-4b56c4def552", + "id": "bundle--1c8fa5e0-b00d-4434-a85c-a08a72448ff1", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:32:47.359Z", + "modified": "2025-04-16T21:50:55.566Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) hides its icon after installation.(Citation: Group IB Gustuff Mar 2019) ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee.json b/mobile-attack/relationship/relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee.json new file mode 100644 index 0000000000..ced03c415a --- /dev/null +++ b/mobile-attack/relationship/relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--a144fa2a-9de1-4c89-8aab-e24e8cd8f97a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b0f009b5-cf5e-4333-a969-03adbe4de3ee", + "created": "2025-03-28T15:10:18.297Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + }, + { + "source_name": "SecureList OpTriangulation Dec2023", + "description": "Larin, B. (2023, December 27). Operation Triangulation: The last (hardware) mystery. Retrieved April 18, 2024.", + "url": "https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:55.802Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors use the Audio Queue API to record audio.(Citation: SecureList OpTriangulation 23Oct2023)(Citation: SecureList OpTriangulation Dec2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc.json b/mobile-attack/relationship/relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc.json index f0a6028cad..a89768163d 100644 
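Review bot: The `description` of this new relationship uses the present tense ("the threat actors use the Audio Queue API"), whereas the C0033 campaign relationship elsewhere in this commit uses the past tense ("used ... to collect"). For a campaign object the past tense reads correctly and keeps the entries consistent: `the threat actors used the Audio Queue API to record audio.` The string also ends with a space after the second citation, which could be trimmed in the same edit.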
--- a/mobile-attack/relationship/relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc.json +++ b/mobile-attack/relationship/relationship--b0fe69e0-d08f-488d-b1cf-3f0dbb28accc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39bd95d8-2b10-45b7-9e62-6c9aebda4d97", + "id": "bundle--3ead2379-6d67-4100-8a2f-eb03fcc1069a", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:13:55.642Z", + "modified": "2025-04-16T21:50:56.003Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use `locale.getLanguage()` to choose the language for notifications and avoid user detection.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b110d919-acd4-4fe0-a46a-ac4819508667.json b/mobile-attack/relationship/relationship--b110d919-acd4-4fe0-a46a-ac4819508667.json index 224e8d65a0..b0ff0d619c 100644 --- a/mobile-attack/relationship/relationship--b110d919-acd4-4fe0-a46a-ac4819508667.json +++ b/mobile-attack/relationship/relationship--b110d919-acd4-4fe0-a46a-ac4819508667.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b653550-78c4-4d19-8fa8-49002746c61a", + "id": "bundle--efbf99d8-ad31-4877-be94-578d8cadc3a0", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:21:35.992Z", + "modified": "2025-04-16T21:50:56.234Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has been installed via a malicious configuration profile.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3.json b/mobile-attack/relationship/relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3.json index ffa292760d..b4b0698f18 100644 --- a/mobile-attack/relationship/relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3.json +++ b/mobile-attack/relationship/relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--34709f10-bd33-4fe6-99ac-f4dd394d0116", + "id": "bundle--faddfd14-43a5-421e-a242-c459415acfef", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b162dc6b-6b4e-4bba-928a-00a423b112b3", "created": "2023-12-18T18:16:45.155Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:16:45.155Z", + "modified": "2025-04-16T21:50:56.429Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has abused WhatsApp vulnerability CVE-2019-3568 to achieve initial access.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b19082d2-c151-45dd-8844-82335fbe3ed9.json b/mobile-attack/relationship/relationship--b19082d2-c151-45dd-8844-82335fbe3ed9.json index 9c002a01f3..d1aabdf08a 100644 --- a/mobile-attack/relationship/relationship--b19082d2-c151-45dd-8844-82335fbe3ed9.json +++ b/mobile-attack/relationship/relationship--b19082d2-c151-45dd-8844-82335fbe3ed9.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--d160a916-8f4c-4e47-880f-5667e913044d", + "id": "bundle--8dbeccf4-4c21-4650-a589-d7c5451603ee", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b19082d2-c151-45dd-8844-82335fbe3ed9", "created": "2023-02-28T21:43:54.880Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-28T21:43:54.880Z", + "modified": "2025-04-16T21:50:56.621Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can send text messages.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83.json b/mobile-attack/relationship/relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83.json index 3d555db8f3..337b770227 100644 --- a/mobile-attack/relationship/relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83.json +++ b/mobile-attack/relationship/relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--42d1652e-befe-4ac1-a661-4f6bfa4384de", + "id": "bundle--81c5a87e-fda7-41cb-b704-4027a12ff679", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83", "type": "relationship", + "id": "relationship--b1e5bd2f-01e4-402d-a9b6-255110510a83", "created": "2020-12-24T21:45:56.986Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:45:56.986Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:56.819Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can install new applications which are obtained from the C2 server.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b.json b/mobile-attack/relationship/relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b.json index b0ae1d35be..d5a29f572a 100644 --- a/mobile-attack/relationship/relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b.json +++ b/mobile-attack/relationship/relationship--b2277deb-0ddb-45a7-9690-4a2168e1026b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b165f580-e734-4912-9389-e5f8286aab28", + "id": "bundle--1d7bd599-c450-48f4-9260-7845d033116a", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.058Z", + "modified": "2025-04-16T21:50:57.014Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has masqueraded as fake updates to chat applications such as Facebook, WhatsApp, Messenger, LINE, and LoveChat, as well as apps targeting Middle Eastern demographics.(Citation: Lookout FrozenCell) ", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b22addc1-6a23-4657-8164-3705e12bb95b.json b/mobile-attack/relationship/relationship--b22addc1-6a23-4657-8164-3705e12bb95b.json index 44bd22d617..461878012d 100644 --- a/mobile-attack/relationship/relationship--b22addc1-6a23-4657-8164-3705e12bb95b.json +++ b/mobile-attack/relationship/relationship--b22addc1-6a23-4657-8164-3705e12bb95b.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--0ffda38d-ac1a-43c1-9dcb-e003fd005fe5", + "id": "bundle--2c5a537a-7cf1-424b-b246-dd8256c3d953", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b22addc1-6a23-4657-8164-3705e12bb95b", "created": "2023-07-21T19:40:41.725Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:40:41.725Z", + "modified": "2025-04-16T21:50:57.232Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can use SMS to send C2 commands.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5.json b/mobile-attack/relationship/relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5.json index aeb2289db4..7df1604f2d 100644 --- a/mobile-attack/relationship/relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5.json +++ b/mobile-attack/relationship/relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--114eaa33-a205-4bfb-88cd-82ebdc421650", + "id": "bundle--80a23d55-aa55-427d-a6c0-add0e96ffd7d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b23e1e5d-3acc-456a-b63e-31c0bd5fe4a5", "created": "2024-02-21T20:46:00.252Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T20:46:00.252Z", + "modified": "2025-04-16T21:50:57.432Z", "description": "Android 10 introduced changes that prevent normal applications from accessing sensitive device identifiers.(Citation: TelephonyManager) ", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2.json b/mobile-attack/relationship/relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2.json index 8318e22de4..ce8b95be29 100644 --- a/mobile-attack/relationship/relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2.json +++ b/mobile-attack/relationship/relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7d575303-62f5-4a63-b74e-56b4ada7c92a", + "id": "bundle--2a98c13d-6294-4be3-abb5-6d710871d664", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2", "type": "relationship", + "id": "relationship--b24553a7-01c7-49b2-b1e0-fb961e788de2", "created": "2020-06-26T15:32:25.062Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], - "modified": "2020-06-26T15:32:25.062Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:57.625Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can obtain a list of installed applications.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e.json b/mobile-attack/relationship/relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e.json
index f27dcd8b65..f794080aa0 100644
--- a/mobile-attack/relationship/relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e.json
+++ b/mobile-attack/relationship/relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--566f1ce6-45bb-48a1-827a-d08c06f25edf", + "id": "bundle--af02ff86-0605-43a1-90c5-cfc0e0e7ab6e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b247a4f6-3629-4123-84b0-c7c5b3e7e37e", "created": "2022-03-30T20:45:34.433Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android Package Visibility", - "url": "https://developer.android.com/training/package-visibility", - "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022." + "description": "Google. (n.d.). Package visibility filtering on Android. Retrieved April 11, 2022.", + "url": "https://developer.android.com/training/package-visibility" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:57.824Z", "description": "Android 11 introduced privacy enhancements to package visibility, filtering results that are returned from the package manager. 
iOS 12 removed the private API that could previously be used to list installed applications on non-app store applications.(Citation: Android Package Visibility)", - "modified": "2022-04-11T19:19:52.562Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0.json b/mobile-attack/relationship/relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0.json index 0f15a28442..3a838b2ae6 100644 --- a/mobile-attack/relationship/relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0.json +++ b/mobile-attack/relationship/relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--a34fcc04-c930-405f-b790-4748ca24c0cd", + "id": "bundle--fc4c3f70-0d7a-468a-bd9c-3048b6d0c0c3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b263e4e9-972d-4ba7-8be8-e55eb6a483c0", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "ArsTechnica-HummingWhale", - "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/", - "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017." + "description": "Dan Goodin. (2017, January 23). Virulent Android malware returns, gets >2 million downloads on Google Play. Retrieved January 24, 2017.", + "url": "http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:58.016Z", "description": "[HummingWhale](https://attack.mitre.org/software/S0321) generates revenue by displaying fraudulent ads and automatically installing apps. 
When victims try to close the ads, [HummingWhale](https://attack.mitre.org/software/S0321) runs in a virtual machine, creating a fake ID that allows the perpetrators to generate revenue.(Citation: ArsTechnica-HummingWhale)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--6447e3a1-ef4d-44b1-99d5-6b1c4888674f", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b2896068-4d54-41e1-b0f2-db9385615112.json b/mobile-attack/relationship/relationship--b2896068-4d54-41e1-b0f2-db9385615112.json index cd12838fc8..aa1d8bcb09 100644 --- a/mobile-attack/relationship/relationship--b2896068-4d54-41e1-b0f2-db9385615112.json +++ b/mobile-attack/relationship/relationship--b2896068-4d54-41e1-b0f2-db9385615112.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--89911eeb-4b36-425e-abbc-668a4f8d1cbc", + "id": "bundle--a08a7b1f-faaa-4421-b6b9-ebcaed3c0b13", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b2896068-4d54-41e1-b0f2-db9385615112", "type": "relationship", + "id": "relationship--b2896068-4d54-41e1-b0f2-db9385615112", "created": "2021-01-05T20:16:20.426Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.426Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:58.233Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) has shown a persistent notification to maintain access to device sensors.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b309c25a-6baf-4874-829d-63712a38652c.json b/mobile-attack/relationship/relationship--b309c25a-6baf-4874-829d-63712a38652c.json index 56ac29866b..aea8729adf 100644 
--- a/mobile-attack/relationship/relationship--b309c25a-6baf-4874-829d-63712a38652c.json +++ b/mobile-attack/relationship/relationship--b309c25a-6baf-4874-829d-63712a38652c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69197e4b-ae31-4821-b019-bd16c31b841b", + "id": "bundle--9adb83e5-e910-409a-a587-bf44bfc4b1ea", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:21:41.461Z", + "modified": "2025-04-16T21:50:58.427Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself camera permissions.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545.json b/mobile-attack/relationship/relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545.json index 8d65c9b743..bbedc4f1b8 100644 --- a/mobile-attack/relationship/relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545.json +++ b/mobile-attack/relationship/relationship--b30fa851-75cf-46ac-aa1b-cfa8b7f36545.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8ddbde9e-c4f5-4ad0-aa2c-7398afcae1c5", + "id": "bundle--57d385b8-bee6-4356-b26c-5efd2e56a136", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T16:56:23.365Z", + "modified": "2025-04-16T21:50:58.665Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) processes incoming SMS messages by filtering based on phone numbers, keywords, and regular expressions, focusing primarily on banks, payment systems, and mobile network operators. [Rotexy](https://attack.mitre.org/software/S0411) can also send a list of all SMS messages on the device to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b336b44d-1810-4672-8e51-a63e91681907.json b/mobile-attack/relationship/relationship--b336b44d-1810-4672-8e51-a63e91681907.json new file mode 100644 index 0000000000..0d3f3c6d9c --- /dev/null +++ b/mobile-attack/relationship/relationship--b336b44d-1810-4672-8e51-a63e91681907.json 
@@ -0,0 +1,42 @@ +{ + "type": "bundle", + "id": "bundle--71c2b920-ce82-4fd6-91f8-96edfb1d2d00", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b336b44d-1810-4672-8e51-a63e91681907", + "created": "2025-03-24T17:56:25.848Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:58.859Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) uses the `landevices` module to enumerate devices on the same WiFi network through active scanning.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Shoshin_Kaspersky LightSpy 2020) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--2de38279-043e-47e8-aaad-1b07af6d0790", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b356d405-f6b1-485b-bd35-236b9da766d2.json b/mobile-attack/relationship/relationship--b356d405-f6b1-485b-bd35-236b9da766d2.json index 5a06c916ba..3400f7ad12 100644 --- a/mobile-attack/relationship/relationship--b356d405-f6b1-485b-bd35-236b9da766d2.json +++ b/mobile-attack/relationship/relationship--b356d405-f6b1-485b-bd35-236b9da766d2.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--11bad42f-f9ea-4cf6-8cb1-ba49c940520e", + "id": "bundle--315f72d1-d209-495b-a3a7-2f9fd7c62add", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b356d405-f6b1-485b-bd35-236b9da766d2", "type": "relationship", + "id": "relationship--b356d405-f6b1-485b-bd35-236b9da766d2", "created": "2020-04-24T17:46:31.586Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", - "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", - "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], - "modified": "2020-04-27T15:27:26.539Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:50:59.057Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can use the `MediaRecorder` class to record the screen when the targeted application is presented to the user, and can abuse accessibility features to record targeted applications to intercept transaction authorization numbers (TANs) and to scrape on-screen text.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": 
"identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0.json b/mobile-attack/relationship/relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0.json index 82c328637a..81faffc6d4 100644 --- a/mobile-attack/relationship/relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0.json +++ b/mobile-attack/relationship/relationship--b360a1c8-8939-428e-bc6e-3f4755bd9ee0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ffe158f1-3fcf-41a3-8b1a-4c87b4f928fd", + "id": "bundle--bf9c20b6-aabf-4c18-933d-60320a3cc251", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:30:18.307Z", + "modified": "2025-04-16T21:50:59.282Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can intercept SMS messages.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7.json b/mobile-attack/relationship/relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7.json index 8d333795c3..4543221762 100644 --- a/mobile-attack/relationship/relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7.json +++ b/mobile-attack/relationship/relationship--b37ebb4e-0536-4de0-8e00-7b3d942a02b7.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2cb1b162-b77e-4ac5-aeef-e6b03fe8fd0b", + "id": "bundle--a32e6eea-2860-4f06-9223-7159ea54cfde", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T17:19:28.650Z", + "modified": "2025-04-16T21:50:59.476Z", "description": "System partition integrity checking mechanisms can detect unauthorized or malicious code contained in the system partition.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab.json b/mobile-attack/relationship/relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab.json index f32dc4df07..596a891ed8 100644 --- a/mobile-attack/relationship/relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab.json +++ b/mobile-attack/relationship/relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--0e79690d-106e-4961-812e-5b6bf994b2dc", + "id": "bundle--325291a1-a9be-46bc-808a-7b58bb805847", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b3866c07-e143-4d0d-9176-c2845f85c5ab", "created": "2023-01-18T19:58:21.223Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-01-18T19:58:21.223Z", + "modified": "2025-04-16T21:50:59.679Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) has used RSA to encrypt the symmetric encryption key used for C2 messages.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312.json b/mobile-attack/relationship/relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312.json index eb40ba809e..29f51e4519 100644 --- a/mobile-attack/relationship/relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312.json +++ b/mobile-attack/relationship/relationship--b3a14001-e0c0-4f13-ac03-04e56dc0e312.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2fecbfa7-1fa8-4fd7-8448-f0010c5ab62a", + "id": "bundle--c43f4f1b-447a-4d1e-9271-6de2ae28b6a1", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.311Z", + "modified": "2025-04-16T21:50:59.886Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has been incorporated into trojanized applications, including Uyghur/Arabic focused keyboards, alphabets, and plugins, as well as official-looking Google applications.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b.json b/mobile-attack/relationship/relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b.json index 96a6502368..f03edc50a9 100644 --- a/mobile-attack/relationship/relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b.json +++ b/mobile-attack/relationship/relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--8f55f064-0f2b-44ae-a1cc-5baedc040433", + "id": "bundle--652cdd2a-1dba-4d21-a0e7-cba49221e755", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b", "type": "relationship", + "id": "relationship--b3bb33bf-9034-4d5c-8ea0-31d3bbd12b6b", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:00.093Z", "description": "[WireLurker](https://attack.mitre.org/software/S0312) obfuscates its payload through complex code structure, multiple component versions, file hiding, code obfuscation and customized encryption to thwart anti-reversing.(Citation: PaloAlto-WireLurker)", "relationship_type": "uses", "source_ref": "malware--326eaf7b-5784-4f08-8fc2-61fd5d5bc5fb", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b402664b-a5b4-45e4-832f-02638e6c67a7.json b/mobile-attack/relationship/relationship--b402664b-a5b4-45e4-832f-02638e6c67a7.json index d76f3b6a5f..467cc6a70b 100644 --- a/mobile-attack/relationship/relationship--b402664b-a5b4-45e4-832f-02638e6c67a7.json +++ b/mobile-attack/relationship/relationship--b402664b-a5b4-45e4-832f-02638e6c67a7.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--f30c449d-c852-4882-8efc-a7575a802eb4", + "id": "bundle--e38c6fd3-cce4-4a39-9c5b-2f0c6ca384cf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b402664b-a5b4-45e4-832f-02638e6c67a7", "created": "2022-04-01T14:59:17.991Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:00.299Z", "description": "Mobile security products can take appropriate action when jailbroken devices are detected, potentially limiting the adversary\u2019s access to password stores. ", - "modified": "2022-04-01T14:59:17.991Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213.json b/mobile-attack/relationship/relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213.json index b6cfd56451..5a19cf2614 100644 --- a/mobile-attack/relationship/relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213.json +++ b/mobile-attack/relationship/relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--795e6c36-8304-4acb-8287-963812ae32ee", + "id": "bundle--0844d4d0-2ca8-4a10-9fbe-d1aa350eb518", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b40e34ad-b699-4196-aa07-5bd71fe8f213", "created": "2022-04-20T17:31:58.697Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "TrendMicro Coronavirus Updates", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/", - "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. Retrieved April 24, 2020." + "description": "T. Bao, J. Lu. (2020, April 14). Coronavirus Update App Leads to Project Spy Android and iOS Spyware. 
Retrieved April 24, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:00.493Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) has exfiltrated data using FTP.(Citation: TrendMicro Coronavirus Updates)", - "modified": "2022-04-20T17:31:58.697Z", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--37047267-3e56-453c-833e-d92b68118120", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8.json b/mobile-attack/relationship/relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8.json index a282bfb219..757e8916cf 100644 --- a/mobile-attack/relationship/relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8.json +++ b/mobile-attack/relationship/relationship--b4180067-52b6-4109-91df-52fd9a7ed2e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--059cdf34-fcf6-4a18-b5e1-66a229423a8f", + "id": "bundle--8cc881ec-9cae-4c4f-908c-2a6b7b192926", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T16:17:55.260Z", + "modified": "2025-04-16T21:51:00.731Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) gathers audio from the microphone.(Citation: Lookout-EnterpriseApps)(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b43c87a7-de40-4673-9808-57c7ffca7b98.json b/mobile-attack/relationship/relationship--b43c87a7-de40-4673-9808-57c7ffca7b98.json index 8c1aaa5dd2..cc5407b084 100644 --- a/mobile-attack/relationship/relationship--b43c87a7-de40-4673-9808-57c7ffca7b98.json +++ b/mobile-attack/relationship/relationship--b43c87a7-de40-4673-9808-57c7ffca7b98.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--d1b05bef-107a-45fc-8bb0-fb7fc1409c8d", + "id": "bundle--c03e7445-ef7f-4503-9c22-42e49e0ee583", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b43c87a7-de40-4673-9808-57c7ffca7b98", "created": "2023-07-21T19:54:21.877Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:54:21.877Z", + "modified": "2025-04-16T21:51:00.936Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) has masqueraded as popular Korean banking apps.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be.json b/mobile-attack/relationship/relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be.json index 25c766de2f..54c96df1b8 100644 --- a/mobile-attack/relationship/relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be.json +++ b/mobile-attack/relationship/relationship--b43f4cef-138e-4b5d-8e68-e8eeae3591be.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--02ab7479-6ef1-42c3-98f7-3e561fdfc47a", + "id": "bundle--1b6736ac-b6e6-4188-b215-b9270664ced7", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:30:32.294Z", + "modified": "2025-04-16T21:51:01.128Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has read SMS messages for exfiltration.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1.json b/mobile-attack/relationship/relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1.json index a6d0173927..37e0d0f70f 100644 --- a/mobile-attack/relationship/relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1.json +++ b/mobile-attack/relationship/relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4421c660-5446-406e-99cf-6866ad20828b", + "id": "bundle--95998d36-161b-429b-86d6-4e7a6392be66", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1", "type": "relationship", + "id": "relationship--b45cf5e0-7427-4d5c-be2c-22f5231493d1", "created": "2021-10-01T14:42:49.184Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "modified": "2021-10-01T14:42:49.184Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:01.354Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect the device\u2019s location information based on cellular network or GPS coordinates.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
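Review bot: The rewritten object in this hunk ends with `x_mitre_modified_by_ref` and `x_mitre_attack_spec_version` but carries neither `revoked` nor `x_mitre_deprecated`, while other relationships in the same patch stamped with the same `3.2.0` spec version (for example relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070) state both as `false`. A consumer that selects active relationships by strict comparison on those keys would silently drop this record from technique-coverage or detection-mapping output. Either emit `"revoked": false,` and `"x_mitre_deprecated": false,` here as well, or document that an absent key means false. The same shape appears in the other whole-file hunks on this page that only gain the spec-version field, such as relationship--b4735277-516a-4cd2-9607-a3e415945d93 and relationship--b477afcb-7449-4fae-b4aa-c512c22d7500.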
diff --git a/mobile-attack/relationship/relationship--b4735277-516a-4cd2-9607-a3e415945d93.json b/mobile-attack/relationship/relationship--b4735277-516a-4cd2-9607-a3e415945d93.json index 527ad7de4e..2c282527b6 100644 --- a/mobile-attack/relationship/relationship--b4735277-516a-4cd2-9607-a3e415945d93.json +++ b/mobile-attack/relationship/relationship--b4735277-516a-4cd2-9607-a3e415945d93.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--bbf62d4e-5c88-48d6-8344-f865978ae173", + "id": "bundle--53453725-a179-427b-b8a7-1d9c9c8e54ab", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b4735277-516a-4cd2-9607-a3e415945d93", "type": "relationship", + "id": "relationship--b4735277-516a-4cd2-9607-a3e415945d93", "created": "2020-11-10T17:08:35.800Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2021-09-20T13:54:20.494Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:01.547Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can remotely capture device audio.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b477afcb-7449-4fae-b4aa-c512c22d7500.json b/mobile-attack/relationship/relationship--b477afcb-7449-4fae-b4aa-c512c22d7500.json index 3eab73a329..196a6be90b 100644 --- a/mobile-attack/relationship/relationship--b477afcb-7449-4fae-b4aa-c512c22d7500.json +++ b/mobile-attack/relationship/relationship--b477afcb-7449-4fae-b4aa-c512c22d7500.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3a5e0fd3-9eb7-4cec-8e00-3e4b1431e371", + "id": "bundle--e8687fb2-c4f2-4bce-8487-f92c3d27a76c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b477afcb-7449-4fae-b4aa-c512c22d7500", "type": "relationship", + "id": "relationship--b477afcb-7449-4fae-b4aa-c512c22d7500", "created": "2020-09-15T15:18:12.394Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason FakeSpy", - "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world", - "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020." + "description": "O. Almkias. (2020, July 1). FakeSpy Masquerades as Postal Service Apps Around the World. Retrieved September 15, 2020.", + "url": "https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world" } ], - "modified": "2020-09-15T15:18:12.394Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:01.753Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can send SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd.json b/mobile-attack/relationship/relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd.json index 0a1660b067..eeeaee0220 100644 --- a/mobile-attack/relationship/relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd.json +++ b/mobile-attack/relationship/relationship--b49ecb71-92b3-4813-be4d-9f8c2aa67ccd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--72a5eb66-5682-43fc-97cb-320c71d4e4d9", + "id": "bundle--3ee1bd10-89d8-408f-8e7f-6b92091a98e3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:05:01.189Z", + "modified": "2025-04-16T21:51:01.953Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has installed malicious MDM profiles on iOS devices as part of Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f.json b/mobile-attack/relationship/relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f.json index d56bf242df..a1caa91a0a 100644 --- a/mobile-attack/relationship/relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f.json +++ b/mobile-attack/relationship/relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b124f259-fdc3-4b47-b993-d163133eccd1", + "id": "bundle--81a42245-1107-472c-8723-13e7ff5b76f7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f", "type": "relationship", + "id": "relationship--b4ef35e9-3dba-49c7-8842-a7dff403241f", "created": "2020-12-17T20:15:22.445Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Palo Alto HenBox", - "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/", - "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019." + "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.", + "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/" } ], - "modified": "2020-12-17T20:15:22.445Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:02.160Z", "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device\u2019s camera.(Citation: Palo Alto HenBox)", "relationship_type": "uses", "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b536f233-8c43-4671-b8e8-d72a4806946d.json b/mobile-attack/relationship/relationship--b536f233-8c43-4671-b8e8-d72a4806946d.json index bcc82ae949..0ff9ee3b9a 100644 --- a/mobile-attack/relationship/relationship--b536f233-8c43-4671-b8e8-d72a4806946d.json +++ b/mobile-attack/relationship/relationship--b536f233-8c43-4671-b8e8-d72a4806946d.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--3e8d9307-9943-4ff1-81ce-bda003d728ec", + "id": "bundle--608ab9d2-5590-4ee5-a12f-4efc58699411", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b536f233-8c43-4671-b8e8-d72a4806946d", "created": "2022-04-05T17:14:23.789Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:02.375Z", "description": "", - "modified": "2022-04-05T17:14:23.789Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b53d1c92-b71f-434e-aa4f-08b8db765248.json b/mobile-attack/relationship/relationship--b53d1c92-b71f-434e-aa4f-08b8db765248.json index f2f5034cdc..5874a3ee69 100644 
--- a/mobile-attack/relationship/relationship--b53d1c92-b71f-434e-aa4f-08b8db765248.json +++ b/mobile-attack/relationship/relationship--b53d1c92-b71f-434e-aa4f-08b8db765248.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--31df6912-2b6b-4748-ae0a-d950202577cd", + "id": "bundle--cc1a583d-17db-4e96-9788-f6026f17aca7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b53d1c92-b71f-434e-aa4f-08b8db765248", "type": "relationship", + "id": "relationship--b53d1c92-b71f-434e-aa4f-08b8db765248", "created": "2019-07-10T15:25:57.604Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-08-12T17:30:07.572Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:02.568Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) tracks the latitude and longitude coordinates of the infected device.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551.json b/mobile-attack/relationship/relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551.json index 0775b0d653..75f9743a50 100644 --- a/mobile-attack/relationship/relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551.json 
+++ b/mobile-attack/relationship/relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--33c3e683-f33f-4684-a9f4-8a9b011869e7", + "id": "bundle--f431dd4e-843e-4d06-8404-ffbcb8b9a25b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551", "type": "relationship", + "id": "relationship--b5590b50-0aaa-4f43-9b29-f17ee717b551", "created": "2021-02-08T16:36:20.698Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "modified": "2021-05-24T13:16:56.412Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:02.772Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included location tracking capabilities in the malicious apps deployed as part of Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070.json b/mobile-attack/relationship/relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070.json index 03206c3de8..51787a9865 100644 --- a/mobile-attack/relationship/relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070.json +++ b/mobile-attack/relationship/relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--2c32ed78-e1dc-41fd-adb8-c9463de2aff6", + "id": "bundle--76cbb7c9-6ef7-4802-a211-fa059d1449e1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b5e8cef4-e8a1-484f-baae-cf12b26e6070", "created": "2020-12-18T20:14:47.302Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:02.974Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has used Firebase for C2 communication.(Citation: WhiteOps TERRACOTTA)", - "modified": "2022-04-18T19:18:56.475Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b5f3b110-fc66-4369-89f3-621c945d655f.json b/mobile-attack/relationship/relationship--b5f3b110-fc66-4369-89f3-621c945d655f.json index 6291381f01..8f92271492 100644 --- a/mobile-attack/relationship/relationship--b5f3b110-fc66-4369-89f3-621c945d655f.json +++ b/mobile-attack/relationship/relationship--b5f3b110-fc66-4369-89f3-621c945d655f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--425fa167-035a-42b5-a95b-39f209d8c86e", + "id": "bundle--6980d37a-bfbd-42c2-a779-fcd257df4f28", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b5f3b110-fc66-4369-89f3-621c945d655f", "type": "relationship", + "id": "relationship--b5f3b110-fc66-4369-89f3-621c945d655f", "created": "2020-04-27T16:52:49.444Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Triada June 2019", - "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", - "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019.", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], - "modified": "2020-04-27T16:52:49.444Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:03.170Z", "description": "[Triada](https://attack.mitre.org/software/S0424) encrypts data prior to exfiltration.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b610c587-576a-40cc-9f76-6362455c8ff4.json b/mobile-attack/relationship/relationship--b610c587-576a-40cc-9f76-6362455c8ff4.json index 49ba266f51..30640f3044 100644 
--- a/mobile-attack/relationship/relationship--b610c587-576a-40cc-9f76-6362455c8ff4.json +++ b/mobile-attack/relationship/relationship--b610c587-576a-40cc-9f76-6362455c8ff4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5997d52a-b07b-4854-88d3-47501829a2d4", + "id": "bundle--017943a1-4431-419b-a4b6-fef6a0d64f1a", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:49:09.975Z", + "modified": "2025-04-16T21:51:03.373Z", "description": "Application vetting services can detect and closely scrutinize applications that utilize Device Administrator access.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b6323cf4-8141-4910-8743-e42cd15b49e9.json b/mobile-attack/relationship/relationship--b6323cf4-8141-4910-8743-e42cd15b49e9.json index 123acca816..8332c4509e 100644 --- a/mobile-attack/relationship/relationship--b6323cf4-8141-4910-8743-e42cd15b49e9.json +++ b/mobile-attack/relationship/relationship--b6323cf4-8141-4910-8743-e42cd15b49e9.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--5a6acc46-17fc-48d1-a33a-ca8ff45e2ede", + "id": "bundle--8480204e-fc36-4be1-a9db-f5f14c4a65d8", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b6323cf4-8141-4910-8743-e42cd15b49e9", "created": "2023-07-21T19:53:59.148Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:53:59.148Z", + "modified": "2025-04-16T21:51:03.569Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can send exfiltrated data back to the C2 server.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b641e5b8-5981-452a-99f0-3598c783e5ee.json b/mobile-attack/relationship/relationship--b641e5b8-5981-452a-99f0-3598c783e5ee.json index 4353858e22..cd6e1b91c6 100644 --- a/mobile-attack/relationship/relationship--b641e5b8-5981-452a-99f0-3598c783e5ee.json +++ b/mobile-attack/relationship/relationship--b641e5b8-5981-452a-99f0-3598c783e5ee.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--39c22e39-f44e-4557-a3fb-e355e343182f", + "id": "bundle--12fbcaaa-c082-4c25-a0b0-b1196ecd6803", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:30:47.506Z", + "modified": "2025-04-16T21:51:03.786Z", "description": "[Riltok](https://attack.mitre.org/software/S0403) can intercept incoming SMS messages.(Citation: Kaspersky Riltok June 2019)", "relationship_type": "uses", "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b6726136-3c20-4921-a0cb-75a66f59107c.json b/mobile-attack/relationship/relationship--b6726136-3c20-4921-a0cb-75a66f59107c.json index fbd464aa3d..c47ce26b08 100644 --- a/mobile-attack/relationship/relationship--b6726136-3c20-4921-a0cb-75a66f59107c.json +++ b/mobile-attack/relationship/relationship--b6726136-3c20-4921-a0cb-75a66f59107c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--aff741f3-26af-4ef3-a532-b2fe696846ad", + "id": "bundle--00802086-7a1f-4ebf-a4d7-83be501671f0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b6726136-3c20-4921-a0cb-75a66f59107c", "type": "relationship", + "id": "relationship--b6726136-3c20-4921-a0cb-75a66f59107c", "created": "2020-09-11T16:22:03.296Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", - "url": "https://blog.lookout.com/viperrat-mobile-apt", - "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], - "modified": "2020-09-11T16:22:03.296Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:03.983Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab.json b/mobile-attack/relationship/relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab.json index 77099e4972..d5440a2755 100644 --- a/mobile-attack/relationship/relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab.json +++ b/mobile-attack/relationship/relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--7cd3d345-bc1b-4ee1-9792-c374a24c05bd", + "id": "bundle--712db8e3-01d0-4d34-a83b-6b2ebf93c48d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab", "type": "relationship", + "id": "relationship--b67f04d9-1cbd-49b4-9ec3-a33a41ac42ab", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:04.181Z", "description": "[OBAD](https://attack.mitre.org/software/S0286) contains encrypted code along with an obfuscated decryption routine to make it difficult to analyze.(Citation: TrendMicro-Obad)", "relationship_type": "uses", "source_ref": "malware--ca4f63b9-a358-4214-bb26-8c912318cfde", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b697a198-8949-43e0-b2b8-23498373c920.json b/mobile-attack/relationship/relationship--b697a198-8949-43e0-b2b8-23498373c920.json index 63c55a13ef..ab5001f864 100644 --- a/mobile-attack/relationship/relationship--b697a198-8949-43e0-b2b8-23498373c920.json +++ b/mobile-attack/relationship/relationship--b697a198-8949-43e0-b2b8-23498373c920.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3b245799-ef9e-46d9-90a7-e56e25a6b81d", + "id": "bundle--040fb800-c612-4292-8ba6-8a2c9ba5643e", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:28:09.643Z", + "modified": "2025-04-16T21:51:04.385Z", "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34.json b/mobile-attack/relationship/relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34.json index ec81c77916..abfe56c9f6 100644 --- a/mobile-attack/relationship/relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34.json +++ b/mobile-attack/relationship/relationship--b6feb018-65e3-46ff-b872-e4385b6f3b34.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3784acc9-4b3b-4f44-aaba-136e035bc117", + "id": "bundle--2cdf7c4b-2c46-47ae-a3a3-58317f986159", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-23T22:50:11.248Z", + "modified": "2025-04-16T21:51:04.576Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) may prevent application removal by abusing Android\u2019s ` performGlobalAction(int)` API call. ", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e.json b/mobile-attack/relationship/relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e.json index fc0421d172..5e215b7baf 100644 --- a/mobile-attack/relationship/relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e.json +++ b/mobile-attack/relationship/relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--45e43249-5597-4160-a812-0248b6d11310", + "id": "bundle--7be1d14f-524f-4089-9c73-c8b42da4c756", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e", "type": "relationship", + "id": "relationship--b7282bf9-63f8-49ad-8ee0-f2ad523a367e", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:04.777Z", "description": "[DualToy](https://attack.mitre.org/software/S0315) side loads malicious or risky apps to both Android and iOS devices via a USB connection.(Citation: PaloAlto-DualToy)", "relationship_type": "uses", "source_ref": "malware--507fe748-5e4a-4b45-9e9f-8b1115f4e878", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725.json b/mobile-attack/relationship/relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725.json index 2a59df24ee..078b909307 100644 --- a/mobile-attack/relationship/relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725.json +++ b/mobile-attack/relationship/relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--3afb8b59-4e0f-4386-972f-7445886ff24d", + "id": "bundle--4c60b021-b238-4d85-95e6-de47985c3cb3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725", "type": "relationship", + "id": "relationship--b7652f27-1cf6-4310-bf6b-5fb99c4fd725", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:04.975Z", "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) has the ability to record audio.(Citation: Lookout-Pegasus)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b7a31a11-6c84-4c28-a548-4751e4d71134.json b/mobile-attack/relationship/relationship--b7a31a11-6c84-4c28-a548-4751e4d71134.json index f59884c2c4..df6100e7b8 100644 --- a/mobile-attack/relationship/relationship--b7a31a11-6c84-4c28-a548-4751e4d71134.json +++ b/mobile-attack/relationship/relationship--b7a31a11-6c84-4c28-a548-4751e4d71134.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--9ddc166e-400d-4c46-a7ec-e38727e8bebc", + "id": "bundle--360be81a-6772-486f-8c2b-598c94c9d71a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b7a31a11-6c84-4c28-a548-4751e4d71134", "created": "2020-05-04T14:04:56.158Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Google Bread", - "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", - "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:05.165Z", "description": "[Bread](https://attack.mitre.org/software/S0432) can perform SMS fraud on older versions of the malware, and toll fraud on newer versions.(Citation: Google Bread)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10.json b/mobile-attack/relationship/relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10.json index 2def382de0..f77e796603 100644 --- a/mobile-attack/relationship/relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10.json +++ b/mobile-attack/relationship/relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--e6aa44cf-0168-422a-bc4c-61e697216c9e", + "id": "bundle--b4fea70c-5598-4783-9d3f-9ef1eeb54ea1", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b7c8abf7-d4e4-40a4-aa2a-ee995a6f4f10", "created": "2023-03-03T15:36:15.840Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T15:36:15.840Z", + "modified": "2025-04-16T21:51:05.382Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access device call logs.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87.json b/mobile-attack/relationship/relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87.json index 39e93e3db8..16306bd5de 100644 --- a/mobile-attack/relationship/relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87.json +++ b/mobile-attack/relationship/relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e42f13af-dbcb-4dbf-a5b5-960c5139b593", + "id": "bundle--67f27086-172c-4dba-9706-c1f3367d6e60", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87", "type": "relationship", + "id": "relationship--b7cf1c31-8722-4eeb-ae59-66936c15fa87", "created": "2021-01-05T20:16:20.495Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.495Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:05.577Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect device photos and credentials from other applications.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f.json b/mobile-attack/relationship/relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f.json index 3010f78af6..f68775bb69 100644 
--- a/mobile-attack/relationship/relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f.json +++ b/mobile-attack/relationship/relationship--b81a284d-34ec-4e61-a073-bf6cd85e4c3f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f5897c44-d718-4c9d-b6ce-c61d8903af1d", + "id": "bundle--dd54f857-4afa-4313-8da8-65958db2fa26", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:54:05.374Z", + "modified": "2025-04-16T21:51:05.786Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) can prevent the user from interacting with the UI by using a carefully crafted \"call\" notification screen. This is coupled with overriding the `onUserLeaveHint()` callback method to spawn a new notification instance when the current one is dismissed. (Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea.json b/mobile-attack/relationship/relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea.json index f9c190fa15..65aeb5bff3 100644 --- a/mobile-attack/relationship/relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea.json +++ b/mobile-attack/relationship/relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--45a3a772-59c5-414d-b6ca-8be7160a176e", + "id": "bundle--cd880cb3-ed64-4e42-a36b-e11f0cf001f4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b81ba10a-73c2-4616-a8bc-eeb422e1c5ea", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "HackerNews-Allwinner", - "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html", - "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018." + "description": "Mohit Kumar. (2016, May 11). Kernel Backdoor found in Gadgets Powered by Popular Chinese ARM Maker. Retrieved September 18, 2018.", + "url": "https://thehackernews.com/2016/05/android-kernal-exploit.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:05.987Z", "description": "A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) reportedly contained an simple backdoor that could be used to obtain root access. 
It was believed to have been left in the kernel by mistake by the authors.(Citation: HackerNews-Allwinner)", - "modified": "2022-04-15T15:16:35.892Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--08784a9d-09e9-4dce-a839-9612398214e8", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a.json b/mobile-attack/relationship/relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a.json index b879833511..9d0d3a26da 100644 --- a/mobile-attack/relationship/relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a.json +++ b/mobile-attack/relationship/relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--5d6a56b5-3ffc-414d-abb2-cc91a796f4e5", + "id": "bundle--b722dbc1-26cd-4b48-9ba3-b76d6268c34b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b81f9698-b9d1-4a6a-b836-f7e29232693a", "created": "2023-09-28T17:26:10.893Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:26:10.893Z", + "modified": "2025-04-16T21:51:06.180Z", "description": "[Fakecalls](https://attack.mitre.org/software/S1080) can manipulate a device\u2019s call log, including deleting incoming calls.(Citation: kaspersky_fakecalls_0422)", "relationship_type": "uses", "source_ref": "malware--429e1526-6293-495b-8808-af7f9a66c4be", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b8606318-8c12-4381-ba33-5b2321772ea0.json b/mobile-attack/relationship/relationship--b8606318-8c12-4381-ba33-5b2321772ea0.json index b1248dafa7..d5181725c9 100644 --- a/mobile-attack/relationship/relationship--b8606318-8c12-4381-ba33-5b2321772ea0.json +++ b/mobile-attack/relationship/relationship--b8606318-8c12-4381-ba33-5b2321772ea0.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--6432c820-54a0-4713-9e0e-256ecb43dae2", + "id": "bundle--5bdb7048-f4be-4004-af90-3c01e6090637", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b8606318-8c12-4381-ba33-5b2321772ea0", "created": "2022-03-30T20:31:57.183Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:06.393Z", "description": "Users should be advised to be extra scrutinous of applications that request location or sensitive phone information permissions, and to deny any permissions requests for applications they do not recognize.", - "modified": "2022-03-30T20:31:57.183Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6.json b/mobile-attack/relationship/relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6.json new file mode 100644 index 0000000000..5566fab53c --- /dev/null +++ b/mobile-attack/relationship/relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--c948688f-d62e-49fb-96e8-85bf44184345", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b8879a8a-84ff-4625-b487-7922d8a1b6a6", + "created": "2025-03-28T15:12:41.595Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:06.578Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors have collected and exfiltrated data from WhatsApp and Telegram.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad.json b/mobile-attack/relationship/relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad.json new file mode 100644 index 0000000000..7cbcce0d31 --- /dev/null +++ b/mobile-attack/relationship/relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad.json 
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--3d7ff0f7-149d-455e-aad5-781f72bef876", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--b8afc5b9-3ffc-4b3c-b2d8-ee2888a7b6ad", + "created": "2021-09-24T13:59:11.505Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:06.780Z", + "description": "The user should become familiar with social engineering tactics that ask for Personally Identifiable Information (PII). Additionally, the user should include the use of hardware tokens, biometrics, and other non-SMS based authentication mechanisms where possible. Finally, the user should enable SIM swapping protections offered by the mobile carrier, such as setting up a PIN or password to authorize any changes to the account. ", + "relationship_type": "mitigates", + "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", + "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98.json b/mobile-attack/relationship/relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98.json index 726c5c8292..e537699d9d 100644 --- a/mobile-attack/relationship/relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98.json +++ b/mobile-attack/relationship/relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--03651f6e-1a11-47ea-bfa4-e218939b451b", + "id": "bundle--7a70c358-aa54-4872-b87b-07121ee41e53", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--b96e8699-4bd2-4793-8f9c-88d6e4c50e98", "created": "2023-09-28T17:39:35.622Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:39:35.622Z", + "modified": "2025-04-16T21:51:06.992Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) has used infected applications with Facebook login prompts to steal credentials.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c.json b/mobile-attack/relationship/relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c.json index 7268521d93..11c8b8b45d 100644 --- a/mobile-attack/relationship/relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c.json +++ b/mobile-attack/relationship/relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--e3ecd03e-d300-4d51-b740-def75324594d", + "id": "bundle--2f124e44-c672-47b2-afad-d8feb1e6f281", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--b98fa6ef-a5f2-4867-8108-8daf8534cc3c", "created": "2022-04-01T16:51:20.688Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:07.185Z", "description": "Users should scrutinize every device administration permission request. If the request is not expected or the user does not recognize the application, the application should be uninstalled immediately.", - "modified": "2022-04-01T16:51:20.688Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc.json b/mobile-attack/relationship/relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc.json index 8becc4dd31..3b130f8333 100644 --- a/mobile-attack/relationship/relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc.json +++ b/mobile-attack/relationship/relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--97d52864-df62-4a2d-8432-f0e5fd284bf8", + "id": "bundle--52559406-ec30-4462-b9b6-e4266ac3c4c5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc", "type": "relationship", + "id": "relationship--b9af8369-a6b2-4081-9f07-2ee15d56bffc", "created": "2020-06-02T14:32:31.871Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Project Zero Insomnia", - "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html", - "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020." + "description": "I. Beer. (2019, August 29). Implant Teardown. Retrieved June 2, 2020.", + "url": "https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html" } ], - "modified": "2020-06-24T18:24:35.795Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:07.389Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can collect application database files, including Gmail, Hangouts, device photos, and container directories of third-party apps.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49.json b/mobile-attack/relationship/relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49.json index 22cf31840f..a63b55dcf4 100644 --- a/mobile-attack/relationship/relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49.json +++ b/mobile-attack/relationship/relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e7e9022e-9d6d-4775-8ec8-67a9796ba0c9", + "id": "bundle--ee6b9527-3ae6-486a-ae9b-a6c0f081e6e1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49", "type": "relationship", + "id": "relationship--b9b9ce86-89f6-41ea-8ba1-9520985acb49", "created": "2020-12-24T22:04:28.004Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:28.004Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:07.590Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has checked for system root.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51.json b/mobile-attack/relationship/relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51.json index b5de206dd7..e5981f6314 100644 --- a/mobile-attack/relationship/relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51.json +++ b/mobile-attack/relationship/relationship--ba02a1dc-d5b9-41cb-9adf-883119e1aa51.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6d5bd3eb-c37f-4adb-8566-a42a155a020d", + "id": "bundle--906af714-b2c0-4e8b-88d5-c16a4136cc2e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:12:27.624Z", + "modified": "2025-04-16T21:51:07.816Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has communicated with the C2 using HTTP.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ba116807-ef1c-4621-84c8-9921fa7b735e.json b/mobile-attack/relationship/relationship--ba116807-ef1c-4621-84c8-9921fa7b735e.json index f5bf687b19..0169f43dad 100644 --- a/mobile-attack/relationship/relationship--ba116807-ef1c-4621-84c8-9921fa7b735e.json +++ b/mobile-attack/relationship/relationship--ba116807-ef1c-4621-84c8-9921fa7b735e.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--74abd7c4-4c47-49fd-8978-925090071bdb", + "id": "bundle--10379b62-b402-40e4-a344-512c41b3a8db", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ba116807-ef1c-4621-84c8-9921fa7b735e", "created": "2023-09-28T17:19:21.499Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-09-28T17:19:21.499Z",
+ "modified": "2025-04-16T21:51:08.004Z",
 "description": "[Escobar](https://attack.mitre.org/software/S1092) can request the `GET_ACCOUNTS` permission to get the list of accounts on the device, and can collect media files.(Citation: Bleeipng Computer Escobar)",
 "relationship_type": "uses",
 "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a",
 "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6.json b/mobile-attack/relationship/relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6.json
index b29faa3ae1..9b79b49cd3 100644
--- a/mobile-attack/relationship/relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6.json
+++ b/mobile-attack/relationship/relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--31817785-6b1b-4c4b-a6ab-8baa1225c343",
+ "id": "bundle--08899202-c288-494e-a638-9d47eee4cbea",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6",
 "type": "relationship",
+ "id": "relationship--ba5fc090-d420-4006-9dc0-57b75260b5f6",
 "created": "2020-07-15T20:20:59.296Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Bitdefender Mandrake",
- "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf",
- "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020."
+ "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.",
+ "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"
 }
 ],
- "modified": "2020-07-15T20:20:59.296Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:08.223Z",
 "description": "[Mandrake](https://attack.mitre.org/software/S0485) can collect the device\u2019s location.(Citation: Bitdefender Mandrake)",
 "relationship_type": "uses",
 "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307",
 "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae.json b/mobile-attack/relationship/relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae.json
index 3dc32b8acb..b21fc879f2 100644
--- a/mobile-attack/relationship/relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae.json
+++ b/mobile-attack/relationship/relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--b0bc2b93-3beb-4e76-b113-f09fda777bb6",
+ "id": "bundle--ff24c104-6ffd-4e2f-af7e-423bd190b73a",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae",
 "type": "relationship",
+ "id": "relationship--ba8735ad-b9c6-4b35-9fac-d4747ab0b2ae",
 "created": "2020-11-10T17:08:35.746Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Lookout Uyghur Campaign",
- "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf",
- "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."
+ "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.",
+ "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"
 }
 ],
- "modified": "2020-12-01T19:48:44.878Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:08.425Z",
 "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has searched device storage for various files, including .amr files (audio recordings) and superuser binaries.(Citation: Lookout Uyghur Campaign)",
 "relationship_type": "uses",
 "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320",
 "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d.json b/mobile-attack/relationship/relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d.json
index a1cdc76ddd..7d8cbbf2fa 100644
--- a/mobile-attack/relationship/relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d.json
+++ b/mobile-attack/relationship/relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--4e1c7360-2149-49af-961c-23948cdd2c9a",
+ "id": "bundle--7fe083f8-3608-4ced-9e2f-13a0f8b81261",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d",
 "type": "relationship",
+ "id": "relationship--baa82c0a-b51c-4d4a-ae1d-6d6fd637f78d",
 "created": "2020-07-15T20:20:59.294Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Bitdefender Mandrake",
- "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf",
- "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020."
+ "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.",
+ "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"
 }
 ],
- "modified": "2020-07-15T20:20:59.294Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:08.626Z",
 "description": "[Mandrake](https://attack.mitre.org/software/S0485) can obtain a list of installed applications.(Citation: Bitdefender Mandrake)",
 "relationship_type": "uses",
 "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307",
 "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf.json b/mobile-attack/relationship/relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf.json
index 5aee854414..7bf9cb03ae 100644
--- a/mobile-attack/relationship/relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf.json
+++ b/mobile-attack/relationship/relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--9220c6b7-a291-47aa-8497-8188575a5fb9",
+ "id": "bundle--5caa7c8c-bfb0-4fab-89df-2efc3a0d55b7",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--baad8ab8-f05f-4e31-9671-44c009ae3ecf",
 "created": "2023-08-09T14:38:34.721Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-09T14:38:34.721Z",
+ "modified": "2025-04-16T21:51:08.819Z",
 "description": "Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
 "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106.json b/mobile-attack/relationship/relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106.json
index 411424a76e..266e0c4448 100644
--- a/mobile-attack/relationship/relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106.json
+++ b/mobile-attack/relationship/relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--169b3261-c6ca-489b-8be5-fc45fbc1b917",
+ "id": "bundle--04060803-2729-4842-9da1-aadea9012299",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106",
 "type": "relationship",
+ "id": "relationship--bb006be2-7d2c-4bb3-ab48-7c95e0ab8106",
 "created": "2020-12-14T14:52:03.255Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Sophos Red Alert 2.0",
- "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/",
- "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020."
+ "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.",
+ "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/"
 }
 ],
- "modified": "2020-12-14T14:52:03.255Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:09.012Z",
 "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) has stored data embedded in the strings.xml resource file.(Citation: Sophos Red Alert 2.0)",
 "relationship_type": "uses",
 "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8",
 "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf.json b/mobile-attack/relationship/relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf.json
index e40291b05a..3a435817fb 100644
--- a/mobile-attack/relationship/relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf.json
+++ b/mobile-attack/relationship/relationship--bb11b7d1-e661-49af-9746-9fa4c56324bf.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--c606de41-3955-4926-a771-21d4d5be1735",
+ "id": "bundle--e9d6e7e8-8f83-43fc-97c6-5653a059eca3",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-08T16:31:10.270Z",
+ "modified": "2025-04-16T21:51:09.234Z",
 "description": "Application vetting services can detect unnecessary and potentially abused API calls.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
 "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630.json b/mobile-attack/relationship/relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630.json
index d704621dbf..503fd1675f 100644
--- a/mobile-attack/relationship/relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630.json
+++ b/mobile-attack/relationship/relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630.json
@@ -1,33 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--5a12e6db-81c3-4eff-8a31-ce17e0f5f285",
+ "id": "bundle--45bb291f-9595-42cc-a24e-e84c05264136",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--bb34aff0-9af9-463b-a1aa-7f5ec7b84630",
 "created": "2020-07-15T20:20:59.300Z",
- "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "Bitdefender Mandrake",
- "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf",
- "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020."
+ "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.",
+ "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf"
 }
 ],
- "x_mitre_deprecated": false,
- "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:09.436Z",
 "description": "[Mandrake](https://attack.mitre.org/software/S0485) can manipulate visual components to trick the user into granting dangerous permissions, and can use phishing overlays and JavaScript injection to capture credentials.(Citation: Bitdefender Mandrake)",
- "modified": "2022-04-12T10:01:44.682Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "relationship_type": "uses",
 "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307",
 "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551.json b/mobile-attack/relationship/relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551.json
new file mode 100644
index 0000000000..6935f47120
--- /dev/null
+++ b/mobile-attack/relationship/relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--c6e9f3b6-7711-4544-802b-751f49565ec4",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--bb3bd38c-0b82-4c58-8e25-2fbab235a551",
+ "created": "2025-03-28T14:50:49.769Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "SecureList OpTriangulation 23Oct2023",
+ "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.",
+ "url": "https://securelist.com/triangulation-validators-modules/110847/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:09.664Z",
+ "description": "(Citation: SecureList OpTriangulation 23Oct2023) ",
+ "relationship_type": "uses",
+ "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3",
+ "target_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451.json b/mobile-attack/relationship/relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451.json
index c47308cc04..42bab6f171 100644
--- a/mobile-attack/relationship/relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451.json
+++ b/mobile-attack/relationship/relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451.json
@@ -1,14 +1,11 @@
 {
 "type": "bundle",
- "id": "bundle--e1c9c4bf-9c1d-41a9-8b71-948968693494",
+ "id": "bundle--22993eaa-b19e-42e9-a8e1-c22fe9751e95",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451",
 "type": "relationship",
+ "id": "relationship--bb3be217-08e2-4bb0-9f1a-d8e538010451",
 "created": "2017-12-14T16:46:06.044Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
@@ -18,13 +15,16 @@
 "url": "https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html"
 }
 ],
- "modified": "2018-10-17T00:14:20.652Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:09.872Z",
 "description": "[RuMMS](https://attack.mitre.org/software/S0313) gathers device model and operating system version information and transmits it to a command and control server.(Citation: FireEye-RuMMS)",
 "relationship_type": "uses",
 "source_ref": "malware--936be60d-90eb-4c36-9247-4b31128432c4",
 "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387.json b/mobile-attack/relationship/relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387.json
index 2b0fb77554..8299d24455 100644
--- a/mobile-attack/relationship/relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387.json
+++ b/mobile-attack/relationship/relationship--bb77cfbe-ac95-4cc2-acbc-8cefa15b9387.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--04fd2454-0c8a-452c-b68c-873e152906f8",
+ "id": "bundle--53a56d23-dc14-43af-9050-3bdcd5f88274",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-04T19:15:08.695Z",
+ "modified": "2025-04-16T21:51:10.067Z",
 "description": "[Hornbill](https://attack.mitre.org/software/S1077) can gather device call logs.(Citation: lookout_hornbill_sunbird_0221)",
 "relationship_type": "uses",
 "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1",
 "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402.json b/mobile-attack/relationship/relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402.json
index cd8749ae08..ddc4a7888b 100644
--- a/mobile-attack/relationship/relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402.json
+++ b/mobile-attack/relationship/relationship--bb83ee25-8875-4806-9f69-ac39bf7cb402.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--88d95b4a-26a2-45ea-8f7d-8bfe32bc6863",
+ "id": "bundle--e31682f7-a97d-4bd6-b2e7-a2bcaf292bbe",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:25:39.509Z",
+ "modified": "2025-04-16T21:51:10.271Z",
 "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect SMS messages.(Citation: SecureList BusyGasper)",
 "relationship_type": "uses",
 "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4",
 "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bba8b056-acbe-4fed-b890-965a446d7a3c.json b/mobile-attack/relationship/relationship--bba8b056-acbe-4fed-b890-965a446d7a3c.json
index 26267d687e..6a20a14fb1 100644
--- a/mobile-attack/relationship/relationship--bba8b056-acbe-4fed-b890-965a446d7a3c.json
+++ b/mobile-attack/relationship/relationship--bba8b056-acbe-4fed-b890-965a446d7a3c.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--58a5f5fa-f0bb-47a7-9109-f9b211c0fe08",
+ "id": "bundle--34e91806-b7e0-4f8d-9165-72fd7d860ca8",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--bba8b056-acbe-4fed-b890-965a446d7a3c",
 "created": "2022-04-01T18:45:00.923Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:10.474Z",
 "description": "Users should be warned against granting access to accessibility features and device administration services, and to carefully scrutinize applications that request these dangerous permissions. Users should be taught how to boot into safe mode to uninstall malicious applications that may be interfering with the uninstallation process.",
- "modified": "2022-04-01T18:45:00.923Z",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
 "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af.json b/mobile-attack/relationship/relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af.json
index 5a7bcf4027..bdfca0d877 100644
--- a/mobile-attack/relationship/relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af.json
+++ b/mobile-attack/relationship/relationship--bbc6308e-f7f6-40c7-80cb-f760d623c8af.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--d6c5e3e0-7319-480b-9b8d-5390aa36713d",
+ "id": "bundle--caef25d7-5896-468d-831a-561cf508da80",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-03-27T18:56:41.614Z",
+ "modified": "2025-04-16T21:51:10.680Z",
 "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use HTTP to send C2 messages to infected devices.(Citation: nccgroup_sharkbot_0322)",
 "relationship_type": "uses",
 "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291",
 "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735.json b/mobile-attack/relationship/relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735.json
index 7169a44b65..3d260b90d5 100644
--- a/mobile-attack/relationship/relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735.json
+++ b/mobile-attack/relationship/relationship--bbd619c8-bd9a-4107-a60f-7a3a9f953735.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4437822f-5638-4b78-b7f2-bc46346c68b2",
+ "id": "bundle--510c10ce-8675-43de-9517-ac37e5491eca",
 "spec_version": "2.0",
 "objects": [
 {
@@ -24,15 +24,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-04-15T21:40:02.581Z",
+ "modified": "2025-04-16T21:51:10.879Z",
 "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate to the C2 server using HTTPS.(Citation: welivesec_strongpity)(Citation: trendmicro_strongpity) ",
 "relationship_type": "uses",
 "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4",
 "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1.json b/mobile-attack/relationship/relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1.json
index 68bd21e0cc..71312bf8a2 100644
--- a/mobile-attack/relationship/relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1.json
+++ b/mobile-attack/relationship/relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--fcb9d20e-7a53-4c51-9569-a73e439b565f",
+ "id": "bundle--f493e917-cb46-45ef-a802-4f45e4607680",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1",
 "type": "relationship",
+ "id": "relationship--bbe1af69-7303-4205-82d8-5b03c43e39c1",
 "created": "2020-11-24T17:55:12.887Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Talos GPlayed",
- "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html",
- "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020."
+ "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.",
+ "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"
 }
 ],
- "modified": "2020-11-24T17:55:12.887Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:11.089Z",
 "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the device\u2019s model, country, and Android version.(Citation: Talos GPlayed)",
 "relationship_type": "uses",
 "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a",
 "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005.json b/mobile-attack/relationship/relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005.json
index 884811792b..a96f0ba74f 100644
--- a/mobile-attack/relationship/relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005.json
+++ b/mobile-attack/relationship/relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--9f0fd3b6-0b4b-4d3a-85b9-8a75e1bf9bef", + "id": "bundle--b0ef3d5d-a7b7-4ce9-b94f-c43971bcaf28", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--bc0d2cbb-30fa-40e6-a250-bf6e5d8f9005", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Kaspersky-Skygofree", - "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", - "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018." + "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:11.287Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via binary SMS.(Citation: Kaspersky-Skygofree)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2.json b/mobile-attack/relationship/relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2.json index 9032d378d2..ef255a2638 100644 --- a/mobile-attack/relationship/relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2.json +++ b/mobile-attack/relationship/relationship--bc0d86de-0642-4cbf-a785-7ff70507a9a2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3ac76e5c-b3f6-478f-ac8b-772b00455502", + "id": "bundle--f7a769be-9853-489f-bb75-fdbdb3c09633", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T17:08:11.867Z", + "modified": "2025-04-16T21:51:11.511Z", "description": "The user can examine the list of all installed applications, including those with a suppressed icon, in the device settings. If the user is redirected to the device settings when tapping an application\u2019s icon, they should inspect the application to ensure it is genuine.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f.json b/mobile-attack/relationship/relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f.json index c3c870010e..a201922ff1 100644 --- a/mobile-attack/relationship/relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f.json +++ b/mobile-attack/relationship/relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--dd69392b-a4e6-4185-a0b0-4906d22fea19", + "id": "bundle--47d63583-3155-4d76-90af-2ccd8a429160", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", "type": "relationship", + "id": "relationship--bc4e848a-adb7-40a2-94a1-d5ab9854ff0f", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], - "modified": "2019-10-10T15:24:09.378Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:11.718Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can copy files from the device to the C2 server.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1.json b/mobile-attack/relationship/relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1.json index 8d1a79df3a..48b3dc2a95 100644 --- a/mobile-attack/relationship/relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1.json +++ b/mobile-attack/relationship/relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--15249e94-b679-4f74-8532-cac17ae5b4a0", + "id": "bundle--4465f37b-f128-4abe-ad69-8294b4781ac2", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--bc59883f-672e-4dc8-a7de-f713a26f88e1", "created": "2023-08-14T16:31:37.179Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:31:37.179Z", + "modified": "2025-04-16T21:51:11.920Z", "description": "Many properly configured firewalls may naturally block command and control traffic.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bc79a212-139f-4dce-be72-e90585f38f03.json b/mobile-attack/relationship/relationship--bc79a212-139f-4dce-be72-e90585f38f03.json index 8d9bd5d953..6d9046c500 100644 --- a/mobile-attack/relationship/relationship--bc79a212-139f-4dce-be72-e90585f38f03.json +++ b/mobile-attack/relationship/relationship--bc79a212-139f-4dce-be72-e90585f38f03.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--cc92acde-d323-4d11-8b5a-08f05509e508", + "id": "bundle--4eeb2234-aa01-4d01-ae4d-65605dac497b", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T21:11:17.731Z", + "modified": "2025-04-16T21:51:12.115Z", "description": "The user can view their default phone app in device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8.json b/mobile-attack/relationship/relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8.json index f73c0128f3..6b23b69a25 100644 --- a/mobile-attack/relationship/relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8.json +++ b/mobile-attack/relationship/relationship--bc79d59b-1828-4133-9f8f-df8cad9543a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8a119cc9-0ce5-40bc-bda9-ad9a87cf57f5", + "id": "bundle--1b1d14a5-504d-4b0a-b8dd-2d8d87322d0f", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:37:19.124Z", + "modified": "2025-04-16T21:51:12.331Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can delete arbitrary files from the device.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bc870a55-5499-4146-91ef-ea74647c3e10.json b/mobile-attack/relationship/relationship--bc870a55-5499-4146-91ef-ea74647c3e10.json index 55c376cd82..62b9d0e038 100644 --- a/mobile-attack/relationship/relationship--bc870a55-5499-4146-91ef-ea74647c3e10.json +++ b/mobile-attack/relationship/relationship--bc870a55-5499-4146-91ef-ea74647c3e10.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--cf9a6455-e9f4-4f3e-808f-4922cbfff9c1", + "id": "bundle--dcc3c433-7f24-4a74-8813-e47a1e7f01cc", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--bc870a55-5499-4146-91ef-ea74647c3e10", "created": "2023-07-12T20:50:03.159Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-12T20:50:03.159Z", + "modified": "2025-04-16T21:51:12.520Z", "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a.json b/mobile-attack/relationship/relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a.json index d7251b3274..08ef82f42e 100644 --- a/mobile-attack/relationship/relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a.json +++ b/mobile-attack/relationship/relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--da98e5a9-2d7d-4dd5-ba2e-8d71759bd429", + "id": "bundle--e092c2bc-1c7e-4006-af21-bc1e490661f1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--bcc8eb7a-d2a8-41d2-832e-f435e51c685a", "created": "2022-03-30T19:54:43.835Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:12.725Z", "description": "Security updates frequently contain fixes for vulnerabilities that could be leveraged to modify protected operating system files. ", - "modified": "2022-03-30T19:54:43.835Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19.json b/mobile-attack/relationship/relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19.json index 3a094ba035..f525d019b9 100644 --- a/mobile-attack/relationship/relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19.json +++ b/mobile-attack/relationship/relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6d55e1e9-5c0c-4f25-b99f-87c4473744fc", + "id": "bundle--79c3de5f-02fc-4133-87dd-8543c315d3ac", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19", "type": "relationship", + "id": "relationship--bce64ec2-43d5-4501-a0aa-0abe65551a19", "created": "2021-02-17T20:43:52.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], - "modified": "2021-02-17T20:43:52.381Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:12.921Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has retrieved account information for other applications.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8.json b/mobile-attack/relationship/relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8.json index 805e3384b7..830c761d2e 100644 --- a/mobile-attack/relationship/relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8.json +++ b/mobile-attack/relationship/relationship--bd1e016a-1ebb-4f30-9342-998f656dd8b8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e3785b92-8eeb-4b23-819c-f729bc157014", + "id": "bundle--2eba04fa-6466-41ea-a4db-c2facfb6b653", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:21:49.009Z", + "modified": "2025-04-16T21:51:13.123Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can enable app installation from unknown sources.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bd29ce15-1771-470c-a74b-5ea90832ce23.json b/mobile-attack/relationship/relationship--bd29ce15-1771-470c-a74b-5ea90832ce23.json index 501459cf4d..ef81247001 100644 --- a/mobile-attack/relationship/relationship--bd29ce15-1771-470c-a74b-5ea90832ce23.json +++ b/mobile-attack/relationship/relationship--bd29ce15-1771-470c-a74b-5ea90832ce23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--710db9b7-955b-461d-909d-0f93dda1c686", + "id": "bundle--40966082-9e04-41c9-863d-063badb6f105", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:31:11.269Z", + "modified": "2025-04-16T21:51:13.331Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected SMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bd351b17-e995-4528-bbea-e1138c51476a.json b/mobile-attack/relationship/relationship--bd351b17-e995-4528-bbea-e1138c51476a.json index 7234b06b63..abdf99f404 100644 --- a/mobile-attack/relationship/relationship--bd351b17-e995-4528-bbea-e1138c51476a.json +++ b/mobile-attack/relationship/relationship--bd351b17-e995-4528-bbea-e1138c51476a.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--73761dc9-0706-49da-8b55-f10368492e16", + "id": "bundle--c100d601-deb7-4a56-928f-f63efd93ce11", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bd351b17-e995-4528-bbea-e1138c51476a", "type": "relationship", + "id": "relationship--bd351b17-e995-4528-bbea-e1138c51476a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", - "source_name": "PaloAlto-SpyDealer" + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], - "modified": "2019-08-09T17:56:05.683Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:13.563Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) exfiltrates data from over 40 apps such as WeChat, Facebook, WhatsApp, Skype, and others.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c.json b/mobile-attack/relationship/relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c.json index 3a56273af8..bd33e6b412 100644 --- a/mobile-attack/relationship/relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c.json +++ b/mobile-attack/relationship/relationship--bd6829ee-dc51-477b-9739-1cd1cd304b6c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bbbeda2e-0182-47a7-8040-c7cb2446210d", + "id": "bundle--fd9b8325-fea1-4d49-acbf-e60f35f32d58", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:45:14.199Z", + "modified": "2025-04-16T21:51:13.775Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can hide its icon.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9.json b/mobile-attack/relationship/relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9.json index 68b2f27e29..8432d474d8 100644 --- a/mobile-attack/relationship/relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9.json +++ b/mobile-attack/relationship/relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--3a8200ae-f10f-4dd6-bdc6-28b9b562c313", + "id": "bundle--7f5d5a9c-b465-45aa-adb3-a4cc95e814d9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--bd889077-d4bd-4475-8e1f-6f507a7bedb9", "created": "2022-04-01T13:19:41.207Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:13.962Z", "description": "", - "modified": "2022-04-01T13:19:41.207Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--4e6620ac-c30c-4f6d-918e-fa20cae7c1ce", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1.json b/mobile-attack/relationship/relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1.json index bd37c7eed0..89b9bdd0fb 100644 --- a/mobile-attack/relationship/relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1.json +++ b/mobile-attack/relationship/relationship--bd952153-4902-4fc4-8e2e-b7c7b8bad7f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e671cd9a-d18f-41fa-ba9d-0ec0584bc937", + "id": "bundle--b99f6615-d8ff-4bce-8109-62a138c92097", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:11:24.686Z", + "modified": "2025-04-16T21:51:14.166Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) has code to use Firebase Cloud Messaging for receiving C2 instructions.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--6a3f6490-9c44-40de-b059-e5940f246673", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f.json b/mobile-attack/relationship/relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f.json index 0b98b93050..e4eb2076c9 100644 --- a/mobile-attack/relationship/relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f.json +++ b/mobile-attack/relationship/relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--35b10228-9055-4c01-9fa0-5f205d48d7ea", + "id": "bundle--efc62c1f-02df-4d0a-9dd0-8e4ae4ffb500", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f", "type": "relationship", + "id": "relationship--bd99b570-5966-4337-8ab4-2d6f4afd0f7f", "created": "2019-09-04T15:38:56.799Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", - "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", - "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], - "modified": "2019-09-10T14:59:26.138Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:14.364Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can record video.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf.json b/mobile-attack/relationship/relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf.json index 1698a5c546..238a83880f 100644 
--- a/mobile-attack/relationship/relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf.json +++ b/mobile-attack/relationship/relationship--bdb29822-63c5-4dd0-961b-cdf3f2482adf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8628eb1d-dbb8-4fe5-a09e-27b14b2babda", + "id": "bundle--ad100a79-a514-4e7e-a3c7-dbfd507c78ab", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:11:45.377Z", + "modified": "2025-04-16T21:51:14.552Z", "description": "On both Android and iOS, the user can manage which applications have permission to access calendar information through the device settings screen, revoke the permission if necessary. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f.json b/mobile-attack/relationship/relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f.json index f7eaefee05..13160af14a 100644 --- a/mobile-attack/relationship/relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f.json +++ b/mobile-attack/relationship/relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a2a22d0b-a60a-4e92-b8c5-59b417ac28f1", + "id": "bundle--4fe25d32-655e-48ec-bc3e-c80fb81d7a0b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--bdc59dcf-0e0a-4d47-b289-0c298115215f", "created": "2023-08-23T22:17:13.986Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-23T22:17:13.986Z", + "modified": "2025-04-16T21:51:14.751Z", "description": "Security updates frequently contain patches to vulnerabilities. ", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be07d829-9a12-4d90-ad8c-9e56782af120.json b/mobile-attack/relationship/relationship--be07d829-9a12-4d90-ad8c-9e56782af120.json index db4827c142..3901962013 100644 --- a/mobile-attack/relationship/relationship--be07d829-9a12-4d90-ad8c-9e56782af120.json +++ b/mobile-attack/relationship/relationship--be07d829-9a12-4d90-ad8c-9e56782af120.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f3e2dfbc-789e-4f45-9254-f04fadc865fc", + "id": "bundle--056f9d52-f8f6-40b2-ae35-2f7f7cbb33db", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--be07d829-9a12-4d90-ad8c-9e56782af120", "created": "2023-12-18T19:05:57.050Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:05:57.050Z", + "modified": "2025-04-16T21:51:14.942Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can record audio using a device\u2019s microphone.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be136fd1-6949-4de6-be37-6d76f8def41a.json b/mobile-attack/relationship/relationship--be136fd1-6949-4de6-be37-6d76f8def41a.json index 299a530d54..ae59bcf3ab 100644 --- a/mobile-attack/relationship/relationship--be136fd1-6949-4de6-be37-6d76f8def41a.json +++ b/mobile-attack/relationship/relationship--be136fd1-6949-4de6-be37-6d76f8def41a.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4a2e5ffa-d9e1-4bbb-a4e8-71b2f6be169c", + "id": "bundle--1bbaaf52-d882-4de0-81e2-b1cd785d1899", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--be136fd1-6949-4de6-be37-6d76f8def41a", "type": "relationship", + "id": "relationship--be136fd1-6949-4de6-be37-6d76f8def41a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", - "source_name": "PaloAlto-SpyDealer" + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], - "modified": "2019-10-15T19:37:21.366Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:15.138Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests location data from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be17dc63-5b0a-491a-be5f-132058444c3a.json b/mobile-attack/relationship/relationship--be17dc63-5b0a-491a-be5f-132058444c3a.json index 293a9dab54..d7d82e0114 100644 
--- a/mobile-attack/relationship/relationship--be17dc63-5b0a-491a-be5f-132058444c3a.json +++ b/mobile-attack/relationship/relationship--be17dc63-5b0a-491a-be5f-132058444c3a.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--f9353b68-2adf-418f-ab52-57e39d0b2d26", + "id": "bundle--11030a67-015f-4901-a0d7-d730ed438a3a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--be17dc63-5b0a-491a-be5f-132058444c3a", "type": "relationship", + "id": "relationship--be17dc63-5b0a-491a-be5f-132058444c3a", "created": "2019-08-09T17:52:13.352Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], - "modified": "2019-08-09T17:52:31.877Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:15.374Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) has the ability to take pictures using the device camera.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce.json b/mobile-attack/relationship/relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce.json index 0d40e18803..e738415e82 100644 --- a/mobile-attack/relationship/relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce.json +++ b/mobile-attack/relationship/relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d53c7049-8680-4642-9a28-b783e8b1d5c0", + "id": "bundle--f4a4d548-36b3-40b9-8d0d-5417a3623d58", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce", "type": "relationship", + "id": "relationship--be256f8a-8bae-4a00-8682-22797ba7e0ce", "created": "2019-09-04T14:28:15.975Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2019-10-14T17:51:38.054Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:15.576Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) queries the device for metadata such as make, model, and power levels.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--be27a303-5748-4b72-ba69-a328e2f6cc08.json b/mobile-attack/relationship/relationship--be27a303-5748-4b72-ba69-a328e2f6cc08.json index d7e4003de5..172d10781f 100644 --- a/mobile-attack/relationship/relationship--be27a303-5748-4b72-ba69-a328e2f6cc08.json +++ b/mobile-attack/relationship/relationship--be27a303-5748-4b72-ba69-a328e2f6cc08.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ba789af8-235c-408c-98e0-1af1aeed4078", + "id": "bundle--5bb6eb35-30b7-4fc7-baa4-1961875fb1d5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--be27a303-5748-4b72-ba69-a328e2f6cc08", "type": "relationship", + "id": "relationship--be27a303-5748-4b72-ba69-a328e2f6cc08", "created": "2020-12-31T18:25:05.177Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], - "modified": "2020-12-31T18:25:05.177Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:15.773Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) can download new modules while running.(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be39c012-7201-4757-8cd6-c855bc945a9e.json b/mobile-attack/relationship/relationship--be39c012-7201-4757-8cd6-c855bc945a9e.json index 9968ed90db..7c6071138c 100644 
--- a/mobile-attack/relationship/relationship--be39c012-7201-4757-8cd6-c855bc945a9e.json +++ b/mobile-attack/relationship/relationship--be39c012-7201-4757-8cd6-c855bc945a9e.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--72973282-fde6-4aa5-8d12-59f541facfa6", + "id": "bundle--67939b16-94f0-44e8-8688-4c3d0edae689", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--be39c012-7201-4757-8cd6-c855bc945a9e", "type": "relationship", + "id": "relationship--be39c012-7201-4757-8cd6-c855bc945a9e", "created": "2019-07-10T15:25:57.623Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-08-12T17:30:07.568Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:15.972Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) comes packaged with ExynosAbuse, an Android exploit that can gain root privileges.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b.json b/mobile-attack/relationship/relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b.json index 98c1c3a712..ef4407d6c6 100644 --- a/mobile-attack/relationship/relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b.json 
+++ b/mobile-attack/relationship/relationship--be526f3a-480f-4ede-b772-2b29b8a3ca2b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6022266d-f820-4830-897f-d67605494898", + "id": "bundle--739b7f88-6b78-48a2-86bb-28fc52fd2bbb", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T21:40:12.349Z", + "modified": "2025-04-16T21:51:16.169Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to exfiltrate encrypted data to the C2 server.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be7c3f83-b164-4d53-bfac-65f7437dabec.json b/mobile-attack/relationship/relationship--be7c3f83-b164-4d53-bfac-65f7437dabec.json index e3fed988f4..26c7d59584 100644 --- a/mobile-attack/relationship/relationship--be7c3f83-b164-4d53-bfac-65f7437dabec.json +++ b/mobile-attack/relationship/relationship--be7c3f83-b164-4d53-bfac-65f7437dabec.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--88344268-041c-4b6a-8c84-2a4e362e15f7", + "id": "bundle--6c923ff7-a1ee-4dba-b40c-524a4dad774a", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T17:13:28.972Z", + "modified": "2025-04-16T21:51:16.372Z", "description": "The user can view a list of device administrators and applications that have registered accessibility services in device settings. The user can typically visually see when an action happens that they did not initiate and can subsequently review installed applications for any out of place or unknown ones. Applications that register an accessibility service or request device administrator permissions should be scrutinized further for malicious behavior.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137.json b/mobile-attack/relationship/relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137.json index 88e5431ca4..adef43cb2a 100644 --- a/mobile-attack/relationship/relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137.json +++ b/mobile-attack/relationship/relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--9d1fff64-f829-4b3f-97cd-59e51b8b3fae", + "id": "bundle--412c2a26-68b5-4e70-8e13-81ba35958d95", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--be8d0cd6-be77-456e-bcfb-6325cb8ba137", "created": "2023-09-28T17:20:15.010Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:20:15.010Z", + "modified": "2025-04-16T21:51:16.576Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can access external storage.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c.json b/mobile-attack/relationship/relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c.json index 71f86745e6..6c8c6da92c 100644 --- a/mobile-attack/relationship/relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c.json +++ b/mobile-attack/relationship/relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--2bcba6d6-4264-4868-912c-481ee77d8f4d", + "id": "bundle--fc3273a5-b8cb-447f-a1ec-8ab5b31ea99d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c", "type": "relationship", + "id": "relationship--bed52256-e5d2-4f15-8c4c-27f709e10c6c", "created": "2020-06-26T14:55:13.380Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], - "modified": "2020-06-26T14:55:13.380Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:16.780Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) dynamically loads its malicious functionality at runtime from an RC4-encrypted TTF file. [EventBot](https://attack.mitre.org/software/S0478) also utilizes ProGuard to obfuscate the generated APK file.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421.json b/mobile-attack/relationship/relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421.json index 48cb119de5..719b558d44 100644 --- a/mobile-attack/relationship/relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421.json +++ b/mobile-attack/relationship/relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--94e78f3c-5292-4d39-b810-eb70532187af", + "id": "bundle--196fdcd9-8fdd-4a9f-a64b-bfca41bc8d98", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421", "type": "relationship", + "id": "relationship--bee6407a-1f05-4f91-b6e7-a8f8b58fa421", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "http://blog.checkpoint.com/2017/01/24/charger-malware/" } ], - "modified": "2019-10-09T14:51:42.827Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:16.977Z", "description": "[Charger](https://attack.mitre.org/software/S0323) encodes strings into binary arrays to make it difficult to inspect them. It also loads code from encrypted resources dynamically and includes meaningless commands that mask the actual commands passing through.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--bee919a6-c488-49a0-9848-fff19aa2c276.json b/mobile-attack/relationship/relationship--bee919a6-c488-49a0-9848-fff19aa2c276.json index b6e1f4f8c8..7591c673f9 100644 --- a/mobile-attack/relationship/relationship--bee919a6-c488-49a0-9848-fff19aa2c276.json +++ b/mobile-attack/relationship/relationship--bee919a6-c488-49a0-9848-fff19aa2c276.json @@ -1,23 +1,23 @@ { "type": "bundle", - "id": "bundle--6be7fb39-7b71-4c7e-973a-17e6c667a87e", + "id": "bundle--dfebdf80-8317-4146-af43-01390306c5df", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--bee919a6-c488-49a0-9848-fff19aa2c276", + "created": "2021-09-24T14:47:34.449Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--bee919a6-c488-49a0-9848-fff19aa2c276", - "type": "relationship", - "created": "2021-09-24T14:47:34.449Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-04T20:08:48.556Z", + "modified": "2025-04-16T21:51:17.175Z", "description": "Mobile security products can often detect rooted devices.", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bef936d5-736e-491a-9c30-37b8362a5d96.json b/mobile-attack/relationship/relationship--bef936d5-736e-491a-9c30-37b8362a5d96.json index 32a96b9991..d359bc9ee0 100644 --- a/mobile-attack/relationship/relationship--bef936d5-736e-491a-9c30-37b8362a5d96.json 
+++ b/mobile-attack/relationship/relationship--bef936d5-736e-491a-9c30-37b8362a5d96.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--98559e87-a131-417d-a381-8c15fddd022a", + "id": "bundle--ad2f02fb-fd6f-4fa5-893b-f080257d0f56", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--bef936d5-736e-491a-9c30-37b8362a5d96", "created": "2023-07-21T19:33:48.439Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:33:48.439Z", + "modified": "2025-04-16T21:51:17.382Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can access device call logs.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2.json b/mobile-attack/relationship/relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2.json index 250fb4de02..220d46898a 100644 --- a/mobile-attack/relationship/relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2.json +++ b/mobile-attack/relationship/relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--162f9fd0-2b04-4705-a6c3-94e75d01f0ff", + "id": "bundle--e237ab14-d8c5-4bc5-b2c5-4aafcd94a569", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--befa3b5a-e4f4-4ed3-ada1-860a034284d2", "created": "2023-09-28T17:19:51.110Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:19:51.110Z", + "modified": "2025-04-16T21:51:17.578Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can access the device\u2019s call log.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bf02dea9-17cb-41f8-b362-c3081da81199.json b/mobile-attack/relationship/relationship--bf02dea9-17cb-41f8-b362-c3081da81199.json new file mode 100644 index 0000000000..9403ac8b5a --- /dev/null +++ b/mobile-attack/relationship/relationship--bf02dea9-17cb-41f8-b362-c3081da81199.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--6e3086c3-8ca0-49e7-aed5-02c4fac034f5", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--bf02dea9-17cb-41f8-b362-c3081da81199", + "created": "2025-03-28T14:58:01.536Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 01Jun2023", + "description": "Kuznetsov, I., et al. (2023, June 1). Operation Triangulation: iOS devices targeted with previously unknown malware. Retrieved April 18, 2024.", + "url": "https://securelist.com/operation-triangulation/109842/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:17.780Z", + "description": "During [Operation Triangulation](https://attack.mitre.org/campaigns/C0054), the threat actors collected device and user information.(Citation: SecureList OpTriangulation 01Jun2023) ", + "relationship_type": "uses", + "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8.json b/mobile-attack/relationship/relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8.json index fd6edd5f1f..008dcc6641 100644 --- a/mobile-attack/relationship/relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8.json +++ b/mobile-attack/relationship/relationship--bf19207a-ac71-436d-8ef4-4ab059b533c8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2615fe97-2636-46ad-8b41-b78357046a68", + "id": "bundle--b1d0d72a-5cc3-497b-820d-df17f2602cfa", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:48:43.225Z", + "modified": "2025-04-16T21:51:17.976Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) uses root access to establish reboot hooks to re-install the application from `/data/misc/adn`.(Citation: FortiGuard-FlexiSpy) At boot, [FlexiSpy](https://attack.mitre.org/software/S0408) spawns daemons for process monitoring, call monitoring, call managing, and system.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1.json b/mobile-attack/relationship/relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1.json index 0b385279a7..ccef81aa0b 100644 --- a/mobile-attack/relationship/relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1.json +++ b/mobile-attack/relationship/relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--521d7792-aa9f-4138-abe8-229115bdd64a", + "id": "bundle--5a92cbaa-0f2e-4fe6-97d3-d2e9d86034de", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1", "type": "relationship", + "id": "relationship--bf2ea132-c8f3-4ea0-8c4c-bdc95923c3b1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app" } ], - "modified": "2019-10-10T15:24:09.355Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:18.172Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can activate the victim's microphone.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db.json b/mobile-attack/relationship/relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db.json index 0c72ec0ba1..dcf966c69c 100644 --- a/mobile-attack/relationship/relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db.json +++ b/mobile-attack/relationship/relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db.json 
@@ -1,26 +1,32 @@ { "type": "bundle", - "id": "bundle--ae3a079c-6947-4552-a1f1-d8ca7ba4aeb1", + "id": "bundle--db78d642-b811-4d76-83aa-29dac1c9041a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--bf33711d-a4d2-4957-9b1f-49c5b83958db", "created": "2023-09-21T22:51:40.666Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "external_references": [ + { + "source_name": "Scott-Railton_TheCitizenLab Pegasus Apr2022", + "description": "Scott-Railton, J., et al. (2022, April 18). Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru. Retrieved April 18, 2024.", + "url": "https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T22:51:40.666Z", - "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) can compromise iPhones running iOS 16.6 without any user interaction.", + "modified": "2025-04-16T21:51:18.376Z", + "description": "[Pegasus for iOS](https://attack.mitre.org/software/S0289) can compromise iPhones running iOS 16.6 without any user interaction.(Citation: Scott-Railton_TheCitizenLab Pegasus Apr2022)", "relationship_type": "uses", "source_ref": "malware--33d9d91d-aad9-49d5-a516-220ce101ac8a", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
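Review bot: The citation attached to the description in this hunk does not appear to support the claim it now backs. The new `external_references` entry describes a Citizen Lab report dated "2022, April 18", while the sentence it is appended to is about iPhones running iOS 16.6, a release that, as far as I know, shipped in 2023. Anyone using `(Citation: Scott-Railton_TheCitizenLab Pegasus Apr2022)` as provenance for the zero-click claim is pointed at a source that predates that iOS version. Either replace the reference with the report that documents the iOS 16.6 case, e.g. `"source_name": "<report covering the iOS 16.6 compromise>"` (placeholder), or narrow the description to what the April 2022 report states.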
diff --git a/mobile-attack/relationship/relationship--bf901bab-3caa-4d05-a859-d9fb4d838304.json b/mobile-attack/relationship/relationship--bf901bab-3caa-4d05-a859-d9fb4d838304.json index dabe6afdaf..f7f37d16dd 100644 --- a/mobile-attack/relationship/relationship--bf901bab-3caa-4d05-a859-d9fb4d838304.json +++ b/mobile-attack/relationship/relationship--bf901bab-3caa-4d05-a859-d9fb4d838304.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0ad16456-f134-406a-80c6-3b6494ef1018", + "id": "bundle--5a7cce40-534c-47b4-ac0d-0c8350e2a5c3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--bf901bab-3caa-4d05-a859-d9fb4d838304", "type": "relationship", + "id": "relationship--bf901bab-3caa-4d05-a859-d9fb4d838304", "created": "2019-10-10T15:27:22.091Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "source_name": "Lookout-StealthMango" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-10-10T15:27:22.091Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:18.570Z", "description": "[Tangelo](https://attack.mitre.org/software/S0329) accesses browser history, pictures, and videos.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--35aae10a-97c5-471a-9c67-02c231a7a31a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bfad064a-0a49-44e3-b283-94653edc12af.json b/mobile-attack/relationship/relationship--bfad064a-0a49-44e3-b283-94653edc12af.json index f885044071..f4163fc889 100644 --- a/mobile-attack/relationship/relationship--bfad064a-0a49-44e3-b283-94653edc12af.json 
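Review bot: The new side of this object omits `revoked` and `x_mitre_deprecated`, even though it is stamped `"x_mitre_attack_spec_version": "3.2.0"` like the sibling relationships in this patch, which carry both keys explicitly as `false`. The hunk for relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95 has the same gap. A consumer that selects active content with a strict equality test on these keys would silently drop both objects from its detection or mitigation mappings. I would add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before the spec-version line, or state in the release notes that an absent key means `false`.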
+++ b/mobile-attack/relationship/relationship--bfad064a-0a49-44e3-b283-94653edc12af.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--dc8d622b-0a71-441f-823b-46cecf78677b", + "id": "bundle--6e4a28bb-b9a3-4081-90d3-db16591dae9a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--bfad064a-0a49-44e3-b283-94653edc12af", "created": "2023-08-07T17:13:04.270Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T17:13:04.270Z", + "modified": "2025-04-16T21:51:18.776Z", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962.json b/mobile-attack/relationship/relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962.json index e26edc8fc0..b5e14a936c 100644 --- a/mobile-attack/relationship/relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962.json +++ b/mobile-attack/relationship/relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--226fbe84-4d68-4832-b973-115c47765dbe", + "id": "bundle--85bd0699-e12f-432e-a535-7b3ef5d81b5c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--bfd0d9cb-27e2-42a2-9207-764bb1491962", "created": "2022-03-30T19:54:07.548Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:18.981Z", "description": "Device attestation could detect devices with unauthorized or unsafe modifications. ", - "modified": "2022-03-30T19:54:07.548Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0.json b/mobile-attack/relationship/relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0.json index 83d8fcb0dc..b995166199 100644 --- a/mobile-attack/relationship/relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0.json +++ b/mobile-attack/relationship/relationship--bff3f22c-660d-4ceb-b1bb-dbd064d363c0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f711cc6d-efb6-4c72-b054-59a91e834dde", + "id": "bundle--e6c26c52-326f-4b3a-854c-1be3ca2d5a7e", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T21:00:59.182Z", + "modified": "2025-04-16T21:51:19.170Z", "description": "Application vetting services should look for applications that request VPN access. These applications should be heavily scrutinized since VPN functionality is not very common. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c00031dd-0466-4fd2-9724-ab1c04232bad.json b/mobile-attack/relationship/relationship--c00031dd-0466-4fd2-9724-ab1c04232bad.json index cde54f6440..2b1cbe1bbb 100644 --- a/mobile-attack/relationship/relationship--c00031dd-0466-4fd2-9724-ab1c04232bad.json +++ b/mobile-attack/relationship/relationship--c00031dd-0466-4fd2-9724-ab1c04232bad.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8cdb07b-5623-453c-8020-074f411c7dd5", + "id": "bundle--1b6447d4-5fa4-4d1f-a22a-9bdfe157cb88", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:28:27.010Z", + "modified": "2025-04-16T21:51:19.380Z", "description": "Application vetting services can detect unnecessary and potentially abused API calls.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95.json b/mobile-attack/relationship/relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95.json index 86ae427243..259af0827c 100644 --- a/mobile-attack/relationship/relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95.json +++ b/mobile-attack/relationship/relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95.json 
@@ -1,23 +1,23 @@ { "type": "bundle", - "id": "bundle--a58c5114-97e1-424e-a6c6-f86bda1da1b3", + "id": "bundle--04cc2840-31f7-40e7-ae20-50b068811e20", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95", + "created": "2019-10-18T15:51:48.525Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--c021d9b9-3850-425d-b3d2-6b7bd7e62b95", - "type": "relationship", - "created": "2019-10-18T15:51:48.525Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2019-10-18T15:51:48.525Z", + "modified": "2025-04-16T21:51:19.570Z", "description": "Users should be advised not to use public charging stations or computers to charge their devices. Instead, users should be issued a charger acquired from a trustworthy source. Users should be advised not to click on device prompts to trust attached computers unless absolutely necessary.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e.json b/mobile-attack/relationship/relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e.json new file mode 100644 index 0000000000..6376166ff2 --- /dev/null +++ b/mobile-attack/relationship/relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--7e3cd04a-d2d6-46d1-989b-1e24acb250d0", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c052da1e-4a1e-48bb-9b8d-b68839d4347e", + "created": "2025-03-24T20:10:08.651Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Shoshin_Kaspersky LightSpy 2020", + "description": "Shoshin, P. (2020, March 27). LightSpy spyware targets iPhone users in Hong Kong. Retrieved February 12, 2025.", + "url": "https://usa.kaspersky.com/blog/lightspy-watering-hole-attack/21301/" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. 
Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:19.775Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed the device\u2019s GPS location.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Shoshin_Kaspersky LightSpy 2020)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c056b1d4-c70b-403e-b396-18840865ca7d.json b/mobile-attack/relationship/relationship--c056b1d4-c70b-403e-b396-18840865ca7d.json index bd8df4d46d..517bc39b82 100644 --- a/mobile-attack/relationship/relationship--c056b1d4-c70b-403e-b396-18840865ca7d.json +++ b/mobile-attack/relationship/relationship--c056b1d4-c70b-403e-b396-18840865ca7d.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--90201f20-a59f-48c5-937c-d5b46f7b84f8", + "id": "bundle--09147b19-1d28-43a0-9384-949cd863e1ec", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c056b1d4-c70b-403e-b396-18840865ca7d", "created": "2024-02-20T23:50:47.088Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:50:47.088Z", + "modified": "2025-04-16T21:51:19.978Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device\u2019s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c0f03d23-03d6-4457-b783-792d1b8f2994.json b/mobile-attack/relationship/relationship--c0f03d23-03d6-4457-b783-792d1b8f2994.json index 950d71701c..1e1b4c3180 100644 --- a/mobile-attack/relationship/relationship--c0f03d23-03d6-4457-b783-792d1b8f2994.json +++ b/mobile-attack/relationship/relationship--c0f03d23-03d6-4457-b783-792d1b8f2994.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--24f1030f-f234-4c35-ac15-4605b4c14b9b", + "id": "bundle--9d9b230d-5f1c-4a3a-865b-b049c3972d6c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c0f03d23-03d6-4457-b783-792d1b8f2994", "created": "2024-08-20T19:09:27.377Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-08-20T19:09:27.377Z", + "modified": "2025-04-16T21:51:20.172Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) can collect encrypted Telegram and Signal communications.(Citation: mandiant_apt44_unearthing_sandworm)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c.json b/mobile-attack/relationship/relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c.json index d044c34a97..f6e1bb0d8d 100644 --- a/mobile-attack/relationship/relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c.json +++ b/mobile-attack/relationship/relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a573ab13-c91e-41cd-9431-ac132c75a2f7", + "id": "bundle--65a7d444-7253-427a-b353-6eb40f790260", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c1453cd9-44bb-4dd2-bdbd-eb06a239d38c", "created": "2022-04-06T15:52:07.805Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:20.380Z", "description": "", - "modified": "2022-04-06T15:52:07.805Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd.json b/mobile-attack/relationship/relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd.json index 3281631a3a..6c93db0f6f 100644 --- a/mobile-attack/relationship/relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd.json +++ b/mobile-attack/relationship/relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--2aa2cb81-031c-460f-b444-bd12287a5ac5", + "id": "bundle--8fb1f47f-6a20-49db-9862-75a61830cbef", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c14efc74-8a5c-4a2d-b9ba-a231738c90dd", "created": "2020-12-24T21:41:37.047Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:20.582Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has used HTTPS for C2 communication.(Citation: Lookout Uyghur Campaign)", - "modified": "2022-04-18T16:04:02.127Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c1512591-7440-4a69-93b9-fe439a4c197e.json b/mobile-attack/relationship/relationship--c1512591-7440-4a69-93b9-fe439a4c197e.json index abc5f8fa84..08e1bf369c 100644 --- a/mobile-attack/relationship/relationship--c1512591-7440-4a69-93b9-fe439a4c197e.json +++ b/mobile-attack/relationship/relationship--c1512591-7440-4a69-93b9-fe439a4c197e.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--c7c3a7ee-c585-4429-a99a-067476db8064", + "id": "bundle--af63cca9-0412-4450-a6ad-63b32fa9678a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c1512591-7440-4a69-93b9-fe439a4c197e", "created": "2022-03-28T19:40:40.860Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:20.781Z", "description": "", - "modified": "2022-03-28T19:40:40.860Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c16c7904-3c85-49de-a0f4-872f4227d775.json b/mobile-attack/relationship/relationship--c16c7904-3c85-49de-a0f4-872f4227d775.json index fd6347ea68..a736db3fd4 100644 --- a/mobile-attack/relationship/relationship--c16c7904-3c85-49de-a0f4-872f4227d775.json +++ b/mobile-attack/relationship/relationship--c16c7904-3c85-49de-a0f4-872f4227d775.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e4153b47-9874-449b-b2c4-ccc0286cd726", + "id": "bundle--d6d9417f-0b54-4924-9e1b-f3c9814be473", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:59.143Z", + "modified": "2025-04-16T21:51:20.976Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) was embedded into legitimate applications using Smali injection.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6.json b/mobile-attack/relationship/relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6.json index 9038cb0fbd..9e04552bf2 100644 --- a/mobile-attack/relationship/relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6.json +++ b/mobile-attack/relationship/relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--8e0c08db-e07b-4189-9173-c3d14328527a", + "id": "bundle--a36acb47-6323-49cc-9c93-48ee8dac9ad0", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c186864b-0af9-42eb-92ba-b8a6952e89b6", "created": "2023-07-21T19:36:09.214Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:36:09.214Z", + "modified": "2025-04-16T21:51:21.171Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can take photos using the device cameras.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6.json b/mobile-attack/relationship/relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6.json index fa919fbe96..931555f462 100644 --- a/mobile-attack/relationship/relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6.json +++ b/mobile-attack/relationship/relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--09af2fff-3d93-4509-ab6e-9c05e4b5b94f", + "id": "bundle--ed22e5ba-b820-482a-92c3-a425c6f4885d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c1abb6fd-04b4-4b0e-89f4-fd3f160ea3a6", "created": "2024-03-01T18:54:39.815Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-01T18:54:39.815Z", + "modified": "2025-04-16T21:51:21.383Z", "description": "[Sandworm Team](https://attack.mitre.org/groups/G0034) used SMS-based phishing to target victims with malicious links.(Citation: Leonard TAG 2023)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c1cafa91-9891-4e65-b75d-d83ef6838653.json b/mobile-attack/relationship/relationship--c1cafa91-9891-4e65-b75d-d83ef6838653.json index 216411cf09..acbc5eb298 100644 --- a/mobile-attack/relationship/relationship--c1cafa91-9891-4e65-b75d-d83ef6838653.json +++ b/mobile-attack/relationship/relationship--c1cafa91-9891-4e65-b75d-d83ef6838653.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--cfb2db0c-20f6-49de-a5ba-0d594d2c548b", + "id": "bundle--c6f8a980-b899-495c-b015-818d07851caf", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c1cafa91-9891-4e65-b75d-d83ef6838653", "created": "2023-12-18T18:13:02.691Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:13:02.691Z", + "modified": "2025-04-16T21:51:21.578Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) can use tailored overlay pages to steal PINs for banking applications.(Citation: cleafy_brata_0122)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd.json b/mobile-attack/relationship/relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd.json index 735062bc35..16df6906ce 100644 --- a/mobile-attack/relationship/relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd.json +++ b/mobile-attack/relationship/relationship--c1d78c3d-9ed6-4e3f-9cad-b98b5dfb8ebd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8f797df1-c54c-49f7-a304-683e028737b6", + "id": "bundle--3d96b8e6-2fdb-4ad1-bfac-b314da8ab633", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:13:31.468Z", + "modified": "2025-04-16T21:51:21.785Z", "description": "On both Android and iOS, the user can manage which applications have permission to access the contact list through the device settings screen, revoking the permission if necessary. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c23d9eff-1d4e-479f-a114-acc535540a23.json b/mobile-attack/relationship/relationship--c23d9eff-1d4e-479f-a114-acc535540a23.json index add53ed23b..7acca192e3 100644 --- a/mobile-attack/relationship/relationship--c23d9eff-1d4e-479f-a114-acc535540a23.json +++ b/mobile-attack/relationship/relationship--c23d9eff-1d4e-479f-a114-acc535540a23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4e7ded8c-149e-4f4e-ba2a-b578f471e4cc", + "id": "bundle--2ffefacd-0355-4d04-8b1a-c3223a60fb2c", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:29:07.329Z", + "modified": "2025-04-16T21:51:21.973Z", "description": "Application vetting services can detect unnecessary and potentially abused permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad.json b/mobile-attack/relationship/relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad.json index 2c1cb8ea1c..86e9a414a8 100644 --- a/mobile-attack/relationship/relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad.json +++ b/mobile-attack/relationship/relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--6f1d9206-2581-4ca1-b900-761e7f0a42a6", + "id": "bundle--03d42c17-dfb1-4a40-aa0f-d409c4646dd2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c2536a3c-bb84-42b7-8ac6-05f26205a4ad", "created": "2021-10-01T14:42:49.159Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:22.158Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can utilize the device\u2019s sensors to determine when the device is in use and subsequently hide malicious activity. 
When active, it attempts to hide its malicious activity by turning the screen\u2019s brightness as low as possible and muting the device.(Citation: SecureList BusyGasper)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--24a77e53-0751-46fc-b207-99378fb35c08", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae.json b/mobile-attack/relationship/relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae.json index baa50d4bd9..ca3e66ca84 100644 --- a/mobile-attack/relationship/relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae.json +++ b/mobile-attack/relationship/relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--5620ab91-0a35-4028-a59b-6d10c122113c", + "id": "bundle--2f9d69f2-935e-47ee-924a-2c19f6e54559", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae", "type": "relationship", + "id": "relationship--c264d954-8b5f-4be1-acf0-6387b7f04fae", "created": "2021-02-17T20:43:52.407Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], - "modified": "2021-02-17T20:43:52.407Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:22.382Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has gathered the device manufacturer, model, and serial number.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d.json b/mobile-attack/relationship/relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d.json index 5882fd235a..5e4fb9168f 100644 --- a/mobile-attack/relationship/relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d.json +++ b/mobile-attack/relationship/relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--024a6718-789c-48ec-92e3-3845392e5907", + "id": "bundle--e59e16e0-9474-4e30-a8d6-646a9762f84a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c32cbb0c-b5d7-44ad-94aa-43e2fbade91d", "created": "2023-12-18T19:05:04.764Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:05:04.764Z", + "modified": "2025-04-16T21:51:22.570Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can obtain device info such as manufacturer, device ID, OS version, and country.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b.json b/mobile-attack/relationship/relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b.json index 165ee43e38..33bf70f17d 100644 
--- a/mobile-attack/relationship/relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b.json +++ b/mobile-attack/relationship/relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a051df5d-28f3-401b-beab-277b9f6ad047", + "id": "bundle--cdfd6df4-7097-40b2-a3e3-0d64089d65d6", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c33b7dfb-82ad-4a7c-a84c-6e7e9849253b", "created": "2023-08-14T16:35:55.610Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:35:55.610Z", + "modified": "2025-04-16T21:51:22.781Z", "description": "Many properly configured firewalls may naturally block one-way command and control traffic.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4.json b/mobile-attack/relationship/relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4.json index 5edf2846cc..27ca239106 100644 --- a/mobile-attack/relationship/relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4.json +++ b/mobile-attack/relationship/relationship--c340b30d-0ad5-4e90-94ce-b6a6b229a7c4.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e4ad50c6-8edb-43d2-801c-6d5c2b7dd4e9", + "id": "bundle--c16b2c00-58e3-4949-848a-2d711828e4d2", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:31:30.741Z", + "modified": "2025-04-16T21:51:22.981Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect SMS messages.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396.json b/mobile-attack/relationship/relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396.json index 4d9fd8400c..ed43e6299c 100644 --- a/mobile-attack/relationship/relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396.json +++ b/mobile-attack/relationship/relationship--c3439bdd-a0db-401b-97fd-5e2ec135a396.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c6cf94de-e2ac-4d5f-9e28-90af90e20775", + "id": "bundle--1dc5495e-f915-44d6-bd0c-a64bcdf756a1", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T17:15:46.818Z", + "modified": "2025-04-16T21:51:23.178Z", "description": "The user can view a list of active device administrators in the device settings.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6.json b/mobile-attack/relationship/relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6.json index 3032740599..d09273fa01 100644 --- a/mobile-attack/relationship/relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6.json +++ b/mobile-attack/relationship/relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d567b2d5-3e00-44c1-b6d7-313aacf3f434", + "id": "bundle--e282ea43-b58c-4208-b358-b817e5c6314e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6", "type": "relationship", + "id": "relationship--c368c932-7d5a-40e3-a18b-f30e82b9e4e6", "created": "2020-10-29T17:48:27.332Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", - "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", - "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], - "modified": "2020-10-29T17:48:27.332Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:23.391Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device\u2019s IMEI, phone number, and IP address.(Citation: Threat Fabric Exobot) ", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c374c9ce-ff30-4daa-bdec-8015a507746a.json b/mobile-attack/relationship/relationship--c374c9ce-ff30-4daa-bdec-8015a507746a.json index a5ac4550b5..5b2b1cd5ec 100644 --- a/mobile-attack/relationship/relationship--c374c9ce-ff30-4daa-bdec-8015a507746a.json +++ b/mobile-attack/relationship/relationship--c374c9ce-ff30-4daa-bdec-8015a507746a.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ce6c4a21-5732-4482-87e0-dac348230c70", + "id": "bundle--37be8deb-1234-4eb0-8cbe-38fa1fb646a3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c374c9ce-ff30-4daa-bdec-8015a507746a", "type": "relationship", + "id": "relationship--c374c9ce-ff30-4daa-bdec-8015a507746a", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", - "source_name": "Kaspersky-Skygofree" + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], - "modified": "2019-08-09T18:08:07.145Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:23.585Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has a capability to obtain files from other installed applications.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d.json b/mobile-attack/relationship/relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d.json index efc811aa46..ee946e9b66 100644 
--- a/mobile-attack/relationship/relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d.json +++ b/mobile-attack/relationship/relationship--c393fe8f-5708-40eb-ada9-6ca0d9b16c7d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--67730a41-7854-43f1-945f-fb1c3c6f3cd2", + "id": "bundle--1b1627ec-1e52-4904-b9fc-95c8d2cb9b85", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:43:05.577Z", + "modified": "2025-04-16T21:51:23.783Z", "description": "Application vetting services could closely scrutinize applications that request Device Administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--e2c2249a-eb82-4614-8dd4-9c514dde65e2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619.json b/mobile-attack/relationship/relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619.json index 5bbc5c5bf2..1d0dc5e13f 100644 --- a/mobile-attack/relationship/relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619.json +++ b/mobile-attack/relationship/relationship--c3c0ff44-71bb-4774-a850-7b7c9dccb619.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f394be07-7de1-4d8d-9a7e-e293ea707cea", + "id": "bundle--58265872-4587-4d5f-897c-2e7cc29394f6", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:59:29.793Z", + "modified": "2025-04-16T21:51:23.978Z", "description": "On Android, users may be presented with a popup to select the appropriate application to open the URI in. If the user sees an application they do not recognize, they can remove it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee.json b/mobile-attack/relationship/relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee.json index b727dbafe9..04b9eed534 100644 --- a/mobile-attack/relationship/relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee.json +++ b/mobile-attack/relationship/relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--d61b094d-2e04-491c-bc7c-96672f2038eb", + "id": "bundle--36acad78-ce42-4e20-97ed-de074dcd6129", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c3c2bf20-fa33-4af4-92ec-d60679e1d4ee", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "", - "modified": "2022-04-06T15:41:16.871Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:24.171Z", + "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--1f96d624-8409-4472-ad8a-30618ee6b2e2", "target_ref": "attack-pattern--53263a67-075e-48fa-974b-91c5b5445db7", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c40cba48-7714-4d03-b748-cadd03360e7a.json b/mobile-attack/relationship/relationship--c40cba48-7714-4d03-b748-cadd03360e7a.json index 4d8cc106c6..28f0107959 100644 --- a/mobile-attack/relationship/relationship--c40cba48-7714-4d03-b748-cadd03360e7a.json +++ b/mobile-attack/relationship/relationship--c40cba48-7714-4d03-b748-cadd03360e7a.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--adfcc847-3aee-4fe7-9c06-426b923475ef", + "id": "bundle--59fed179-962f-4878-b2dc-c77d38c127d4", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c40cba48-7714-4d03-b748-cadd03360e7a", "created": "2024-02-20T23:55:33.981Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:55:33.981Z", + "modified": "2025-04-16T21:51:24.377Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c41d817e-913e-4574-b8d4-370de9f0034b.json b/mobile-attack/relationship/relationship--c41d817e-913e-4574-b8d4-370de9f0034b.json index 37adcff952..e80ba43be8 100644 --- a/mobile-attack/relationship/relationship--c41d817e-913e-4574-b8d4-370de9f0034b.json +++ b/mobile-attack/relationship/relationship--c41d817e-913e-4574-b8d4-370de9f0034b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--823b794e-b18a-4208-8fe9-41e645dc84d3", + "id": "bundle--a5641c58-be47-476f-8e46-9a58dd64e496", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:19:16.331Z", + "modified": "2025-04-16T21:51:24.599Z", "description": "[Triada](https://attack.mitre.org/software/S0424) injects code into the Zygote process to effectively include itself in all forked processes. Additionally, code is injected into the Android Play Store App, web browser applications, and the system UI application.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada March 2016)", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--1ff89c1b-7615-4fe8-b9cb-63aaf52e6dee", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77.json b/mobile-attack/relationship/relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77.json index 7490e1f181..cf94b0ca1a 100644 --- a/mobile-attack/relationship/relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77.json +++ b/mobile-attack/relationship/relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--8624e75e-5ba9-4b7f-8e8e-4b7b768c858b", + "id": "bundle--a0ebff34-df43-46cf-bf1e-c34bd152cf7c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c43341e3-6fb9-46f1-8ea3-8daede1a4c77", "created": "2022-04-06T15:52:41.579Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:24.804Z", "description": "", - "modified": "2022-04-06T15:52:41.579Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--a5de0540-73e7-4c67-96da-4143afedc7ed", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb.json b/mobile-attack/relationship/relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb.json index 1c05c3109e..489b2fe452 100644 --- a/mobile-attack/relationship/relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb.json +++ b/mobile-attack/relationship/relationship--c438b973-c2f3-43fc-8312-2a5bbde4facb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7b2ff225-cefe-4dc3-a018-f914bc04ca84", + "id": "bundle--5fc554d9-2a79-4e27-8de3-bac6a1b877a0", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T21:11:29.381Z", + "modified": "2025-04-16T21:51:24.999Z", "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could look for use of APIs that could indicate the application is trying to hide activity.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76.json b/mobile-attack/relationship/relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76.json index 2ef604d3be..f4841967db 100644 --- a/mobile-attack/relationship/relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76.json +++ b/mobile-attack/relationship/relationship--c49bae52-63b4-4e5e-adfd-65a0e852ed76.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7c7ec5ca-011c-48eb-8106-8ffe89d111d4", + "id": "bundle--7844e049-b325-43d5-a525-2a9e671252f5", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T21:12:52.481Z", + "modified": "2025-04-16T21:51:25.234Z", "description": "The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. The user can see a list of applications that can use accessibility services in the device settings. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd.json b/mobile-attack/relationship/relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd.json index 0c900fab2c..4a2092a40a 100644 --- a/mobile-attack/relationship/relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd.json +++ b/mobile-attack/relationship/relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e9086d59-3ccb-4f64-9213-24aa4bed65ba", + "id": "bundle--870739b6-d8bd-4abf-9af9-2f6b48014eaf", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd", "type": "relationship", + "id": "relationship--c49cdcb7-3cb8-40ed-a745-0cebad20b1fd", "created": "2020-05-04T14:04:56.214Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Google Bread", - "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html", - "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020." + "description": "A. Guertin, V. Kotov, Android Security & Privacy Team. (2020, January 9). PHA Family Highlights: Bread (and Friends) . Retrieved April 27, 2020.", + "url": "https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html" } ], - "modified": "2020-05-04T15:40:21.076Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:25.432Z", "description": "[Bread](https://attack.mitre.org/software/S0432) has used native code in an attempt to disguise malicious functionality.(Citation: Google Bread)", "relationship_type": "uses", "source_ref": "malware--108b2817-bc01-404e-8e1b-8cdeec846326", "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a.json b/mobile-attack/relationship/relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a.json index 3503039043..095a124b73 100644 --- a/mobile-attack/relationship/relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a.json +++ b/mobile-attack/relationship/relationship--c4d71eb8-2099-44b9-be45-758f9e6a771a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8df19391-1159-4679-890f-5bfb020f63cf", + "id": "bundle--ad128458-4a46-4e4e-851a-a209121e6d7e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:57.823Z", + "modified": "2025-04-16T21:51:25.634Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has masqueraded as a client of popular free ads services.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4.json b/mobile-attack/relationship/relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4.json index c3458c822f..d87c645e1a 100644 --- a/mobile-attack/relationship/relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4.json +++ b/mobile-attack/relationship/relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3bd8bdfb-bb4f-40db-a305-4afc2dff8e82", + "id": "bundle--5110fe22-5ff5-41af-9213-9e3331ca7e8f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4", "type": "relationship", + "id": "relationship--c4e73a6c-d523-4f3c-bcb6-200f63867fb4", "created": "2020-09-11T15:57:37.770Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", - "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", - "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], - "modified": "2020-09-11T15:57:37.770Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:25.825Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can delete SMS messages.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c.json b/mobile-attack/relationship/relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c.json index afcd83aa9c..1996d75de6 100644 --- a/mobile-attack/relationship/relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c.json +++ b/mobile-attack/relationship/relationship--c50b4da7-f0e1-4f6d-969c-dbc739d49d7c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e57a26dc-2990-4446-b14a-b03d7a15c3c3", + "id": "bundle--ef5262fd-6813-4478-98e7-0925c3bfdbb3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:40:43.898Z", + "modified": "2025-04-16T21:51:26.022Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can collect the device\u2019s call logs.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9.json b/mobile-attack/relationship/relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9.json index a8ab5a3122..417ec73ff1 100644 --- a/mobile-attack/relationship/relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9.json +++ b/mobile-attack/relationship/relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--d0b6fc9a-1d4c-4189-933e-5d7e99fb432c", + "id": "bundle--2e8a46ae-7ce7-4c22-9ae5-2a49d0e5080f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c53170a0-ca7f-4827-9c3c-1803ecd131f9", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "", - "modified": "2022-04-06T15:41:33.832Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:26.240Z", + "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--831e3269-da49-48ac-94dc-948008e8fd16", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687.json b/mobile-attack/relationship/relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687.json index 04d0224326..ab465167c6 100644 --- a/mobile-attack/relationship/relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687.json +++ b/mobile-attack/relationship/relationship--c546dd04-2060-44bf-ba1e-d1c1edc54687.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f52f2f14-3a9f-4e38-85b4-18af0e04237a", + "id": "bundle--2f6420b0-161b-4640-9619-de0b5ac2b78a", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.973Z", + "modified": "2025-04-16T21:51:26.466Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) was embedded into legitimate applications.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c574251b-93ad-4f55-8b84-2700dfab4622.json b/mobile-attack/relationship/relationship--c574251b-93ad-4f55-8b84-2700dfab4622.json index 2a14cf23c5..fda0fb7066 100644 --- a/mobile-attack/relationship/relationship--c574251b-93ad-4f55-8b84-2700dfab4622.json +++ b/mobile-attack/relationship/relationship--c574251b-93ad-4f55-8b84-2700dfab4622.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--73c1aa0e-5456-4229-9e6d-e2929d83b5ee", + "id": "bundle--49f9c796-8a80-4ba7-a758-7775313c7059", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:45:27.443Z", + "modified": "2025-04-16T21:51:26.681Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can hide its icon on older Android versions.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c.json b/mobile-attack/relationship/relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c.json index 8175eec324..93117aa3c0 100644 --- a/mobile-attack/relationship/relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c.json +++ b/mobile-attack/relationship/relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--9cc2ffd0-54de-45a5-bc97-2e97b8f11adf", + "id": "bundle--7120306b-b876-4c3e-9fc8-11e29b459ded", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c", "type": "relationship", + "id": "relationship--c58a26af-cc4c-41a2-b884-9a4fa8a2ad5c", "created": "2019-09-04T15:38:56.946Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "FlexiSpy-Features", - "url": "https://www.flexispy.com/en/features-overview.htm", - "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019." + "description": "FlexiSpy. (n.d.). FlexiSpy Monitoring Features. Retrieved September 4, 2019.", + "url": "https://www.flexispy.com/en/features-overview.htm" } ], - "modified": "2019-09-10T14:59:26.136Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:26.873Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can retrieve a list of installed applications.(Citation: FlexiSpy-Features) ", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429.json b/mobile-attack/relationship/relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429.json index ac56d7ecf6..df1351a6a1 100644 --- a/mobile-attack/relationship/relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429.json 
+++ b/mobile-attack/relationship/relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--59b1be17-34bb-4f93-af48-730eb9c29718", + "id": "bundle--e4a53492-4c2a-4c40-adfc-9a00d5c6c591", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c5cb9fb4-2593-412f-82f8-a04a125bd429", "created": "2022-04-01T18:51:28.859Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:27.079Z", "description": "Security updates frequently contain patches to vulnerabilities that can be exploited for root access.", - "modified": "2022-04-01T18:51:28.859Z", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2.json b/mobile-attack/relationship/relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2.json index 8c45a4adb0..dbbba0f1cb 100644 --- a/mobile-attack/relationship/relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2.json +++ b/mobile-attack/relationship/relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--02e68796-0421-4544-b811-19f2f9bb9f1f", + "id": "bundle--d0ef638b-8119-4d35-870f-0791c4464a47", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2", "type": "relationship", + "id": "relationship--c5db5bb5-9877-43cd-8851-5aa62405dcb2", "created": "2019-11-21T16:42:48.497Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList - ViceLeaker 2019", - "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", - "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019." + "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" } ], - "modified": "2019-11-21T16:42:48.497Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:27.280Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can take photos from both the front and back cameras.(Citation: SecureList - ViceLeaker 2019)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33.json b/mobile-attack/relationship/relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33.json index de769c16c8..490ddcd2f6 100644 --- a/mobile-attack/relationship/relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33.json +++ b/mobile-attack/relationship/relationship--c61c16a9-8d1a-4329-b784-ba71f8421b33.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--211d17d6-2617-4a7c-be29-457cacf8c9f1", + "id": "bundle--09f15a59-d91c-4c65-866e-effb2e22181a", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T17:11:30.820Z", + "modified": "2025-04-16T21:51:27.482Z", "description": "Mobile security products integrated with Samsung Knox for Mobile Threat Defense can monitor processes to see if security tools are killed or stop running.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081.json b/mobile-attack/relationship/relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081.json index 3fba4eb5a8..8873461dca 100644 --- a/mobile-attack/relationship/relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081.json +++ b/mobile-attack/relationship/relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--b45f9808-7078-428e-a0ac-769b5c387f19", + "id": "bundle--acdf3598-4b05-42b9-9c32-a1ccb15f5dad", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081", "type": "relationship", + "id": "relationship--c6241ba3-e0f9-48a7-9ed7-a5544a090081", "created": "2019-09-04T14:28:16.000Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2019-09-04T14:32:12.856Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:27.682Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can track the device's location.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c6464a84-e23b-412f-b435-5b23853d3643.json b/mobile-attack/relationship/relationship--c6464a84-e23b-412f-b435-5b23853d3643.json index cc151273d2..566329d684 100644 
--- a/mobile-attack/relationship/relationship--c6464a84-e23b-412f-b435-5b23853d3643.json +++ b/mobile-attack/relationship/relationship--c6464a84-e23b-412f-b435-5b23853d3643.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--a44eac8d-c5ea-428a-8341-b5eb6f10b2e4", + "id": "bundle--0bafc674-1d17-4151-a0c9-1619f161b117", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c6464a84-e23b-412f-b435-5b23853d3643", "created": "2020-09-14T13:35:45.909Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "ESET-Twitoor", - "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", - "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016." + "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.", + "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:27.879Z", "description": "[Twitoor](https://attack.mitre.org/software/S0302) encrypts its C2 communication.(Citation: ESET-Twitoor)", - "modified": "2022-04-20T12:58:23.550Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--ed2c05a1-4f81-4d97-9e1b-aff01c34ae84", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28.json b/mobile-attack/relationship/relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28.json index 4a67ef1cb5..05af14f0f5 100644 --- a/mobile-attack/relationship/relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28.json +++ b/mobile-attack/relationship/relationship--c65661a6-6047-4901-ac2c-3ca4b1bbbb28.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--dde1fe8b-9bbf-4cd1-bf67-4e44bee11071", + "id": "bundle--993cf6be-7968-4f7a-b606-1db71bae36cb", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:24:32.173Z", + "modified": "2025-04-16T21:51:28.078Z", "description": "[DroidJack](https://attack.mitre.org/software/S0320) captures call data.(Citation: Zscaler-SuperMarioRun)", "relationship_type": "uses", "source_ref": "malware--05c4f87c-be8f-46ea-8d9a-2a0aad8f52c1", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695.json b/mobile-attack/relationship/relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695.json index e6b0e5a324..4513f86cd0 100644 --- a/mobile-attack/relationship/relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695.json +++ b/mobile-attack/relationship/relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--660c14ac-f0e6-4d3e-8468-d8bd0aad418e", + "id": "bundle--1490713d-45a4-40ae-a951-1f6ef2785555", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695", "type": "relationship", + "id": "relationship--c659256c-82e3-4f4c-ac70-3d2400cf6695", "created": "2020-09-11T16:23:16.363Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Desert Scorpion", - "url": "https://blog.lookout.com/desert-scorpion-google-play", - "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020." + "description": "A. Blaich, M. Flossman. (2018, April 16). Lookout finds new surveillanceware in Google Play with ties to known threat actor targeting the Middle East. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/desert-scorpion-google-play" } ], - "modified": "2020-09-11T16:23:16.363Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:28.296Z", "description": "[Desert Scorpion](https://attack.mitre.org/software/S0505) can send SMS messages.(Citation: Lookout Desert Scorpion)", "relationship_type": "uses", "source_ref": "malware--3271c107-92c4-442e-9506-e76d62230ee8", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c.json b/mobile-attack/relationship/relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c.json new file mode 100644 index 0000000000..04b5448eaa --- /dev/null +++ b/mobile-attack/relationship/relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--310e2e5f-abf8-4c5f-bfdc-047f79e35bc8", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c6759fbe-ae7c-438e-9b30-dff3cc0b8e6c", + "created": "2025-03-24T14:57:15.065Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee MoqHao 2019", + "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:28.497Z", + "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) can execute an automated phone call.(Citation: McAfee MoqHao 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", + "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c6770405-985b-4e24-8b09-01bce16426da.json b/mobile-attack/relationship/relationship--c6770405-985b-4e24-8b09-01bce16426da.json index 01e05fdb4d..583dc1018a 100644 
--- a/mobile-attack/relationship/relationship--c6770405-985b-4e24-8b09-01bce16426da.json +++ b/mobile-attack/relationship/relationship--c6770405-985b-4e24-8b09-01bce16426da.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--32b4a431-ed88-453e-aa1e-8e02cd656fe6", + "id": "bundle--aa455d38-359d-4f48-84fd-e185514aac2e", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c6770405-985b-4e24-8b09-01bce16426da", "created": "2024-03-26T16:17:26.152Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T16:17:26.152Z", + "modified": "2025-04-16T21:51:28.709Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) collects the device\u2019s location through GPS or through network settings.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93.json b/mobile-attack/relationship/relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93.json index 2ac99ef3b3..a19aa8eda8 100644 --- a/mobile-attack/relationship/relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93.json +++ b/mobile-attack/relationship/relationship--c6a32f64-3105-4a94-8172-28ac0e10dd93.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bd9eb2d8-94c8-4bc7-a564-413b8a911236", + "id": "bundle--f710d9ed-1e10-4469-98ff-c3213ef7bb8e", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:24:44.982Z", + "modified": "2025-04-16T21:51:28.899Z", "description": "Mobile security products may provide URL inspection services that could determine if a domain being visited is malicious.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8.json b/mobile-attack/relationship/relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8.json index 4f691de131..f6635595d0 100644 --- a/mobile-attack/relationship/relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8.json +++ b/mobile-attack/relationship/relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8.json 
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--2f57533d-4307-49b8-b85a-7b876449282f", + "id": "bundle--90a95389-1b08-4365-9b2b-453db1dccc06", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c6adc765-20b4-48ef-ad5a-27fbd26c63c8", "created": "2024-03-26T18:42:43.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "checkpoint_hamas_android_malware", - "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" + "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" }, { "source_name": "sophos_android_apt_spyware", - "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231208015605/https://news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. 
Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T18:42:43.070Z", + "modified": "2025-04-16T21:51:29.098Z", "description": "[APT-C-23](https://attack.mitre.org/groups/G1028) sends malicious links to victims to download the masqueraded application.(Citation: sophos_android_apt_spyware)(Citation: checkpoint_hamas_android_malware) ", "relationship_type": "uses", "source_ref": "intrusion-set--8332952e-b86b-486b-acc3-1c2a85d39394", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f.json b/mobile-attack/relationship/relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f.json index 0419391b9b..b3c6cf1706 100644 --- a/mobile-attack/relationship/relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f.json +++ b/mobile-attack/relationship/relationship--c720fd30-5694-42b7-bf77-d948f7ba2b6f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--77568531-91e4-4e57-9f31-30f0e1916c06", + "id": "bundle--5e4b3a97-5596-44ae-8c83-ab8243735f60", "spec_version": "2.0", "objects": [ { 
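Review bot: Both rewritten `url` values in this hunk lose a slash inside the archived target: the new lines read `https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/...` and `https://web.archive.org/web/20231208015605/https:/news.sophos.com/...`, where the removed lines had `https://` after the timestamp. This looks like a path-normalisation step collapsing `//` during export rather than an intended edit. Consumers that validate, de-duplicate or allow-list citation URLs would then see a different, malformed string for the same source. I would restore the embedded scheme, e.g. `"url": "https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/"`, and do the same for the sophos reference. The new file `relationship--c773998e-a140-4498-827a-573df96e4331.json` carries the same two `https:/` URLs.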
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:30:27.616Z", + "modified": "2025-04-16T21:51:29.338Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) can extract the device\u2019s keychain.(Citation: Google Project Zero Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9.json b/mobile-attack/relationship/relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9.json index 47e154712b..b96afa58fc 100644 --- a/mobile-attack/relationship/relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9.json +++ b/mobile-attack/relationship/relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--e490db5e-8f2a-4374-8aff-862fd6ed68f8", + "id": "bundle--d7924a78-0b13-4108-b3ab-57037fb23193", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c75f3a08-b58f-4681-8ef0-75fa634503b9", "created": "2023-12-18T19:04:11.534Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:04:11.534Z", + "modified": "2025-04-16T21:51:29.540Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can register with the `CONNECTIVITY_CHANGE` and `WIFI_STATE_CHANGED` broadcast events to trigger further functionality.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c773998e-a140-4498-827a-573df96e4331.json b/mobile-attack/relationship/relationship--c773998e-a140-4498-827a-573df96e4331.json new file mode 100644 index 0000000000..64db9c8d22 --- /dev/null +++ b/mobile-attack/relationship/relationship--c773998e-a140-4498-827a-573df96e4331.json 
@@ -0,0 +1,57 @@ +{ + "type": "bundle", + "id": "bundle--3816481f-d592-46fb-ac62-bc7bc9641a31", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c773998e-a140-4498-827a-573df96e4331", + "created": "2024-03-26T19:29:40.690Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "checkpoint_hamas_android_malware", + "description": "CheckPoint Research. (2020, February 16). Hamas Android Malware On IDF Soldiers-This is How it Happened. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20240226125457/https:/research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/" + }, + { + "source_name": "Cyware APT-C-23 2020", + "description": "Cyware. (2020, October 2). APT\u2011C\u201123 is Still Active and Enhancing its Mobile Spying Capabilities. Retrieved December 2, 2024.", + "url": "https://social.cyware.com/news/aptc23-is-still-active-and-enhancing-its-mobile-spying-capabilities-82e0cea4" + }, + { + "source_name": "SentinelLabs AridViper 2023", + "description": "Delamotte, A. (2023, November 6). Arid Viper | APT\u2019s Nest of SpyC23 Malware Continues to Target Android Devices. Retrieved December 2, 2024.", + "url": "https://www.sentinelone.com/labs/arid-viper-apts-nest-of-spyc23-malware-continues-to-target-android-devices/" + }, + { + "source_name": "sophos_android_apt_spyware", + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + }, + { + "source_name": "threatpost AndroidSpyware 2020", + "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. 
Retrieved January 10, 2025.", + "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:29.761Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) has masqueraded as legitimate messaging applications.(Citation: welivesecurity_apt-c-23)(Citation: checkpoint_hamas_android_malware)(Citation: sophos_android_apt_spyware)(Citation: SentinelLabs AridViper 2023)(Citation: Cyware APT-C-23 2020)(Citation: threatpost AndroidSpyware 2020)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2.json b/mobile-attack/relationship/relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2.json index f4a25bbeea..6ba07c6e2e 100644 --- a/mobile-attack/relationship/relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2.json +++ b/mobile-attack/relationship/relationship--c778593c-1583-48cc-a99d-0ac1b5b537e2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fbc1f3ab-f3b7-499f-b86a-eb6002e35bee", + "id": "bundle--ca284d5b-1c1e-4a76-a8b6-55d1029c8c3d", "spec_version": "2.0", "objects": [ { 
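Review bot: The archived citation URLs in the new relationship--c773998e-a140-4498-827a-573df96e4331.json embed the original address in inconsistent forms. `https:/research.checkpoint.com/...` and `https:/news.sophos.com/...` have a single slash after the scheme, and `www.welivesecurity.com/...` has no scheme at all. The archive service probably resolves all three, but a pipeline that validates reference URLs or recovers the original host from the archive path can mis-parse them. I would normalise the embedded part to a full URL with scheme and double slash, e.g. `https://web.archive.org/web/20240226125457/https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/`. The same single-slash sophos URL is also visible in the citation list of the file just before this one.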
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:56:56.738Z", + "modified": "2025-04-16T21:51:29.959Z", "description": "On Android, the user can view and manage which applications have third-party keyboard access through the device settings in System -> Languages & input -> Virtual keyboard. On iOS, the user can view and manage which applications have third-party keyboard access through the device settings in General -> Keyboard. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47.json b/mobile-attack/relationship/relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47.json index 6c2414e4b9..76b9857f57 100644 --- a/mobile-attack/relationship/relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47.json +++ b/mobile-attack/relationship/relationship--c78a3e66-b7aa-4feb-bc18-b8af77f27a47.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f44cd4ae-c33a-402a-828c-741c9c088ae6", + "id": "bundle--abe799a7-2b8f-4dcc-9237-cbc739aa57bb", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T14:54:04.526Z", + "modified": "2025-04-16T21:51:30.160Z", "description": "Verified Boot can detect unauthorized modifications to the system partition.(Citation: Android-VerifiedBoot) Android\u2019s SafetyNet API provides remote attestation capabilities, which could potentially be used to identify and respond to compromised devices. Samsung Knox provides a similar remote attestation capability on supported Samsung devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c.json b/mobile-attack/relationship/relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c.json index ccf04ee37d..8ef662b685 100644 --- a/mobile-attack/relationship/relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c.json +++ b/mobile-attack/relationship/relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7c421c45-0088-4b94-8997-f8268e31d035", + "id": "bundle--28412d06-1072-4905-92ef-a00ed2a37d3b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c7d382f1-6fa7-4d6b-bd18-9a0e9d9ee17c", "created": "2024-02-21T22:05:29.733Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T22:05:29.733Z", + "modified": "2025-04-16T21:51:30.367Z", "description": "Ensure that traffic is encrypted to reduce adversaries\u2019 ability to intercept, decrypt and manipulate traffic. ", "relationship_type": "mitigates", "source_ref": "course-of-action--8220b57e-c400-4525-bf69-f8edc6b389a8", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb.json b/mobile-attack/relationship/relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb.json index 8fbe5e19bb..43b3d2ae8b 100644 --- a/mobile-attack/relationship/relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb.json +++ b/mobile-attack/relationship/relationship--c7f876d4-99f2-41ac-993c-57a3f2b4e0eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--69c4794f-d36e-47a7-b56f-d2e3aeaf39bd", + "id": "bundle--715430f5-02be-4f78-bcda-93d44ff85674", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:22:43.518Z", + "modified": "2025-04-16T21:51:30.578Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can access a device's location.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd.json b/mobile-attack/relationship/relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd.json index d2e1ccccbd..05a51e96d4 100644 --- a/mobile-attack/relationship/relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd.json +++ b/mobile-attack/relationship/relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--5e4af91e-6cba-4677-be8b-5ca078832a93", + "id": "bundle--7a3a12ad-4fe3-46aa-9a35-bd84f530ffd1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c81757a7-16b1-4b48-ae52-3d375f533dfd", "created": "2022-04-01T15:03:02.553Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:30.780Z", "description": "", - "modified": "2022-04-01T15:03:02.553Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b.json b/mobile-attack/relationship/relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b.json index 2a1dbb29dc..51ec8fbd41 100644 --- a/mobile-attack/relationship/relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b.json +++ b/mobile-attack/relationship/relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--4d9ffea1-6990-4ac1-80c8-8d4af279dbbb", + "id": "bundle--5a4d7cb6-a3fa-49eb-bd55-e147866ae7d6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c83c84e8-a556-4efe-ae24-75970ee8ad4b", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Kaspersky-WUC", - "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/", - "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016." + "description": "Costin Raiu, Denis Maslennikov, Kurt Baumgartner. (2013, March 26). Android Trojan Found in Targeted Attack. Retrieved December 23, 2016.", + "url": "https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:30.992Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) used SMS to receive command and control messages.(Citation: Kaspersky-WUC)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json b/mobile-attack/relationship/relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json index 282043df21..999112f665 100644 --- a/mobile-attack/relationship/relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json +++ b/mobile-attack/relationship/relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--23b050b4-2602-4dc1-9427-5b4e02f14971", + "id": "bundle--dce66ea9-f4b3-45ed-a277-d6c8beb286e1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0", "type": "relationship", + "id": "relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0", "created": "2021-10-01T14:42:48.728Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "modified": "2021-10-01T14:42:48.728Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:31.181Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can send an SMS message after the device boots, messages containing logs, messages to adversary-specified numbers with custom content, and can delete all SMS messages on the device.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
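Review bot: The rewritten object in relationship--c8559423-10b0-4d5e-9057-65cbfd7ee1c0.json carries neither `revoked` nor `x_mitre_deprecated`, while the neighbouring relationship objects in this patch set both to `false`. The same gap is in relationship--c86918a3-6e41-4dfb-8b18-650fff596801.json further down. A consumer that selects active relationships with a strict comparison or direct key access would drop or fail on these BusyGasper and ViperRAT mappings, quietly thinning any coverage report built from the bundle. Since the object is rewritten here anyway, I would add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`. If these files are exported by tooling, the default presumably belongs in the export step instead.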
diff --git a/mobile-attack/relationship/relationship--c86918a3-6e41-4dfb-8b18-650fff596801.json b/mobile-attack/relationship/relationship--c86918a3-6e41-4dfb-8b18-650fff596801.json index 7853af6fca..84b9f7289b 100644 --- a/mobile-attack/relationship/relationship--c86918a3-6e41-4dfb-8b18-650fff596801.json +++ b/mobile-attack/relationship/relationship--c86918a3-6e41-4dfb-8b18-650fff596801.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--38311dcd-2e9a-4747-a874-3a06d2663b4a", + "id": "bundle--8ca83b31-7a6c-433b-83d2-3bde38e8a415", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--c86918a3-6e41-4dfb-8b18-650fff596801", "type": "relationship", + "id": "relationship--c86918a3-6e41-4dfb-8b18-650fff596801", "created": "2020-09-11T16:22:03.207Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", - "url": "https://blog.lookout.com/viperrat-mobile-apt", - "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], - "modified": "2020-09-11T16:22:03.207Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:31.408Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect device photos, PDF documents, Office documents, browser history, and browser bookmarks.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--c877df57-0b8b-4286-aebb-6cca709638f3.json b/mobile-attack/relationship/relationship--c877df57-0b8b-4286-aebb-6cca709638f3.json new file mode 100644 index 0000000000..8c590e86dc --- /dev/null +++ b/mobile-attack/relationship/relationship--c877df57-0b8b-4286-aebb-6cca709638f3.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--62951911-5f7d-42dc-b662-1aa4020f7281", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--c877df57-0b8b-4286-aebb-6cca709638f3", + "created": "2025-03-24T15:00:09.464Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee MoqHao 2019", + "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:31.611Z", + "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the Tencent Push Notification Service to receive commands from the C2 server.(Citation: McAfee MoqHao 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", + "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c89d6493-3f33-4568-ac77-ba13b206ae69.json b/mobile-attack/relationship/relationship--c89d6493-3f33-4568-ac77-ba13b206ae69.json index 3efb6e4437..2dc5bd7954 100644 
--- a/mobile-attack/relationship/relationship--c89d6493-3f33-4568-ac77-ba13b206ae69.json +++ b/mobile-attack/relationship/relationship--c89d6493-3f33-4568-ac77-ba13b206ae69.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--23070e36-92bd-465f-9325-822c1c7477e8", + "id": "bundle--c935716d-5f25-4f6c-b08f-d2628202efa6", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T22:24:12.960Z", + "modified": "2025-04-16T21:51:31.823Z", "description": "The user can view applications with administrator access through the device settings, and may also notice if user data is inexplicably missing. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f.json b/mobile-attack/relationship/relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f.json index ff048b217d..00fa7c604c 100644 --- a/mobile-attack/relationship/relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f.json +++ b/mobile-attack/relationship/relationship--c89f8f8d-222b-4b83-9fa4-47fd716a271f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d00553a5-a912-4bd1-9064-8fa4e91cf29b", + "id": "bundle--3ed21519-62c5-452c-85af-8f223eaeecca", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:49:00.042Z", + "modified": "2025-04-16T21:51:32.029Z", "description": "[DEFENSOR ID](https://attack.mitre.org/software/S0479) abuses the accessibility service to auto-start the malware on device boot. This is accomplished by receiving the `android.accessibilityservice.AccessibilityService` intent.(Citation: ESET DEFENSOR ID)", "relationship_type": "uses", "source_ref": "malware--5a5dca4c-03c1-4b99-bfcf-c206e20aa663", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee.json b/mobile-attack/relationship/relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee.json index 4ee0457daa..51b45d361f 100644 --- a/mobile-attack/relationship/relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee.json +++ b/mobile-attack/relationship/relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--9ca0bb7d-eb49-4548-89b9-089371f8fe89", + "id": "bundle--b5161c2b-b20c-4800-b98d-2f50806c6a38", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c8bfe893-49d8-4d6c-8f7d-5cd9fc932dee", "created": "2023-12-18T18:16:16.811Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:16:16.811Z", + "modified": "2025-04-16T21:51:32.242Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has been distributed using phishing techniques, such as push notifications from compromised websites.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059.json b/mobile-attack/relationship/relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059.json index e42d33f090..77b21abe6d 100644 --- a/mobile-attack/relationship/relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059.json +++ b/mobile-attack/relationship/relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7d9b1013-e42a-4d5b-b8ac-cd5f4bb082ea", + "id": "bundle--d23edbcb-65dc-47a9-b048-1e051546d19b", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c8d0d360-eb9e-4fb4-97a2-efaf6d4f1059", "created": "2023-03-20T18:51:23.032Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-20T18:51:23.032Z", + "modified": "2025-04-16T21:51:32.433Z", "description": "", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--d2e112dc-f6d4-488d-b8df-ecbfb57a0a2d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9.json b/mobile-attack/relationship/relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9.json index ad8df499b1..ac10d9aaf1 100644 --- a/mobile-attack/relationship/relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9.json +++ b/mobile-attack/relationship/relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--480abc1d-9602-4fc8-a82b-c308d4408598", + "id": "bundle--41def407-e22a-44f2-81b8-f3d463c5dab4", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c90bfd4c-3c7e-4528-b5f6-574ef29ecdc9", "created": "2022-03-28T19:32:05.234Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:32.631Z", "description": "Application developers should be cautious when selecting third-party libraries to integrate into their application.", - "modified": "2022-03-28T19:32:05.234Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--7827ced0-95e7-4d05-bdcf-0d8f2d37a3d3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c943d462-fea7-4c01-88b2-de134153095b.json b/mobile-attack/relationship/relationship--c943d462-fea7-4c01-88b2-de134153095b.json index d167172d3a..425d870354 100644 --- a/mobile-attack/relationship/relationship--c943d462-fea7-4c01-88b2-de134153095b.json +++ b/mobile-attack/relationship/relationship--c943d462-fea7-4c01-88b2-de134153095b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--002d355b-36ad-4103-844e-2ca01b7624ac", + "id": "bundle--e2971d83-0a49-4b6a-865e-ae5109411efd", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T22:09:50.728Z", + "modified": "2025-04-16T21:51:32.821Z", "description": "Application vetting services typically flag permissions requested by an application, which can be reviewed by an administrator. Certain dangerous permissions, such as `RECEIVE_SMS`, could receive additional scrutiny.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31.json b/mobile-attack/relationship/relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31.json index 806ad3794d..f18b2bf9b2 100644 --- a/mobile-attack/relationship/relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31.json +++ b/mobile-attack/relationship/relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b6af33b9-9df4-4725-baa2-cffb31aed9dd", + "id": "bundle--7e8b5ff8-5a01-45ce-ac8c-77ff7fc1c412", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--c96c3405-1d9b-46e4-8f57-a6c49eb68a31", "created": "2022-04-06T13:41:17.517Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:33.030Z", "description": "", - "modified": "2022-04-06T13:41:17.517Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--e399430e-30b7-48c5-b70a-f44dc8c175cb", "target_ref": "attack-pattern--74e6003f-c7f4-4047-983b-708cc19b96b6", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140.json b/mobile-attack/relationship/relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140.json index bcd132e897..363b60bced 100644 --- a/mobile-attack/relationship/relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140.json +++ b/mobile-attack/relationship/relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--0c18ca24-d4f6-4d6c-88bf-4e9dca2cb38d", + "id": "bundle--eea452b5-26f8-4133-ac1d-1f704d584d1c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--c9769c36-d89b-40eb-92cb-8faa7d37a140", "created": "2023-09-25T19:54:37.211Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-25T19:54:37.211Z", + "modified": "2025-04-16T21:51:33.285Z", "description": "When devices are enrolled in an EMM/MDM using device owner (iOS) or fully managed (Android) mode, the EMM/MDM can collect a list of installed applications on the device. An administrator can then act on, for example blocking, specific remote access applications from being installed on managed devices. ", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b.json b/mobile-attack/relationship/relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b.json index 1d83a17ec1..340f91240f 100644 --- a/mobile-attack/relationship/relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b.json +++ b/mobile-attack/relationship/relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--8180d83d-9b87-4478-89a4-7d2498035c22", + "id": "bundle--76b0143d-abf6-4db7-85f7-1ae8c13b492b", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Wandera-RedDrop", + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" + } + ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--c9b3d86a-9c5e-4fe3-9c1c-dbd0bb89a74b", - "type": "relationship", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "url": "https://www.wandera.com/reddrop-malware/", - "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. 
Retrieved September 18, 2018.", - "source_name": "Wandera-RedDrop" - } - ], - "modified": "2019-10-15T19:27:27.997Z", + "modified": "2025-04-16T21:51:33.541Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2.json b/mobile-attack/relationship/relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2.json index 579b50aa75..c5561697c0 100644 --- a/mobile-attack/relationship/relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2.json +++ b/mobile-attack/relationship/relationship--c9c22e0d-c427-42ef-ae76-beb8ae9f6bf2.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4f5df44e-3b7e-48fb-b4bf-d25ac57d4bee", + "id": "bundle--3e08cbaa-10bb-4479-b21d-ea187fd73dbf", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:58:31.945Z", + "modified": "2025-04-16T21:51:33.732Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device\u2019s network information.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1.json b/mobile-attack/relationship/relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1.json index a22f42dccf..b8ea65d4aa 100644 --- a/mobile-attack/relationship/relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1.json +++ b/mobile-attack/relationship/relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--3751b5ea-0792-4da7-9d21-3550391b24c8", + "id": "bundle--a7fe2d22-b197-467f-8d0b-3dc89e9049d5", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ca06c79e-8cbd-480a-92a4-cd7cdaaf81c1", "created": "2024-02-21T21:05:12.760Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T21:05:12.760Z", + "modified": "2025-04-16T21:51:33.923Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106.json b/mobile-attack/relationship/relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106.json index 2e90b23f3c..d49fd8fad8 100644 --- a/mobile-attack/relationship/relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106.json +++ b/mobile-attack/relationship/relationship--ca0d9894-0c37-4a34-9b24-1887b7cd1106.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6db97734-6bf2-43e0-82e7-7b570f013cbb", + "id": "bundle--8822477f-39e0-4c7f-ad5b-371da9149239", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:29:35.623Z", + "modified": "2025-04-16T21:51:34.113Z", "description": "Application vetting services can look for applications requesting the `BIND_NOTIFICATION_LISTENER_SERVICE` permission in a service declaration. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ca486783-9413-4f39-8d2f-3adcb3e79127.json b/mobile-attack/relationship/relationship--ca486783-9413-4f39-8d2f-3adcb3e79127.json index 071a24eea1..82041e0c82 100644 --- a/mobile-attack/relationship/relationship--ca486783-9413-4f39-8d2f-3adcb3e79127.json +++ b/mobile-attack/relationship/relationship--ca486783-9413-4f39-8d2f-3adcb3e79127.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4856c921-49cc-4315-aeba-731fd4d1aacb", + "id": "bundle--8d8bab83-847c-42a4-82c0-b7e93bc1da2e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ca486783-9413-4f39-8d2f-3adcb3e79127", "type": "relationship", + "id": "relationship--ca486783-9413-4f39-8d2f-3adcb3e79127", "created": "2020-12-24T21:55:56.657Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:55:56.657Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:34.329Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has used an AES encrypted file in the assets folder with an unsuspecting name (e.g. 
\u2018GoogleMusic.png\u2019) for holding configuration and C2 information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e.json b/mobile-attack/relationship/relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e.json index 88c57e9e11..adc140acbb 100644 --- a/mobile-attack/relationship/relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e.json +++ b/mobile-attack/relationship/relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--7e12df73-9a9a-48a9-a658-aa2b71f949ad", + "id": "bundle--4ade09c9-8e0b-485d-a60f-2d733e8abe85", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e", "type": "relationship", + "id": "relationship--ca4eb452-4a2f-41d7-a015-81f43e96737e", "created": "2019-09-23T13:36:08.386Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "source_name": "securelist rotexy 2018" + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], - "modified": "2019-09-23T13:36:08.386Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:34.529Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects the device's IMEI and sends it to the command and control server.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ca568149-9971-4d15-b3db-ff7dabd49695.json b/mobile-attack/relationship/relationship--ca568149-9971-4d15-b3db-ff7dabd49695.json index e9bbc3e682..5c5fff93ff 100644 
--- a/mobile-attack/relationship/relationship--ca568149-9971-4d15-b3db-ff7dabd49695.json +++ b/mobile-attack/relationship/relationship--ca568149-9971-4d15-b3db-ff7dabd49695.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--8c77b52b-29ed-4626-9df4-dc91fe73e1d9", + "id": "bundle--b23a2c10-5f77-4391-9379-c2aa21e92418", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ca568149-9971-4d15-b3db-ff7dabd49695", "created": "2023-07-21T19:37:16.030Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:37:16.030Z", + "modified": "2025-04-16T21:51:34.721Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can capture keystrokes.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59.json b/mobile-attack/relationship/relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59.json index 0748d1d3c9..4eee6cee62 100644 --- a/mobile-attack/relationship/relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59.json +++ b/mobile-attack/relationship/relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--cdd40b24-c855-446e-8679-b5897315c79e", + "id": "bundle--fb5b5f52-18ed-4379-abe0-13477308129b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--ca8c38e6-8343-4f5e-929d-2759a0d49d59", "created": "2020-11-24T18:18:33.743Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Threat Fabric Exobot", - "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", - "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:34.918Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) has used web injects to capture users\u2019 credentials.(Citation: Threat Fabric Exobot)", - "modified": "2022-04-15T17:39:22.154Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506.json b/mobile-attack/relationship/relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506.json index b8dc4cbe22..5adcff4610 100644 --- a/mobile-attack/relationship/relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506.json +++ b/mobile-attack/relationship/relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6fc3fb4f-9e1f-4893-ad80-33ca78dc42d1", + "id": "bundle--2e34ade0-a1d9-4568-87a9-f1638028362d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506", "type": "relationship", + "id": "relationship--ca9e5e50-49e9-44cc-a0a4-4ec8633a9506", "created": "2020-11-20T16:37:28.567Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T16:37:28.567Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:35.106Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) has encrypted exfiltrated data using AES in ECB mode.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--cacc0b72-9d73-4381-90e9-545ba908722c.json b/mobile-attack/relationship/relationship--cacc0b72-9d73-4381-90e9-545ba908722c.json index 9a41f48ae8..e7a66df0d8 100644 --- a/mobile-attack/relationship/relationship--cacc0b72-9d73-4381-90e9-545ba908722c.json +++ b/mobile-attack/relationship/relationship--cacc0b72-9d73-4381-90e9-545ba908722c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--568ed504-d67e-42d0-9c63-f7cbec1ab3b6", + "id": "bundle--bb1d884d-5a8f-469a-8e44-dc1df9b0e514", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--cacc0b72-9d73-4381-90e9-545ba908722c", "type": "relationship", + "id": "relationship--cacc0b72-9d73-4381-90e9-545ba908722c", "created": "2019-09-15T15:35:33.215Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Talos Gustuff Apr 2019", "description": "Vitor Ventura. (2019, April 9). Gustuff banking botnet targets Australia . Retrieved September 3, 2019.", - "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html", - "source_name": "Talos Gustuff Apr 2019" + "url": "https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html" } ], - "modified": "2019-09-15T15:35:33.215Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:35.344Z", "description": "[Gustuff](https://attack.mitre.org/software/S0406) injects the global action `GLOBAL_ACTION_BACK` to mimic pressing the back button to close the application if a call to an open antivirus application is detected.(Citation: Talos Gustuff Apr 2019)", "relationship_type": "uses", "source_ref": "malware--ff8e0c38-be47-410f-a2d3-a3d24a87c617", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--cb5465c0-a577-45b1-becf-305e0bd47497.json b/mobile-attack/relationship/relationship--cb5465c0-a577-45b1-becf-305e0bd47497.json index 95bb42ef55..211ba030d1 100644 --- a/mobile-attack/relationship/relationship--cb5465c0-a577-45b1-becf-305e0bd47497.json +++ b/mobile-attack/relationship/relationship--cb5465c0-a577-45b1-becf-305e0bd47497.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7f15f278-d8fb-4b6c-bcb0-9374f47d4235", + "id": "bundle--be84cde2-f367-4c10-8962-237dc342a5da", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--cb5465c0-a577-45b1-becf-305e0bd47497", "created": "2023-08-23T22:49:18.075Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-23T22:49:18.075Z", + "modified": "2025-04-16T21:51:35.558Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) may prevent malware's uninstallation by abusing Android\u2019s ` performGlobalAction(int)` API call.", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f.json b/mobile-attack/relationship/relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f.json index 50e6fd92b4..3273f0de35 100644 
--- a/mobile-attack/relationship/relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f.json +++ b/mobile-attack/relationship/relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--34fdbc81-409a-4aa0-8db0-8862ce5a9990", + "id": "bundle--6107ca25-0c89-4b03-ab3a-6ec8e3cfa2c1", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--cb5a81bb-a3c6-4d7c-836c-c0bd6227b48f", "created": "2023-07-21T19:42:12.649Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:42:12.649Z", + "modified": "2025-04-16T21:51:35.771Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can inject malicious packages into applications already existing on an infected device.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c.json b/mobile-attack/relationship/relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c.json index 36df3a3cca..a850ad3875 100644 --- a/mobile-attack/relationship/relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c.json +++ b/mobile-attack/relationship/relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--32ebd73c-dccc-4c2f-992f-d1b864d001c1", + "id": "bundle--c93698e2-50a1-4732-993e-25dff0564aa5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--cb80178a-5f9c-41bd-95a2-a7c5fe23c12c", "created": "2022-04-01T18:48:03.156Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:35.965Z", "description": "", - "modified": "2022-04-01T18:48:03.156Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985.json b/mobile-attack/relationship/relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985.json index ce4db86654..aebf67efa1 100644 --- a/mobile-attack/relationship/relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985.json +++ b/mobile-attack/relationship/relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c6f8f451-0dbc-4a2e-9352-45c2bbfcc2a0", + "id": "bundle--94588ce8-8d5d-45bb-a944-b76370f68d6c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--cbb07bef-f1da-41f6-b786-4a255e8bf985", "created": "2023-08-04T18:34:07.176Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:34:07.176Z", + "modified": "2025-04-16T21:51:36.156Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate compressed ZIP files containing gathered info to C2 infrastructure.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1.json b/mobile-attack/relationship/relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1.json index 6d5379da5d..1d8ab4ba97 100644 --- a/mobile-attack/relationship/relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1.json +++ b/mobile-attack/relationship/relationship--cbb48fa1-0677-4a07-bdbf-eda1827e52f1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--62633a4f-73c4-4a10-a658-17a79657414c", + "id": "bundle--deb2bc0a-fdf9-47fc-b847-e9706ca59deb", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:18:05.613Z", + "modified": "2025-04-16T21:51:36.379Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can lock the device with a password and permanently disable the screen.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--eb6cf439-1bcb-4d10-bc68-1eed844ed7b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cbf17fea-141e-44b8-831c-b3cc41066420.json b/mobile-attack/relationship/relationship--cbf17fea-141e-44b8-831c-b3cc41066420.json index 3ad54a629f..62144c5ac7 100644 --- a/mobile-attack/relationship/relationship--cbf17fea-141e-44b8-831c-b3cc41066420.json +++ b/mobile-attack/relationship/relationship--cbf17fea-141e-44b8-831c-b3cc41066420.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a76e4be5-fd23-4608-b49a-2246f8b51118", + "id": "bundle--8684ac57-11ea-409e-b525-908d40b192ee", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--cbf17fea-141e-44b8-831c-b3cc41066420", "type": "relationship", + "id": "relationship--cbf17fea-141e-44b8-831c-b3cc41066420", "created": "2021-01-20T16:01:19.409Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Trend Micro Anubis", - "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html", - "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021." + "description": "K. Sun. (2019, January 17). Google Play Apps Drop Anubis, Use Motion-based Evasion. Retrieved January 20, 2021.", + "url": "https://www.trendmicro.com/en_us/research/19/a/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics.html" } ], - "modified": "2021-01-20T16:01:19.409Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:36.582Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can download attacker-specified APK files.(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--cc0b8984-f561-4453-a2be-9be8bd62561e.json b/mobile-attack/relationship/relationship--cc0b8984-f561-4453-a2be-9be8bd62561e.json index c23b084545..547c564c49 100644 --- a/mobile-attack/relationship/relationship--cc0b8984-f561-4453-a2be-9be8bd62561e.json +++ b/mobile-attack/relationship/relationship--cc0b8984-f561-4453-a2be-9be8bd62561e.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--0aa4b723-e20e-4f8c-a9a9-2bfe2972a4ca", + "id": "bundle--408bed5a-8770-4966-8cdd-7290057ad728", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--cc0b8984-f561-4453-a2be-9be8bd62561e", "created": "2023-09-28T17:21:45.855Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:21:45.855Z", + "modified": "2025-04-16T21:51:36.811Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can monitor a device\u2019s notifications.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cc345ae4-0d60-4f21-98b3-596c15118745.json b/mobile-attack/relationship/relationship--cc345ae4-0d60-4f21-98b3-596c15118745.json index 7a783c1df8..04b3236feb 100644 
--- a/mobile-attack/relationship/relationship--cc345ae4-0d60-4f21-98b3-596c15118745.json +++ b/mobile-attack/relationship/relationship--cc345ae4-0d60-4f21-98b3-596c15118745.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--095d013c-270e-4b2b-be11-a18d52fc1bcc", + "id": "bundle--87b33808-1273-43ab-bde2-e094098a8f3b", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:38:03.367Z", + "modified": "2025-04-16T21:51:37.008Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can send SMS messages.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a.json b/mobile-attack/relationship/relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a.json index b0fa96a212..f9805d289b 100644 --- a/mobile-attack/relationship/relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a.json +++ b/mobile-attack/relationship/relationship--cc3cf438-7206-46df-a4a4-999472ea6a9a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bab8dca9-d2f0-4ceb-b7b0-00c92c95902b", + "id": "bundle--3b513eb3-1e03-412e-807d-4fe05e49cc27", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:45:42.081Z", + "modified": "2025-04-16T21:51:37.234Z", "description": "[SimBad](https://attack.mitre.org/software/S0419) hides its icon from the application launcher.(Citation: CheckPoint SimBad 2019)", "relationship_type": "uses", "source_ref": "malware--f79c01eb-2954-40d8-a819-00b342f47ce7", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398.json b/mobile-attack/relationship/relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398.json index 42a4926fc5..ba3c581e7c 100644 --- a/mobile-attack/relationship/relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398.json +++ b/mobile-attack/relationship/relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--14bf5081-5f7c-42c5-be7a-77dff6623ed9", + "id": "bundle--9ca39f0d-4005-46f2-be90-cdb2e060bb80", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--cc3e1864-0b7b-4ca1-b123-d9c7553f3398", "created": "2024-02-20T23:48:31.513Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:48:31.513Z", + "modified": "2025-04-16T21:51:37.446Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cc49561f-8364-4908-9111-ad3a6dcd922c.json b/mobile-attack/relationship/relationship--cc49561f-8364-4908-9111-ad3a6dcd922c.json index 27ab18891c..df3f4217b0 100644 --- a/mobile-attack/relationship/relationship--cc49561f-8364-4908-9111-ad3a6dcd922c.json +++ b/mobile-attack/relationship/relationship--cc49561f-8364-4908-9111-ad3a6dcd922c.json 
@@ -1,22 +1,22 @@ { "type": "bundle", - "id": "bundle--08306ea2-e07c-4ff1-b5a0-9b679f213336", + "id": "bundle--3b63b8b7-ce18-4dfc-ba8b-a2f6d766a097", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--cc49561f-8364-4908-9111-ad3a6dcd922c", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--cc49561f-8364-4908-9111-ad3a6dcd922c", - "type": "relationship", - "created": "2018-10-17T00:14:20.652Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2018-10-17T00:14:20.652Z", + "modified": "2025-04-16T21:51:37.639Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--11bd699b-f2c2-4e48-bf46-fb3f8acd9799", "target_ref": "attack-pattern--0d95940f-9583-4e0f-824c-a42c1be47fad", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d.json b/mobile-attack/relationship/relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d.json index e1cc9ce6cb..77a6bdb197 100644 --- a/mobile-attack/relationship/relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d.json +++ b/mobile-attack/relationship/relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--67a29fed-ed17-4ae8-916f-8cbc20d005ca", + "id": "bundle--a101cfd4-7656-4f56-a794-e188c61e2ac6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d", "type": "relationship", + "id": "relationship--cc4ae06f-0258-4fe9-b63a-334d283e766d", "created": "2021-02-08T16:36:20.774Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "modified": "2021-05-24T13:16:56.495Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:37.853Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted application strings using AES in ECB mode and Blowfish, and stored strings encoded in hex during Operation BULL. 
Further, in Operation BULL, encryption keys were stored within the application\u2019s launcher icon file.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cc81b56c-cf73-4307-b950-e80246985195.json b/mobile-attack/relationship/relationship--cc81b56c-cf73-4307-b950-e80246985195.json index 244e1d92c7..11ad445241 100644 --- a/mobile-attack/relationship/relationship--cc81b56c-cf73-4307-b950-e80246985195.json +++ b/mobile-attack/relationship/relationship--cc81b56c-cf73-4307-b950-e80246985195.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--56f8da3c-e00b-4c7e-b338-968f2f8f89e6", + "id": "bundle--4762ab5b-1e0a-4564-8b47-559fbc0f1a1f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--cc81b56c-cf73-4307-b950-e80246985195", "created": "2019-10-18T14:50:57.473Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "OS security updates typically contain exploit patches when disclosed.", - "modified": "2022-03-28T19:20:44.337Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:38.068Z", + "description": "OS security updates typically contain exploit patches when disclosed.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--dfe29258-ce59-421c-9dee-e85cb9fa90cd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ccb6f906-a785-4695-91a5-f1bc210892dc.json b/mobile-attack/relationship/relationship--ccb6f906-a785-4695-91a5-f1bc210892dc.json index ba8853ab92..43d069e4bf 100644 --- a/mobile-attack/relationship/relationship--ccb6f906-a785-4695-91a5-f1bc210892dc.json +++ b/mobile-attack/relationship/relationship--ccb6f906-a785-4695-91a5-f1bc210892dc.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--490496cc-f578-4277-bd7d-5dcb11f46877", + "id": "bundle--e5bbe248-577f-4a3d-acfa-510c2b5f9774", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ccb6f906-a785-4695-91a5-f1bc210892dc", "created": "2023-08-04T18:35:55.269Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:35:55.269Z", + "modified": "2025-04-16T21:51:38.273Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate collected data as a ZIP file.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cce1848e-5f32-429a-8c9d-e32367052675.json b/mobile-attack/relationship/relationship--cce1848e-5f32-429a-8c9d-e32367052675.json index 2e63132686..ee88973dbf 100644 --- a/mobile-attack/relationship/relationship--cce1848e-5f32-429a-8c9d-e32367052675.json +++ b/mobile-attack/relationship/relationship--cce1848e-5f32-429a-8c9d-e32367052675.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f47827e8-e504-4da4-9700-822f9721292d", + "id": "bundle--4eb1adc0-7046-4820-8187-b883c1d4bf88", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-04T17:32:51.808Z", + "modified": "2025-04-16T21:51:38.472Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) masquerades as legitimate applications.(Citation: forcepoint_bitter)(Citation: blackberry_mobile_malware_apt_esp) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cce49043-52b0-407c-b4f0-0f4727351d4b.json b/mobile-attack/relationship/relationship--cce49043-52b0-407c-b4f0-0f4727351d4b.json index 76e7b095a8..da45af74ca 100644 --- a/mobile-attack/relationship/relationship--cce49043-52b0-407c-b4f0-0f4727351d4b.json +++ b/mobile-attack/relationship/relationship--cce49043-52b0-407c-b4f0-0f4727351d4b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b2947b44-7b9b-4dae-b442-ec09d51bb391", + "id": "bundle--9fc47d54-fbde-4644-9afd-1c1848529ad3", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-19T18:33:11.697Z", + "modified": "2025-04-16T21:51:38.687Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) requests overlay permissions, which can allow it to create fake Login screens for other apps.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c.json b/mobile-attack/relationship/relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c.json index 80beaa8680..cdf96f3a33 100644 --- a/mobile-attack/relationship/relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c.json +++ b/mobile-attack/relationship/relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--61c392a5-20b6-4871-88f4-3d5e2bbacbcc", + "id": "bundle--0a59f59f-3368-4246-a072-547fc9dc41f7", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c", "type": "relationship", + "id": "relationship--cce5d90f-edff-454d-bafa-caf33b71ed6c", "created": "2019-12-10T16:07:41.078Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", - "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", - "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], - "modified": "2019-12-10T16:07:41.078Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:38.888Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) attempts to gain root access by using local exploits.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--cce82a76-5390-473d-9e7c-9450d1509d1d.json b/mobile-attack/relationship/relationship--cce82a76-5390-473d-9e7c-9450d1509d1d.json index 9a4c142ede..033bdbd386 100644 --- a/mobile-attack/relationship/relationship--cce82a76-5390-473d-9e7c-9450d1509d1d.json +++ b/mobile-attack/relationship/relationship--cce82a76-5390-473d-9e7c-9450d1509d1d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--819e3e76-e90a-4eef-aca7-5cd936bcb93c", + "id": "bundle--fbc30fe2-cb77-4250-a978-0888bd20891b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--cce82a76-5390-473d-9e7c-9450d1509d1d", "type": "relationship", + "id": "relationship--cce82a76-5390-473d-9e7c-9450d1509d1d", "created": "2020-07-15T20:20:59.314Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.314Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:39.084Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can download its second (Loader) and third (Core) stages after the dropper is installed.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac.json b/mobile-attack/relationship/relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac.json index 4c7822c8b2..d3cf95f7dd 100644 --- a/mobile-attack/relationship/relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac.json +++ b/mobile-attack/relationship/relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--1ff4da72-c513-4cf5-959e-84ca4e82760f", + "id": "bundle--ea7754ab-6ec0-48eb-a3c9-cfde808129d2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac", "type": "relationship", + "id": "relationship--ccfffa97-17fd-4826-9a16-c9d8174fb8ac", "created": "2020-01-27T17:05:58.237Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "source_name": "Trend Micro Bouncing Golf 2019" + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-01-27T17:05:58.237Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:39.286Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s battery level, network operator, connection information, sensor information, and information about the device\u2019s storage and memory.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328.json b/mobile-attack/relationship/relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328.json index df90197f86..0ac4b82c11 100644 --- a/mobile-attack/relationship/relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328.json +++ b/mobile-attack/relationship/relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--dd6cf6f8-039d-4388-abbc-a7e48a2fa8a0", + "id": "bundle--522e13c5-c7c8-4a1c-b964-82c9d3d61428", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--cd0f76da-ea06-4710-ab1d-53a7e29a6328", "created": "2022-03-30T19:34:09.377Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:39.485Z", "description": "", - "modified": "2022-03-30T19:34:09.377Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8c7862ff-3449-4ac6-b0fd-ac1298a822a5", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2.json b/mobile-attack/relationship/relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2.json new file mode 100644 index 0000000000..1c6089daf0 --- /dev/null 
+++ b/mobile-attack/relationship/relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--d661518a-876d-4836-ade4-6b2ae0bb7785", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cd1ad516-d953-40cb-b0d5-b384ceb410f2", + "created": "2025-03-24T20:28:22.440Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:39.725Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has a plugin that can take screenshots.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cd440baa-9989-486e-b34b-d9469ffc79a5.json b/mobile-attack/relationship/relationship--cd440baa-9989-486e-b34b-d9469ffc79a5.json new file mode 100644 index 0000000000..31c7429fad 
--- /dev/null +++ b/mobile-attack/relationship/relationship--cd440baa-9989-486e-b34b-d9469ffc79a5.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--5096ee1e-0b26-4de8-8632-c6f615232d42", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--cd440baa-9989-486e-b34b-d9469ffc79a5", + "created": "2024-03-26T19:35:37.865Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "sophos_android_apt_spyware", + "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/" + }, + { + "source_name": "welivesecurity_apt-c-23", + "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:39.923Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can take record and take screenshots of the victim device.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware) ", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file 
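Review bot: The added `description` in relationship--cd440baa reads "can take record and take screenshots of the victim device", which is garbled and leaves unclear whether screen recording is claimed or only screenshots. It also ends with a trailing space after the last citation. The `target_ref` is the same attack-pattern that the LightSpy screenshot relationship in the preceding new file points at, so the intent is presumably screen capture. If the two cited reports support both behaviours, `can record the screen and take screenshots of the victim device.` says so; otherwise use `can take screenshots of the victim device.`, in either case without the trailing space.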
diff --git a/mobile-attack/relationship/relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438.json b/mobile-attack/relationship/relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438.json index 7f2cbe690b..48ee649e12 100644 --- a/mobile-attack/relationship/relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438.json +++ b/mobile-attack/relationship/relationship--cd503879-ccb4-4d47-af5a-90fe7e37c438.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fa9a574f-10e4-4659-9db9-9a10ab0c96c2", + "id": "bundle--bc3c3de0-15fe-4c04-9df8-b549b656f63c", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:53:53.384Z", + "modified": "2025-04-16T21:51:40.119Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests contact lists from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3.json b/mobile-attack/relationship/relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3.json index 3d0d62695c..8a55316408 100644 --- a/mobile-attack/relationship/relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3.json +++ b/mobile-attack/relationship/relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3.json 
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--56079530-f84b-4dc1-9ff7-833a7e16de81",
+ "id": "bundle--00ea8439-7a26-4128-8ae5-bda54abf22df",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3",
 "type": "relationship",
+ "id": "relationship--cd6a9777-a8fd-43ca-91dc-cafc7d4b7df3",
 "created": "2020-01-27T17:05:58.215Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
+ "source_name": "Trend Micro Bouncing Golf 2019",
 "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/",
- "source_name": "Trend Micro Bouncing Golf 2019"
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"
 }
 ],
- "modified": "2020-01-27T17:05:58.215Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:40.333Z",
 "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain a list of running processes.(Citation: Trend Micro Bouncing Golf 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c",
 "target_ref": "attack-pattern--1b51f5bc-b97a-498a-8dbd-bc6b1901bf19",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cd7a2294-1e14-42e8-b870-d99d73443b88.json b/mobile-attack/relationship/relationship--cd7a2294-1e14-42e8-b870-d99d73443b88.json
index ec67f3b9be..dc7193afd5 100644
--- a/mobile-attack/relationship/relationship--cd7a2294-1e14-42e8-b870-d99d73443b88.json
+++ b/mobile-attack/relationship/relationship--cd7a2294-1e14-42e8-b870-d99d73443b88.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--3cc11983-f5f1-4ea4-b0fc-155d3aa9b4ad",
+ "id": "bundle--2da58f70-46c7-4891-8e20-8005c87d095a",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--cd7a2294-1e14-42e8-b870-d99d73443b88",
 "created": "2022-04-01T12:37:42.068Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:40.532Z",
 "description": "Users should be taught the danger behind granting unnecessary permissions to an application and should be advised to use extra scrutiny when an application requests them. ",
- "modified": "2022-04-01T12:37:42.068Z",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
 "target_ref": "attack-pattern--11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3.json b/mobile-attack/relationship/relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3.json
new file mode 100644
index 0000000000..dd01c65c1d
--- /dev/null
+++ b/mobile-attack/relationship/relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3.json
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--5966ca82-9bb9-4cc8-aad9-0579d547c9c9",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--cd7f9e74-e134-408d-aeb2-1ce19d4dd4e3",
+ "created": "2025-03-28T14:52:26.566Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "SecureList OpTriangulation 21Jun2023",
+ "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.",
+ "url": "https://securelist.com/triangledb-triangulation-implant/110050/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:40.734Z",
+ "description": "(Citation: SecureList OpTriangulation 21Jun2023) ",
+ "relationship_type": "uses",
+ "source_ref": "campaign--d0695b5f-b761-49e0-b3e3-2e5307f8def3",
+ "target_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c.json b/mobile-attack/relationship/relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c.json
index e6a7b4fccf..af8ef61a6a 100644
--- a/mobile-attack/relationship/relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c.json
+++ b/mobile-attack/relationship/relationship--cd8c383a-2a62-45e5-917f-a26efe5ba03c.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--20f24623-4395-4f8b-9fb4-0f0cdfe6da18",
+ "id": "bundle--cf8863b7-b2d4-4d62-8da1-23a8555d9837",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-08T17:08:59.640Z",
+ "modified": "2025-04-16T21:51:40.921Z",
 "description": "Application vetting services could potentially detect the usage of APIs intended for suppressing the application\u2019s icon.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
 "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca.json b/mobile-attack/relationship/relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca.json
index a1e05f6691..cc8b371732 100644
--- a/mobile-attack/relationship/relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca.json
+++ b/mobile-attack/relationship/relationship--cd9e8334-2ff6-4f64-993f-4e11a68ef7ca.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--4c243ab5-28f6-40af-89fa-2e64a339d13d",
+ "id": "bundle--96e3f63f-07c6-4288-8eab-d46032c12ec5",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-09T16:34:37.498Z",
+ "modified": "2025-04-16T21:51:41.112Z",
 "description": "Google sends a notification to the device when Android Device Manager is used to locate it. Additionally, Google provides the ability for users to view their general account activity and alerts users when their credentials have been used on a new device. Apple iCloud also provides notifications to users of account activity such as when credentials have been used. ",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4",
 "target_ref": "attack-pattern--9ef05e3d-52db-4c12-be4f-519214bbe91f",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cda58372-ae70-4716-8baf-cc06cb884ad6.json b/mobile-attack/relationship/relationship--cda58372-ae70-4716-8baf-cc06cb884ad6.json
index 2216879ff5..8e1d476f34 100644
--- a/mobile-attack/relationship/relationship--cda58372-ae70-4716-8baf-cc06cb884ad6.json
+++ b/mobile-attack/relationship/relationship--cda58372-ae70-4716-8baf-cc06cb884ad6.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--987a1da9-86e7-41f7-ad53-b1540a1280a4",
+ "id": "bundle--f88ce1c6-e243-481a-b638-9e8aeecd6f0d",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--cda58372-ae70-4716-8baf-cc06cb884ad6",
 "type": "relationship",
+ "id": "relationship--cda58372-ae70-4716-8baf-cc06cb884ad6",
 "created": "2020-12-24T22:04:28.015Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Lookout Uyghur Campaign",
- "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf",
- "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."
+ "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.",
+ "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"
 }
 ],
- "modified": "2020-12-24T22:04:28.015Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:41.340Z",
 "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected a list of installed application names.(Citation: Lookout Uyghur Campaign)",
 "relationship_type": "uses",
 "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5",
 "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357.json b/mobile-attack/relationship/relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357.json
index d9740599aa..54d7b0b238 100644
--- a/mobile-attack/relationship/relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357.json
+++ b/mobile-attack/relationship/relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--82c2524b-2ae4-40f9-906f-98cb115e0d5c",
+ "id": "bundle--72e055a2-e1b3-4ee7-867d-e8dd333ca8f1",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357",
 "type": "relationship",
+ "id": "relationship--cdb9788e-7d16-482e-92b6-cbde0b3de357",
 "created": "2020-12-17T20:15:22.408Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Palo Alto HenBox",
- "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/",
- "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019."
+ "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"
 }
 ],
- "modified": "2020-12-17T20:15:22.408Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:41.568Z",
 "description": "[HenBox](https://attack.mitre.org/software/S0544) can track the device\u2019s location.(Citation: Palo Alto HenBox)",
 "relationship_type": "uses",
 "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4",
 "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cde60121-3d7c-47c8-abeb-582854425599.json b/mobile-attack/relationship/relationship--cde60121-3d7c-47c8-abeb-582854425599.json
index b268562621..1dbb130df8 100644
--- a/mobile-attack/relationship/relationship--cde60121-3d7c-47c8-abeb-582854425599.json
+++ b/mobile-attack/relationship/relationship--cde60121-3d7c-47c8-abeb-582854425599.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--973121a6-2a9a-4373-b5f8-48dbd26ee0cb",
+ "id": "bundle--8ac6e811-c434-4e22-bde4-980323157c68",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--cde60121-3d7c-47c8-abeb-582854425599",
 "type": "relationship",
+ "id": "relationship--cde60121-3d7c-47c8-abeb-582854425599",
 "created": "2020-07-20T13:27:33.512Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Talos-WolfRAT",
- "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html",
- "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020."
+ "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.",
+ "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html"
 }
 ],
- "modified": "2020-08-10T21:57:54.531Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:41.775Z",
 "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can update the running malware.(Citation: Talos-WolfRAT)",
 "relationship_type": "uses",
 "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6",
 "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cdf06664-903e-499b-86b4-b7bcce3c0740.json b/mobile-attack/relationship/relationship--cdf06664-903e-499b-86b4-b7bcce3c0740.json
index b2ce645687..6fb6d89c47 100644
--- a/mobile-attack/relationship/relationship--cdf06664-903e-499b-86b4-b7bcce3c0740.json
+++ b/mobile-attack/relationship/relationship--cdf06664-903e-499b-86b4-b7bcce3c0740.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--9308651a-9e67-4493-af89-a29b4414501a",
+ "id": "bundle--4e6ddb15-9ae0-4406-8cb9-00d8fda6ed53",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--cdf06664-903e-499b-86b4-b7bcce3c0740",
 "created": "2023-09-28T17:20:27.451Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-09-28T17:20:27.451Z",
+ "modified": "2025-04-16T21:51:41.963Z",
 "description": "[Escobar](https://attack.mitre.org/software/S1092) can modify, send, and delete SMS messages.(Citation: Bleeipng Computer Escobar)",
 "relationship_type": "uses",
 "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a",
 "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625.json b/mobile-attack/relationship/relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625.json
index 554ee9857b..4d92f84d9d 100644
--- a/mobile-attack/relationship/relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625.json
+++ b/mobile-attack/relationship/relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--43baa398-b782-433d-bacb-8ac225349f8e",
+ "id": "bundle--9a33809b-6128-450e-a83e-6eaf338bccd8",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--ce26f077-c47a-4185-8ed7-ec0d9ae2b625",
 "created": "2022-03-31T16:33:55.074Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:42.158Z",
 "description": "",
- "modified": "2022-03-31T16:33:55.074Z",
 "relationship_type": "revoked-by",
 "source_ref": "attack-pattern--e4c347e9-fb91-4bc5-83b8-391e389131e2",
 "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef.json b/mobile-attack/relationship/relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef.json
index 8f3b9dedc1..fd76106f0d 100644
--- a/mobile-attack/relationship/relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef.json
+++ b/mobile-attack/relationship/relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef.json
@@ -1,33 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--33f88102-3673-4e32-9f17-90b9793a98b8",
+ "id": "bundle--202e20da-e134-4b8a-9fb6-6ab9b4028b6c",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--ce51f1b3-7813-4517-bbcf-7ae8abf6d2ef",
 "created": "2020-07-27T14:14:56.993Z",
- "x_mitre_version": "1.0",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "Google Security Zen",
- "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html",
- "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020."
+ "description": "Siewierski, L. (2019, January 11). PHA Family Highlights: Zen and its cousins . Retrieved July 27, 2020.",
+ "url": "https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html"
 }
 ],
- "x_mitre_deprecated": false,
- "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:42.382Z",
 "description": "[Zen](https://attack.mitre.org/software/S0494) can simulate user clicks on ads.(Citation: Google Security Zen)",
- "modified": "2022-04-19T14:25:41.669Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "relationship_type": "uses",
 "source_ref": "malware--22faaa56-a8ac-4292-9be6-b571b255ee40",
 "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b.json b/mobile-attack/relationship/relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b.json
index 43beb2b9d6..a548619f90 100644
--- a/mobile-attack/relationship/relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b.json
+++ b/mobile-attack/relationship/relationship--ce5f506a-8fc9-40a2-a78e-96796c896f1b.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--255d64c6-5180-43a9-b855-a650da030c0e",
+ "id": "bundle--5db393fe-83b4-41a9-9081-c22141a06cd6",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-08T15:31:45.237Z",
+ "modified": "2025-04-16T21:51:42.577Z",
 "description": "The user can see which applications are registered as device administrators in the device settings.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6",
 "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ce645a25-160f-443d-b288-fdd108b78a06.json b/mobile-attack/relationship/relationship--ce645a25-160f-443d-b288-fdd108b78a06.json
index c23b12051e..c51d36a6af 100644
--- a/mobile-attack/relationship/relationship--ce645a25-160f-443d-b288-fdd108b78a06.json
+++ b/mobile-attack/relationship/relationship--ce645a25-160f-443d-b288-fdd108b78a06.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--a435d6cf-4be6-4a1c-8824-9a69a2c9c634",
+ "id": "bundle--d81f4c4e-8eae-4804-80a5-e836190cc900",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:41:00.652Z",
+ "modified": "2025-04-16T21:51:42.797Z",
 "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s call log.(Citation: Lookout ViperRAT)",
 "relationship_type": "uses",
 "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb",
 "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe.json b/mobile-attack/relationship/relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe.json
index 962d2a907b..1f630369bf 100644
--- a/mobile-attack/relationship/relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe.json
+++ b/mobile-attack/relationship/relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--f05241f3-45c1-4805-b489-c0863c8598f7",
+ "id": "bundle--988c165c-b320-4949-847e-c75a45a810b3",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--ce6c7f21-91a5-4d63-bd03-a6b57e025afe",
 "created": "2017-10-25T14:48:53.746Z",
- "x_mitre_version": "1.0",
- "x_mitre_deprecated": false,
- "revoked": false,
- "description": "A locked bootloader could prevent unauthorized modifications to protected operating system files. ",
- "modified": "2022-03-30T20:07:33.678Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:43.003Z",
+ "description": "A locked bootloader could prevent unauthorized modifications to protected operating system files. ",
 "relationship_type": "mitigates",
 "source_ref": "course-of-action--8ccd428d-39da-4e8f-a55b-d48ea1d56e58",
 "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5",
- "x_mitre_attack_spec_version": "2.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd.json b/mobile-attack/relationship/relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd.json
index 34178ac2cc..808635097b 100644
--- a/mobile-attack/relationship/relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd.json
+++ b/mobile-attack/relationship/relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--c2f9dc81-0679-4255-a3e7-0880f432402c",
+ "id": "bundle--0b728533-e22f-478b-a852-b99784521cb3",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd",
 "type": "relationship",
+ "id": "relationship--ce8cc50a-f3c9-4a6a-b6be-f3e8bdd293bd",
 "created": "2019-07-10T15:35:43.699Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
- "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf",
+ "source_name": "Lookout Dark Caracal Jan 2018",
 "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.",
- "source_name": "Lookout Dark Caracal Jan 2018"
+ "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf"
 }
 ],
- "modified": "2019-08-09T18:06:11.839Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:43.234Z",
 "description": "[Pallas](https://attack.mitre.org/software/S0399) captures audio from the device microphone.(Citation: Lookout Dark Caracal Jan 2018)",
 "relationship_type": "uses",
 "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878",
 "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cea30219-a255-43ae-b731-9512c5044523.json b/mobile-attack/relationship/relationship--cea30219-a255-43ae-b731-9512c5044523.json
index a64e9db0b6..e01ba27a5d 100644
--- a/mobile-attack/relationship/relationship--cea30219-a255-43ae-b731-9512c5044523.json
+++ b/mobile-attack/relationship/relationship--cea30219-a255-43ae-b731-9512c5044523.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--8d28f9f6-8eaa-402d-b6cc-3714c27eba4b",
+ "id": "bundle--f4ca4015-a52a-43f8-9d76-9ecadbc55b95",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--cea30219-a255-43ae-b731-9512c5044523",
 "created": "2022-04-18T19:46:02.547Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:43.428Z",
 "description": "",
- "modified": "2022-04-18T19:46:02.547Z",
 "relationship_type": "revoked-by",
 "source_ref": "attack-pattern--b3c2e5de-0941-4b57-ba61-af029eb5517a",
 "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c.json b/mobile-attack/relationship/relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c.json
index 8fda3cd81f..ec5b139c9d 100644
--- a/mobile-attack/relationship/relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c.json
+++ b/mobile-attack/relationship/relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--c80e5034-9ae9-44c8-b510-1466cba5e9ed",
+ "id": "bundle--5f0b4d2b-cfe2-4ab6-a93f-77d4c9e19b70",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c",
 "type": "relationship",
+ "id": "relationship--ced70cea-b2ac-45b8-9f7d-779eedbdf06c",
 "created": "2020-01-27T17:05:58.273Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
+ "source_name": "Trend Micro Bouncing Golf 2019",
 "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.",
- "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/",
- "source_name": "Trend Micro Bouncing Golf 2019"
+ "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/"
 }
 ],
- "modified": "2020-01-27T17:05:58.273Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:43.626Z",
 "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can record audio and phone calls.(Citation: Trend Micro Bouncing Golf 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c",
 "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a.json b/mobile-attack/relationship/relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a.json
index b1fb0daa3d..90dc10cbff 100644
--- a/mobile-attack/relationship/relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a.json
+++ b/mobile-attack/relationship/relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--3e3c2b83-1d47-40cc-aaa8-e63edc1fae11", + "id": "bundle--6eec6d48-4501-43d2-b20b-6b6eece5bf85", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a", "type": "relationship", + "id": "relationship--cf26d49c-1d1b-4861-9d6e-959f4f15b73a", "created": "2019-08-09T17:53:48.716Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", - "source_name": "TrendMicro-RCSAndroid" + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], - "modified": "2019-08-09T17:53:48.716Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:43.821Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can capture photos using the front and back cameras.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c.json b/mobile-attack/relationship/relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c.json index 69c1dd43b9..4772ca167e 100644 --- a/mobile-attack/relationship/relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c.json +++ b/mobile-attack/relationship/relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f691d853-264d-469d-b28d-cea18005f057", + "id": "bundle--054e0098-221b-436f-ae75-460d95c9f2e6", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--cf2cfc6e-896a-4c99-b286-41f8dbd6fa4c", "created": "2023-09-28T17:21:26.448Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:21:26.448Z", + "modified": "2025-04-16T21:51:44.026Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can use VNC to remotely control an infected device.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca.json b/mobile-attack/relationship/relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca.json index d5b8614549..eff47b7cfc 100644 
--- a/mobile-attack/relationship/relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca.json +++ b/mobile-attack/relationship/relationship--cf4243f5-562a-457f-bb15-d45a2047f7ca.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--919688fa-4a4f-4a5d-9700-bb56b951f9e3", + "id": "bundle--d4b8f28b-2872-415c-8bf1-064ef6f2f956", "spec_version": "2.0", "objects": [ { @@ -12,22 +12,21 @@ "external_references": [ { "source_name": "SWB Exodus March 2019", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:10:15.827Z", + "modified": "2025-04-16T21:51:44.290Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two collects a list of nearby base stations.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263.json b/mobile-attack/relationship/relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263.json index 76d8caac59..59f22430e1 100644 
--- a/mobile-attack/relationship/relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263.json +++ b/mobile-attack/relationship/relationship--cf4fe189-58cf-42aa-89c7-75bd0a83a263.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--c2ec03d3-1115-4beb-aeed-51c46c22c8f8", + "id": "bundle--36a15a92-a4ee-4720-909b-dca4776f2e47", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:29:32.423Z", + "modified": "2025-04-16T21:51:44.484Z", "description": "When an application requests administrator permission, the user is presented with a popup and the option to grant or deny the request. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--08ea902d-ecb5-47ed-a453-2798057bb2d3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cf696296-751a-41e5-a9b0-907c7b991b2a.json b/mobile-attack/relationship/relationship--cf696296-751a-41e5-a9b0-907c7b991b2a.json index b03ab5ee8d..6235e8e9cb 100644 --- a/mobile-attack/relationship/relationship--cf696296-751a-41e5-a9b0-907c7b991b2a.json +++ b/mobile-attack/relationship/relationship--cf696296-751a-41e5-a9b0-907c7b991b2a.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--2bb63650-d80b-4549-bcf4-4b62908f7705", + "id": "bundle--b03668db-bfc5-45e1-873b-f5c88317f757", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--cf696296-751a-41e5-a9b0-907c7b991b2a", "created": "2023-09-22T19:14:54.719Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T19:14:54.719Z", + "modified": "2025-04-16T21:51:44.688Z", "description": "Application vetting services may detect API calls for deleting files. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8.json b/mobile-attack/relationship/relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8.json index 5b2fd6c280..a277c8c588 100644 --- a/mobile-attack/relationship/relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8.json +++ b/mobile-attack/relationship/relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--9eafe483-900f-4e06-a2f5-a44d051512a7", + "id": "bundle--c1152ca9-ceda-4433-b173-30f90fd8a982", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--cf80894a-07e5-4c45-83a6-ed1eed81d2d8", "created": "2024-02-20T23:57:43.867Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:57:43.867Z", + "modified": "2025-04-16T21:51:44.893Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5.json b/mobile-attack/relationship/relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5.json index 26472931af..ff70c1e9d7 100644 --- a/mobile-attack/relationship/relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5.json +++ b/mobile-attack/relationship/relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--084f4da9-dd25-43ef-8c3c-3c23e2e23a49", + "id": "bundle--22a6bbf7-f912-4d83-9737-ceeac37e7781", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--cf879fe8-9c31-48de-9e49-668d6cda67c5", "created": "2023-07-12T20:35:36.527Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-12T20:35:36.527Z", + "modified": "2025-04-16T21:51:45.090Z", "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious repackaged apps.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3.json b/mobile-attack/relationship/relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3.json index b606b44246..304a0a191d 100644 --- a/mobile-attack/relationship/relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3.json +++ b/mobile-attack/relationship/relationship--cfa1d194-7401-46ba-bfed-5f311aeb22d3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--af373f88-1145-4cb7-aa29-9c5385f14b07", + "id": "bundle--77366914-f44c-42ba-8fc9-f5bcd9134f30", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:54:13.685Z", + "modified": "2025-04-16T21:51:45.286Z", "description": "[Android/Chuli.A](https://attack.mitre.org/software/S0304) stole contact list data stored both on the the phone and the SIM card.(Citation: Kaspersky-WUC)", "relationship_type": "uses", "source_ref": "malware--d05f7357-4cbe-47ea-bf83-b8604226d533", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d01b311d-8741-4b58-b127-88fecb2b0544.json b/mobile-attack/relationship/relationship--d01b311d-8741-4b58-b127-88fecb2b0544.json index 39b1e03e2f..5ee3715776 100644 --- a/mobile-attack/relationship/relationship--d01b311d-8741-4b58-b127-88fecb2b0544.json +++ b/mobile-attack/relationship/relationship--d01b311d-8741-4b58-b127-88fecb2b0544.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a5e4e4ad-a97f-4fa2-bfbf-3380e0bb661d", + "id": "bundle--cb3606be-e06b-4555-9bd5-8c1e34e9afbf", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.112Z", + "modified": "2025-04-16T21:51:45.493Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) has a keylogger that works in every application installed on the device.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d056308f-dca7-493e-b152-6f77fa13155d.json b/mobile-attack/relationship/relationship--d056308f-dca7-493e-b152-6f77fa13155d.json index 389e66c8f0..c0891d650e 100644 --- a/mobile-attack/relationship/relationship--d056308f-dca7-493e-b152-6f77fa13155d.json +++ b/mobile-attack/relationship/relationship--d056308f-dca7-493e-b152-6f77fa13155d.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--7b4706d1-2603-4390-bab7-056441acac75", + "id": "bundle--3b1a6363-d6e6-4849-abfa-2b86da8a65cb", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d056308f-dca7-493e-b152-6f77fa13155d", "created": "2023-12-18T18:17:05.285Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:17:05.285Z", + "modified": "2025-04-16T21:51:45.718Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has collected account information from compromised devices.(Citation: securelist_brata_0819)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e.json b/mobile-attack/relationship/relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e.json index eaebf2524e..31819787a6 100644 --- a/mobile-attack/relationship/relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e.json +++ b/mobile-attack/relationship/relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--f51c7257-81c2-42df-aefd-3b294f90ef6b", + "id": "bundle--bf122152-1a30-4ce9-9889-8d6e0efdf1cc", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d0669f8d-0aa2-416f-9ec4-a991a2000d3e", "created": "2023-09-21T19:37:30.610Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T19:37:30.610Z", + "modified": "2025-04-16T21:51:45.915Z", "description": "Some mobile security products offer a loopback VPN used for inspecting traffic. This could proactively block traffic to websites that are known for phishing or appear to be conducting a phishing attack.", "relationship_type": "mitigates", "source_ref": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad.json b/mobile-attack/relationship/relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad.json index 35d2ce3761..e290045447 100644 --- a/mobile-attack/relationship/relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad.json +++ b/mobile-attack/relationship/relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--9c4b3f7f-7e2e-4b39-972c-655a289665f8", + "id": "bundle--e70b909d-6494-4548-9362-913ae1a3eb0b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d09a4d42-45bd-4b2a-aef4-3aa3982115ad", "created": "2022-04-05T19:45:03.117Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:46.102Z", "description": "", - "modified": "2022-04-05T19:45:03.117Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2.json b/mobile-attack/relationship/relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2.json index 5474767c98..afa529d386 100644 --- a/mobile-attack/relationship/relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2.json +++ b/mobile-attack/relationship/relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--26e24f17-f65b-404d-bfcb-46d3e7d139ff", + "id": "bundle--233c3a47-29db-4698-9706-55a4dfb8832b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2", "type": "relationship", + "id": "relationship--d09abcd8-49bf-4d0f-8b17-0db7ada10ec2", "created": "2020-09-11T15:53:38.453Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "securelist rotexy 2018", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], - "modified": "2020-09-11T15:53:38.453Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:46.323Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can automatically reply to SMS messages, and optionally delete them.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b.json b/mobile-attack/relationship/relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b.json
index 1927d52aa4..c6e52e84e1 100644
--- a/mobile-attack/relationship/relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b.json
+++ b/mobile-attack/relationship/relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--17d92c0f-e1d4-4190-8362-2b6a8754c82f", + "id": "bundle--3e0a7a90-e217-471a-aa88-25df23a55c0a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b", "type": "relationship", + "id": "relationship--d0c039cb-c815-4d9c-a100-a45f923bc65b", "created": "2020-12-24T21:45:56.981Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:45:56.981Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:46.512Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) has access to the device\u2019s location.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d.json b/mobile-attack/relationship/relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d.json index 4b94b5ef71..96a8394dc5 100644 --- a/mobile-attack/relationship/relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d.json +++ b/mobile-attack/relationship/relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f0f3e3a2-2232-4e55-9a1b-5e9ba130e3ec", + "id": "bundle--5ff729c9-6b48-43c0-ab6f-208b901a2df3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d", "type": "relationship", + "id": "relationship--d0c21324-62e3-46e5-823b-ea0c03a4885d", "created": "2020-01-21T15:30:39.335Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout-Monokle", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019." + "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2020-01-21T15:30:39.335Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:46.718Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can download attacker-specified files.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d1318f71-7f70-4820-a3fc-0d05af038733.json b/mobile-attack/relationship/relationship--d1318f71-7f70-4820-a3fc-0d05af038733.json
index ccb48deb7a..5e6790fc55 100644
--- a/mobile-attack/relationship/relationship--d1318f71-7f70-4820-a3fc-0d05af038733.json
+++ b/mobile-attack/relationship/relationship--d1318f71-7f70-4820-a3fc-0d05af038733.json
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--7611c278-5e4c-437d-8381-2394b1e93401", + "id": "bundle--efdc298d-44d3-438f-ad54-5ee5b893fc4e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d1318f71-7f70-4820-a3fc-0d05af038733", "created": "2021-10-01T14:42:49.154Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:46.914Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can perform actions when one of two hardcoded magic SMS strings is received.(Citation: SecureList BusyGasper)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d13724d0-a5e2-433b-86bf-ead04359edec.json b/mobile-attack/relationship/relationship--d13724d0-a5e2-433b-86bf-ead04359edec.json
index 0b5cb8e8b8..9438ca91ee 100644
--- a/mobile-attack/relationship/relationship--d13724d0-a5e2-433b-86bf-ead04359edec.json
+++ b/mobile-attack/relationship/relationship--d13724d0-a5e2-433b-86bf-ead04359edec.json
@@ -1,43 +1,42 @@ { "type": "bundle", - "id": "bundle--8c2d8ae1-87df-4137-9861-ab56a19c939e", + "id": "bundle--303dcd90-2344-48b6-b4e0-35b39c0050c9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d13724d0-a5e2-433b-86bf-ead04359edec", "created": "2022-04-01T15:13:10.022Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "iOS Universal Links", - "url": "https://developer.apple.com/ios/universal-links/", - "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020." + "description": "Apple. (n.d.). Universal Links for Developers. Retrieved September 11, 2020.", + "url": "https://developer.apple.com/ios/universal-links/" }, { "source_name": "Android App Links", - "url": "https://developer.android.com/training/app-links/verify-site-associations", - "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020." + "description": "Google. (n.d.). Verify Android App Links. Retrieved September 11, 2020.", + "url": "https://developer.android.com/training/app-links/verify-site-associations" }, { "source_name": "IETF-PKCE", - "url": "https://tools.ietf.org/html/rfc7636", - "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. Retrieved December 21, 2016." + "description": "N. Sakimura, J. Bradley, and N. Agarwal. (2015, September). IETF RFC 7636: Proof Key for Code Exchange by OAuth Public Clients. 
Retrieved December 21, 2016.", + "url": "https://tools.ietf.org/html/rfc7636" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:47.125Z", "description": "Developers should use Android App Links(Citation: Android App Links) and iOS Universal Links(Citation: iOS Universal Links) to provide a secure binding between URIs and applications, preventing malicious applications from intercepting redirections. Additionally, for OAuth use cases, PKCE(Citation: IETF-PKCE) should be used to prevent use of stolen authorization codes. ", - "modified": "2022-04-01T15:13:10.022Z", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d170a088-b115-4a86-b093-8aa32666a470.json b/mobile-attack/relationship/relationship--d170a088-b115-4a86-b093-8aa32666a470.json index e4631412a2..b6ea55fd1a 100644 --- a/mobile-attack/relationship/relationship--d170a088-b115-4a86-b093-8aa32666a470.json +++ b/mobile-attack/relationship/relationship--d170a088-b115-4a86-b093-8aa32666a470.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a669331d-907e-42b2-839b-2583be9bdf02", + "id": "bundle--4d728c19-abdd-4a40-acc2-4beeadae7d1f", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T21:04:21.890Z", + "modified": "2025-04-16T21:51:47.377Z", "description": "On both Android and iOS, the user must grant consent to an application to act as a VPN. Both platforms also provide visual context to the user in the top status bar when a VPN connection is active. The user can see registered VPN services in the device settings. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3.json b/mobile-attack/relationship/relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3.json index 5c4b7ef33d..fd4c288fe9 100644 --- a/mobile-attack/relationship/relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3.json +++ b/mobile-attack/relationship/relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--1fae2684-0501-4261-a4b4-53ed9fcd32ca", + "id": "bundle--802cc67e-e85f-4602-a406-da8c5a1ce6cf", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d1e11627-23e4-40f3-bcbc-2b832b0bbaa3", "created": "2023-02-28T20:31:31.983Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-28T20:31:31.983Z", + "modified": "2025-04-16T21:51:47.583Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can intercept SMS messages and USSD messages from Telcom operators.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e.json b/mobile-attack/relationship/relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e.json index 3ada4fea4d..390e7b7c69 100644 --- a/mobile-attack/relationship/relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e.json +++ b/mobile-attack/relationship/relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b72b089f-b337-4e2f-bc00-42e18ea039eb", + "id": "bundle--d2748554-99a8-4da5-8fcf-1fc6e5c7c9ad", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d22be48b-90fa-4dba-ab6f-f3ad5e08c03e", "created": "2023-09-22T19:15:22.670Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-22T19:15:22.670Z", + "modified": "2025-04-16T21:51:47.781Z", "description": "Mobile security products can detect which applications can request device administrator permissions. Application vetting services could be extra scrutinous of applications that request device administrator permissions.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e.json b/mobile-attack/relationship/relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e.json index 20b900c716..49372cf66c 100644 --- a/mobile-attack/relationship/relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e.json +++ b/mobile-attack/relationship/relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--e29e7509-b2a2-4f86-a1d4-9cfa8317cbd6", + "id": "bundle--de87b544-85d1-45ac-95a1-92ae26821f01", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e", "type": "relationship", + "id": "relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e", "created": "2019-09-03T19:45:48.489Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-09-11T13:25:19.128Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:47.971Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract the GPS coordinates of the device.(Citation: SWB Exodus March 2019)", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc.json b/mobile-attack/relationship/relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc.json index 752b4cb61d..c48438c932 100644 --- a/mobile-attack/relationship/relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc.json +++ b/mobile-attack/relationship/relationship--d22f2c45-d6fa-419a-8f25-65ea37529ccc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a3311ad8-9789-4f8a-a65c-9747609c53e1", + "id": "bundle--0ef4d9c2-6379-4895-ba58-839cd3fa7da6", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:19:04.639Z", + "modified": "2025-04-16T21:51:48.170Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve calendar event information including the event name, when and where it is taking place, and the description.(Citation: Lookout-Monokle) ", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3.json b/mobile-attack/relationship/relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3.json new file mode 100644 index 0000000000..892754e6c1 --- /dev/null +++ b/mobile-attack/relationship/relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--3f3211a9-9127-4be1-9caa-ae9abb3d10b2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d2304825-cd71-4d74-ab9c-0f4ad510cad3", + "created": "2025-03-27T22:48:46.526Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:48.377Z", + "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has collected the device\u2019s phone number and IMEI.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d2749285-47d9-44a4-962f-9215e6fb580e.json b/mobile-attack/relationship/relationship--d2749285-47d9-44a4-962f-9215e6fb580e.json index d54347bd3e..2f4c8947c2 100644 --- a/mobile-attack/relationship/relationship--d2749285-47d9-44a4-962f-9215e6fb580e.json +++ b/mobile-attack/relationship/relationship--d2749285-47d9-44a4-962f-9215e6fb580e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b85ccad9-9b60-40b2-bba0-4ddbdd2a8684", + "id": "bundle--b462ca50-31ba-4f6d-b24f-4d15d76712a2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:54:30.569Z", + "modified": "2025-04-16T21:51:48.567Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can access the device\u2019s contact list.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38.json b/mobile-attack/relationship/relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38.json index 0d0b82df8d..364b654ff6 100644 --- a/mobile-attack/relationship/relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38.json +++ b/mobile-attack/relationship/relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7053bccd-1e01-4cc9-a636-a644ffd94055", + "id": "bundle--ffc44cc8-2af6-4e02-aa93-c657fb327a0b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d2d7476e-66a4-4d46-877c-6e80678bbb38", "created": "2022-04-01T18:43:25.764Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:48.785Z", "description": "System partition integrity mechanisms, such as Verified Boot, can detect the unauthorized modification of system files.", - "modified": "2022-04-01T18:43:25.764Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d300eb82-5ca0-48aa-a45f-d34242545e27.json b/mobile-attack/relationship/relationship--d300eb82-5ca0-48aa-a45f-d34242545e27.json index 0f047b592e..9486ce12f3 100644 --- a/mobile-attack/relationship/relationship--d300eb82-5ca0-48aa-a45f-d34242545e27.json +++ b/mobile-attack/relationship/relationship--d300eb82-5ca0-48aa-a45f-d34242545e27.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--a7c8f602-b4b9-4e60-87d3-169adfbfa8ae", + "id": "bundle--6940e9a5-805b-4fc7-bf99-2e087f87b79d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d300eb82-5ca0-48aa-a45f-d34242545e27", "created": "2022-03-30T15:08:28.814Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:48.983Z", "description": "Device attestation could detect unauthorized operating system modifications. ", - "modified": "2022-03-30T15:08:28.814Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d32003ba-959b-4377-aa04-f75275c32abf.json b/mobile-attack/relationship/relationship--d32003ba-959b-4377-aa04-f75275c32abf.json index 8d7cd14e5f..c07dabeab3 100644 --- a/mobile-attack/relationship/relationship--d32003ba-959b-4377-aa04-f75275c32abf.json +++ b/mobile-attack/relationship/relationship--d32003ba-959b-4377-aa04-f75275c32abf.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b154d23f-2b26-42fd-b3c9-978a8fdfc580", + "id": "bundle--2099913c-8fa0-460f-a20c-00d4498692ca", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:40:27.131Z", + "modified": "2025-04-16T21:51:49.173Z", "description": "[Triada](https://attack.mitre.org/software/S0424) utilized HTTP to exfiltrate data through POST requests to the command and control server.(Citation: Google Triada June 2019) ", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb.json b/mobile-attack/relationship/relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb.json index 5a19bef90d..68630d6896 100644 --- a/mobile-attack/relationship/relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb.json +++ b/mobile-attack/relationship/relationship--d358ac0b-4c67-44e3-939b-24cd36d3c3fb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--680491d7-b0ba-4c84-93cd-570685306030", + "id": "bundle--a01835a3-5923-497d-99ff-019fd19f2603", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:58:57.686Z", + "modified": "2025-04-16T21:51:49.370Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect the device\u2019s cell tower information.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--dd818ea5-adf5-41c7-93b5-f3b839a219fb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c.json b/mobile-attack/relationship/relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c.json index 6f9826ab8c..e6917987b1 100644 --- a/mobile-attack/relationship/relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c.json +++ b/mobile-attack/relationship/relationship--d39ceb9c-ef0c-4820-b363-dc8ce0f0d00c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--300dcef7-ddc7-49b7-8b67-060ee4665f03", + "id": "bundle--1bbd04e9-a7f8-4170-ada5-e710e8b37377", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.621Z", + "modified": "2025-04-16T21:51:49.571Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) masquerades as local postal service applications.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc.json b/mobile-attack/relationship/relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc.json index 3f8a3d85b7..7c46cdb714 100644 --- a/mobile-attack/relationship/relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc.json +++ b/mobile-attack/relationship/relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--2b7af520-17dd-4cd9-acff-95a77a83ea2d", + "id": "bundle--06008030-a5cc-4e16-80e4-dad2acf517dc", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d3b4f74a-5183-405b-b64b-b79e1c4bd6fc", "created": "2024-02-21T20:50:38.266Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T20:50:38.266Z", + "modified": "2025-04-16T21:51:49.776Z", "description": "[Corona Updates](https://attack.mitre.org/software/S0425) can collect device network configuration information, such as Wi-Fi SSID and IMSI.(Citation: TrendMicro Coronavirus Updates)", "relationship_type": "uses", "source_ref": "malware--366c800f-97a8-48d5-b0a6-79d00198252a", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d3d901d7-1ddd-476c-af65-15a1affc422f.json b/mobile-attack/relationship/relationship--d3d901d7-1ddd-476c-af65-15a1affc422f.json index e3e6861bf9..4424e07751 100644 --- a/mobile-attack/relationship/relationship--d3d901d7-1ddd-476c-af65-15a1affc422f.json +++ b/mobile-attack/relationship/relationship--d3d901d7-1ddd-476c-af65-15a1affc422f.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--9612d9a9-7489-476a-82e0-5b6179a1d695", + "id": "bundle--e2a18ec8-7af8-455f-8bc1-760ac726f041", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d3d901d7-1ddd-476c-af65-15a1affc422f", "created": "2024-03-26T19:03:58.841Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T19:03:58.841Z", + "modified": "2025-04-16T21:51:49.981Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can capture pictures and videos.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
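Review bot: The rewritten `url` for the `fb_arid_viper` reference in relationship--d3d901d7-1ddd-476c-af65-15a1affc422f.json loses a slash in the archived target: it now reads `.../web/20231126111812/https:/about.fb.com/...`, where the removed line had `https://about.fb.com/...`. This looks like path normalisation collapsing `//` during export rather than an intended edit, since the snapshot timestamp and the rest of the path are unchanged. Tooling that validates reference URLs strictly, or extracts the original URL from the archive link, may reject or mis-resolve it. I would keep the removed line's value: `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`.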
diff --git a/mobile-attack/relationship/relationship--d3e06522-2a30-4d56-801e-9461178b80ce.json b/mobile-attack/relationship/relationship--d3e06522-2a30-4d56-801e-9461178b80ce.json index cad672481b..49b5d3135b 100644 --- a/mobile-attack/relationship/relationship--d3e06522-2a30-4d56-801e-9461178b80ce.json +++ b/mobile-attack/relationship/relationship--d3e06522-2a30-4d56-801e-9461178b80ce.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--336afdec-87e9-4ad2-a472-bf7ab8263f86", + "id": "bundle--58f41985-c892-44ba-aefb-bfdeeaa9ba54", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:45:54.913Z", + "modified": "2025-04-16T21:51:50.180Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can hide its icon after launch.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0.json b/mobile-attack/relationship/relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0.json index 7579171b63..525b233180 100644 --- a/mobile-attack/relationship/relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0.json +++ b/mobile-attack/relationship/relationship--d3e52467-d090-4ebd-b9b1-3022cc6d5df0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--202afa20-f457-4741-ba68-3b27ade6edd1", + "id": "bundle--620c7750-2f8f-44fa-82d4-83e751957a10", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-11T22:08:03.095Z", + "modified": "2025-04-16T21:51:50.375Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can resist removal by going to the home screen during uninstall.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86.json b/mobile-attack/relationship/relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86.json index ab4eaaf580..a9cc3b1fe9 100644 --- a/mobile-attack/relationship/relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86.json +++ b/mobile-attack/relationship/relationship--d3e6bc20-1f9c-41b6-89f0-ef95689add86.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--bcda675d-e14a-494b-bf08-92e47901e936", + "id": "bundle--f365e90c-9c47-483c-a951-3bbebdea09b6", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T22:12:07.772Z", + "modified": "2025-04-16T21:51:50.562Z", "description": "Application vetting services could detect the invocations of methods that could be used to execute shell commands.(Citation: Samsung Knox Mobile Threat Defense)", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d4154247-90ce-43b9-8c17-5c28f67617f5.json b/mobile-attack/relationship/relationship--d4154247-90ce-43b9-8c17-5c28f67617f5.json index f2cbd41dcf..fbb8c4194e 100644 --- a/mobile-attack/relationship/relationship--d4154247-90ce-43b9-8c17-5c28f67617f5.json +++ b/mobile-attack/relationship/relationship--d4154247-90ce-43b9-8c17-5c28f67617f5.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ee20d016-d6a9-4e0f-bd51-95efb48d23df", + "id": "bundle--24c9575a-d352-4358-b241-fd1260398e65", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d4154247-90ce-43b9-8c17-5c28f67617f5", "type": "relationship", + "id": "relationship--d4154247-90ce-43b9-8c17-5c28f67617f5", "created": "2020-12-24T21:55:56.747Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:55:56.747Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:50.781Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed browser history, as well as the files for 15 other apps.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be.json b/mobile-attack/relationship/relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be.json index f028cd5d49..052a44bed5 100644 --- a/mobile-attack/relationship/relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be.json +++ b/mobile-attack/relationship/relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--c96cd470-b4ed-4d28-a0ab-93c5ee85b112", + "id": "bundle--1ff0ad17-2128-4100-a3e2-c42273b7bd87", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d447a927-c8a1-4123-bdac-ff9ab36f49be", "created": "2024-02-21T00:01:21.483Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
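Review bot: In relationship--d4154247-90ce-43b9-8c17-5c28f67617f5.json the rewritten object carries neither `"revoked"` nor `"x_mitre_deprecated"`, while the other relationships rewritten in this commit (for example relationship--d22d309b-ab00-4f17-b6bf-7706f499cc5e.json) gain both as `false`. A consumer that filters on an explicit `"x_mitre_deprecated": false` or `"revoked": false`, rather than treating an absent key as false, would silently drop this DoubleAgent relationship from its coverage data. If the omission is not intentional, add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`, matching the field order used in the sibling files.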
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T00:01:21.483Z", + "modified": "2025-04-16T21:51:50.978Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect network configuration data from the device, including phone number, SIM operator, and network operator.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c.json b/mobile-attack/relationship/relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c.json index 8f919e99ad..4247c95ae7 100644 --- a/mobile-attack/relationship/relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c.json +++ b/mobile-attack/relationship/relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--42575928-4be4-47d8-90dd-f1f90c9f27ac", + "id": "bundle--4e842835-3e4a-41e8-b268-81b99111ad9a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d44b097a-1bba-40bd-8ec8-d717a3f3df0c", "created": "2023-03-03T16:24:30.564Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:24:30.564Z", + "modified": "2025-04-16T21:51:51.173Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hijacked normal application\u2019s launch routines to display ads.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--670a4d75-103b-4b14-8a9e-4652fa795edd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558.json b/mobile-attack/relationship/relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558.json new file mode 100644 index 0000000000..02e343b181 --- /dev/null +++ b/mobile-attack/relationship/relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558.json 
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--38e0f0e7-6fa3-48ae-8df8-2006317e1c1b",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--d499cfc8-d5f8-4e05-ad82-a18d2823c558",
+ "created": "2025-03-12T22:10:11.013Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Promon FjordPhantom Oct2024",
+ "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.",
+ "url": "https://promon.io/security-news/fjordphantom-android-malware"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:51:51.392Z",
+ "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has been distributed via email, SMS and other messaging applications.(Citation: Promon FjordPhantom Oct2024) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4",
+ "target_ref": "attack-pattern--defc1257-4db1-4fb3-8ef5-bb77f63146df",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--d4a5a902-231e-4878-ad5b-39620498b018.json b/mobile-attack/relationship/relationship--d4a5a902-231e-4878-ad5b-39620498b018.json
index 892e44bb48..08f71f19e1 100644
--- a/mobile-attack/relationship/relationship--d4a5a902-231e-4878-ad5b-39620498b018.json
+++ b/mobile-attack/relationship/relationship--d4a5a902-231e-4878-ad5b-39620498b018.json
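Review bot: The `external_references` entry for `Promon FjordPhantom Oct2024` in this new relationship has no report title in its `description`: it reads `Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.`, while the other citations visible in this patch give author, date, title and retrieval date. Without the title, anyone validating the FjordPhantom delivery claim has only the URL to go on, and the reference becomes hard to trace if that link moves. I would restore it as `"description": "Promon Security Research Team. (2024, October 1). <REPORT TITLE>. Retrieved February 19, 2025.",`, filling the placeholder from the cited article. The relationship `description` also ends with a stray space before its closing quote (`Oct2024) "`), which is worth trimming at the same time, presumably in the upstream knowledge base rather than in this export.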
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--aa18872a-5b21-49d4-837e-66d18498711c", + "id": "bundle--9aa09795-9b7e-488f-babb-b41f31ab53df", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d4a5a902-231e-4878-ad5b-39620498b018", "type": "relationship", + "id": "relationship--d4a5a902-231e-4878-ad5b-39620498b018", "created": "2019-09-04T14:28:15.941Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2019-09-04T14:32:12.589Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:51.581Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can record audio from the device's microphone and can record phone calls, specifying the output audio quality.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c.json b/mobile-attack/relationship/relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c.json
index 35bcf8a2d4..13e5e42191 100644
--- a/mobile-attack/relationship/relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c.json
+++ b/mobile-attack/relationship/relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--9fb0d1fc-bf86-409f-a92a-5966899c9015", + "id": "bundle--d665b42c-0ee3-4f1f-b676-8da09781dbe9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c", "type": "relationship", + "id": "relationship--d53a8ff0-7252-477e-8767-fd485dd62e7c", "created": "2020-12-18T20:14:47.381Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "modified": "2020-12-28T18:59:33.140Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:51.771Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) has collected the device\u2019s phone number and can check if the active network connection is metered.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1.json b/mobile-attack/relationship/relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1.json index 2713167a8a..e18562a869 100644 --- a/mobile-attack/relationship/relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1.json +++ b/mobile-attack/relationship/relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--27c27d5a-a045-4471-8159-ca67608cb51e", + "id": "bundle--9ef1ca20-bd00-457b-8d1b-cbbd37de8821", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1", "type": "relationship", + "id": "relationship--d54bdaff-8eb8-4a02-9f64-bc33c892e9d1", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:51.964Z", "description": "[ZergHelper](https://attack.mitre.org/software/S0287) attempts to extend its capabilities via dynamic updating of its code.(Citation: Xiao-ZergHelper)", "relationship_type": "uses", "source_ref": "malware--3c3b55a6-c3e9-4043-8aae-283fe96220c0", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb.json b/mobile-attack/relationship/relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb.json index ad6b2fa2b1..9987645197 100644 --- a/mobile-attack/relationship/relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb.json +++ b/mobile-attack/relationship/relationship--d54d3475-19ee-4ac5-98b0-ec1ae9336dfb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7923ab0a-a789-4252-8256-60f36ccd2952", + "id": "bundle--ed7d520b-7214-4776-9872-aff86a4a3736", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T17:06:44.919Z", + "modified": "2025-04-16T21:51:52.157Z", "description": "The user can review which applications have location permissions in the operating system\u2019s settings menu.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078.json b/mobile-attack/relationship/relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078.json index 4d93105df7..54c653ac68 100644 --- a/mobile-attack/relationship/relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078.json +++ b/mobile-attack/relationship/relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--f8681e2b-6862-4747-ae45-2fe33f5bec10", + "id": "bundle--31bf879b-bf6a-4bb5-bad6-e5cbd3b54b0a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d5533ca1-d57e-4bbf-bf0c-d114e4b79078", "created": "2023-08-04T18:32:39.763Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:32:39.763Z", + "modified": "2025-04-16T21:51:52.374Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can access a device\u2019s camera and take photos.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d562ed4d-ac4d-476b-872e-9e228c580889.json b/mobile-attack/relationship/relationship--d562ed4d-ac4d-476b-872e-9e228c580889.json index 3f09b7f5dc..8bb4c45e66 100644 --- a/mobile-attack/relationship/relationship--d562ed4d-ac4d-476b-872e-9e228c580889.json +++ b/mobile-attack/relationship/relationship--d562ed4d-ac4d-476b-872e-9e228c580889.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--1f9256f2-9892-4f15-a41c-706c72d02035", + "id": "bundle--0fa494c7-b094-4b02-855c-4b2b0ca68b28", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d562ed4d-ac4d-476b-872e-9e228c580889", "type": "relationship", + "id": "relationship--d562ed4d-ac4d-476b-872e-9e228c580889", "created": "2020-11-20T16:37:28.506Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Symantec GoldenCup", - "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans", - "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020." + "description": "R. Iarchy, E. Rynkowski. (2018, July 5). GoldenCup: New Cyber Threat Targeting World Cup Fans. Retrieved October 29, 2020.", + "url": "https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans" } ], - "modified": "2020-11-20T16:37:28.506Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:52.596Z", "description": "[Golden Cup](https://attack.mitre.org/software/S0535) can obtain a list of installed applications.(Citation: Symantec GoldenCup)", "relationship_type": "uses", "source_ref": "malware--f3975cc0-72bc-4308-836e-ac701b83860e", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a.json b/mobile-attack/relationship/relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a.json
index 9d2f3247a4..a08d4a3afe 100644
--- a/mobile-attack/relationship/relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a.json
+++ b/mobile-attack/relationship/relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f6dbf05f-bbc2-48f8-949c-407f7eadb9f1", + "id": "bundle--a0e2885c-739a-4251-858e-d83a1a3c1b00", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a", "type": "relationship", + "id": "relationship--d5928f73-c4ba-4eb1-bf8a-e75ff6806a4a", "created": "2020-11-10T17:08:35.713Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-11-10T17:08:35.713Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:52.804Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can collect notes and data from the MiCode app.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d59da983-c521-47b6-83ab-435f7d58611d.json b/mobile-attack/relationship/relationship--d59da983-c521-47b6-83ab-435f7d58611d.json index 4b0f005d17..b5f8580cc7 100644 --- a/mobile-attack/relationship/relationship--d59da983-c521-47b6-83ab-435f7d58611d.json +++ b/mobile-attack/relationship/relationship--d59da983-c521-47b6-83ab-435f7d58611d.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e1ed4690-7c6f-40e9-937e-546853cacfda", + "id": "bundle--5792acfd-360c-407a-a73f-7d1e7ae701d6", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:12:57.861Z", + "modified": "2025-04-16T21:51:53.002Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) uses HTTP requests for C2 communication.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a.json b/mobile-attack/relationship/relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a.json index f3a6c7153f..558be01a7d 100644 --- a/mobile-attack/relationship/relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a.json +++ b/mobile-attack/relationship/relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--782a2dfe-cb7b-4969-9281-1e127991e855", + "id": "bundle--c7f05bc7-d648-48ad-ac70-48b98473702f", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d621eba9-676f-47a4-8358-d68eeff2fb9a", "created": "2023-03-03T16:25:09.978Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:25:09.978Z", + "modified": "2025-04-16T21:51:53.324Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) is believed to have initially infected devices using internet traffic hijacking to generate abnormal popups.(Citation: paloalto_yispecter_1015) ", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5.json b/mobile-attack/relationship/relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5.json index 6b8f4d795a..458e70ac93 100644 --- a/mobile-attack/relationship/relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5.json +++ b/mobile-attack/relationship/relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--de506f53-ef8c-40fc-b6f1-f0cfe7e31248", + "id": "bundle--3f68869b-1305-4842-aafd-20512bc7866a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5", "type": "relationship", + "id": "relationship--d638565b-ca8e-459f-9c3b-1bd8828606f5", "created": "2020-11-24T17:55:12.897Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos GPlayed", - "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", - "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], - "modified": "2020-11-24T17:55:12.897Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:53.517Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can collect the user\u2019s browser cookies.(Citation: Talos GPlayed)", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d63de13b-0253-42f4-b13d-34bccf76ad94.json b/mobile-attack/relationship/relationship--d63de13b-0253-42f4-b13d-34bccf76ad94.json index f7f62a72c6..a19ae7b0b5 100644 
--- a/mobile-attack/relationship/relationship--d63de13b-0253-42f4-b13d-34bccf76ad94.json +++ b/mobile-attack/relationship/relationship--d63de13b-0253-42f4-b13d-34bccf76ad94.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1ebb3a03-0fea-4a06-a512-8f717fb57548", + "id": "bundle--1e1b315d-272e-4a06-92b5-3291c67e93c5", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T15:01:30.483Z", + "modified": "2025-04-16T21:51:53.720Z", "description": "Applications could be vetted for their use of the `startForeground()` API, and could be further scrutinized if usage is found.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--648f8051-1a35-46d3-b1d8-3a3f5cf2cc8e", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898.json b/mobile-attack/relationship/relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898.json index 68bde76f0d..4cb9a20220 100644 --- a/mobile-attack/relationship/relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898.json +++ b/mobile-attack/relationship/relationship--d63f27cf-95a3-42bb-86dd-dc18e22cb898.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6ba8960a-2e52-40cb-a1d9-5c6cbcbdd407", + "id": "bundle--c36fa0b0-19ad-41e5-a6bd-ff93f28fed6a", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:41:16.423Z", + "modified": "2025-04-16T21:51:53.910Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can retrieve call history.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d64c4924-76f0-4b2e-858d-b0df733334d0.json b/mobile-attack/relationship/relationship--d64c4924-76f0-4b2e-858d-b0df733334d0.json index 0fa38f52c8..e3ca70e783 100644 --- a/mobile-attack/relationship/relationship--d64c4924-76f0-4b2e-858d-b0df733334d0.json +++ b/mobile-attack/relationship/relationship--d64c4924-76f0-4b2e-858d-b0df733334d0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5428c82c-dd43-42f0-b18e-068a64550375", + "id": "bundle--7a00acfc-810d-426c-81d1-c12812075410", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:23:09.430Z", + "modified": "2025-04-16T21:51:54.100Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can modify system settings to give itself device administrator privileges.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71.json b/mobile-attack/relationship/relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71.json index eb7a1aad53..09d4f49abc 100644 --- a/mobile-attack/relationship/relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71.json +++ b/mobile-attack/relationship/relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--75eee57d-571a-48ee-b2b4-cc339e6b95db", + "id": "bundle--abe4071d-1a59-409d-aee1-21e3e60ee229", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d663cb6f-9fc8-48a0-827f-29757b12ae71", "created": "2022-03-30T20:53:54.296Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:54.322Z", "description": "", - "modified": "2022-03-30T20:53:54.296Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", "target_ref": "attack-pattern--498e7b81-238d-404c-aa5e-332904d63286", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7.json b/mobile-attack/relationship/relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7.json index a14f36df21..e784708a39 100644 --- a/mobile-attack/relationship/relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7.json +++ b/mobile-attack/relationship/relationship--d66a3e5f-700e-40d0-b16a-bbb3306256c7.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95398544-a394-4ccc-b572-d0da2e01f2c7", + "id": "bundle--149717c6-8a4f-467d-8173-52c20eba82e4", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T22:17:39.302Z", + "modified": "2025-04-16T21:51:54.530Z", "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "target_ref": "attack-pattern--29f1f56c-7b7a-4c14-9e39-59577ea2743c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d6be8665-afbb-4be5-a56a-493af01b120a.json b/mobile-attack/relationship/relationship--d6be8665-afbb-4be5-a56a-493af01b120a.json index ea4b9b8db3..a4ce77fc9b 100644 --- a/mobile-attack/relationship/relationship--d6be8665-afbb-4be5-a56a-493af01b120a.json +++ b/mobile-attack/relationship/relationship--d6be8665-afbb-4be5-a56a-493af01b120a.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b30d0669-b54a-43e2-bbfe-50cd18d3ea78", + "id": "bundle--d3763370-e719-427d-89a7-f01fbd04b9a1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d6be8665-afbb-4be5-a56a-493af01b120a", "created": "2022-03-30T15:52:29.935Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:54.724Z", "description": "Mobile security products can potentially detect jailbroken or rooted devices.", - "modified": "2022-03-30T15:52:29.935Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4.json b/mobile-attack/relationship/relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4.json index 1aedf42757..a35b9fe290 100644 --- a/mobile-attack/relationship/relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4.json +++ b/mobile-attack/relationship/relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a4640653-586a-4342-ae7c-77fad3d4d820", + "id": "bundle--1664fbbf-8806-4d51-ada8-3f7b235f62b1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4", "type": "relationship", + "id": "relationship--d6e4fdc6-c936-4bb9-861f-fafd3b72fcb4", "created": "2021-02-17T20:43:52.413Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], - "modified": "2021-02-17T20:43:52.413Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:54.933Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has compressed and encrypted data before exfiltration using password protected .7z archives.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55.json b/mobile-attack/relationship/relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55.json
index d584be1f90..14faf10fc0 100644
--- a/mobile-attack/relationship/relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55.json
+++ b/mobile-attack/relationship/relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--213505fa-5fa6-4b22-842b-ed978a7fa644", + "id": "bundle--c3215945-aef9-446f-ac3f-50bfc67590a2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55", "type": "relationship", + "id": "relationship--d6f78e9b-94d1-4d59-b00e-89fad2261c55", "created": "2020-04-24T17:46:31.603Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", - "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", - "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], - "modified": "2020-04-24T17:46:31.603Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:55.133Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can steal pictures from the device.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383.json b/mobile-attack/relationship/relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383.json index 64306bd00a..211bf69f03 100644 --- a/mobile-attack/relationship/relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383.json +++ b/mobile-attack/relationship/relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--221b31ef-ebfb-408f-ae18-466ad0179ffc", + "id": "bundle--20acb7ef-4353-44a8-ab61-6c7320f6dd7b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d7007bf2-fcd6-4327-9ffb-bdee5bdeb383", "created": "2022-04-05T20:17:46.149Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:55.370Z", "description": "", - "modified": "2022-04-05T20:17:46.149Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--393e8c12-a416-4575-ba90-19cc85656796", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5.json b/mobile-attack/relationship/relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5.json index c58c612844..f573633d05 100644 --- a/mobile-attack/relationship/relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5.json 
+++ b/mobile-attack/relationship/relationship--d700c625-d0b6-4570-a538-0ba57bd7bda5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d13a1498-793e-4c0b-ad80-c7cbe533cc33", + "id": "bundle--3d9be7d4-c5c5-446e-9d4e-3f137d522caa", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T16:32:32.957Z", + "modified": "2025-04-16T21:51:55.563Z", "description": "Android applications requesting the `ACCESS_COARSE_LOCATION`, `ACCESS_FINE_LOCATION`, or `ACCESS_BACKGROUND_LOCATION` permissions and iOS applications including the `NSLocationWhenInUseUsageDescription`, `NSLocationAlwaysAndWhenInUseUsageDescription`, and/or `NSLocationAlwaysUsageDescription` keys in their `Info.plist` file could be scrutinized during the application vetting process. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json b/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json index 78fb19d52f..782f4fcaae 100644 --- a/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json +++ b/mobile-attack/relationship/relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--1a76a420-d59a-40b2-9a1b-355859567e62", + "id": "bundle--83c33f3e-0e7c-4801-aa7a-dffae0e78fe5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0", "type": "relationship", + "id": "relationship--d70aaf50-29b7-4687-98ea-ffaa3fa858c0", "created": "2020-12-24T21:55:56.692Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:55:56.692Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:55.786Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has searched for specific existing data directories, including the Gmail app, Dropbox app, Pictures, and thumbnails.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--cf28ca46-1fd3-46b4-b1f6-ec0b72361848", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d716163d-2492-4088-9235-b2310312ba27.json b/mobile-attack/relationship/relationship--d716163d-2492-4088-9235-b2310312ba27.json index b28b80edca..fcf250b315 100644 --- a/mobile-attack/relationship/relationship--d716163d-2492-4088-9235-b2310312ba27.json +++ b/mobile-attack/relationship/relationship--d716163d-2492-4088-9235-b2310312ba27.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--9e3130ae-f79d-4fcc-9e70-1625e6af5ea8", + "id": "bundle--9b0ea5a3-289d-44cb-a01d-31c4774d1d19", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d716163d-2492-4088-9235-b2310312ba27", "created": "2022-04-06T15:44:48.422Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:55.980Z", "description": "", - "modified": "2022-04-06T15:44:48.422Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--d731c21e-f27d-4756-b418-0e2aaabd6d63", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d71fab20-a56c-4404-a65d-aaa37056f16e.json b/mobile-attack/relationship/relationship--d71fab20-a56c-4404-a65d-aaa37056f16e.json index 8e9d0d8957..6502f63f25 100644 --- a/mobile-attack/relationship/relationship--d71fab20-a56c-4404-a65d-aaa37056f16e.json +++ b/mobile-attack/relationship/relationship--d71fab20-a56c-4404-a65d-aaa37056f16e.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--ff6a9664-5e41-47b0-a75f-cb1e4285c809", + "id": "bundle--220dd775-c51f-4541-9aef-ec816a7e9908", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d71fab20-a56c-4404-a65d-aaa37056f16e", "created": "2022-04-01T15:16:16.027Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Trend Micro iOS URL Hijacking", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/", - "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020." + "description": "L. Wu, Y. Zhou, M. Li. (2019, July 12). iOS URL Scheme Susceptible to Hijacking. Retrieved September 11, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:56.181Z", "description": "iOS 11 introduced a first-come-first-served principle for URIs, allowing only the prior installed app to be launched via the URI.(Citation: Trend Micro iOS URL Hijacking) Android 6 introduced App Links.", - "modified": "2022-04-01T15:16:16.027Z", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + 
"x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d724bcf3-25d2-406a-b612-333fea5e2385.json b/mobile-attack/relationship/relationship--d724bcf3-25d2-406a-b612-333fea5e2385.json index 9316c12bde..3bb20e9dc5 100644 --- a/mobile-attack/relationship/relationship--d724bcf3-25d2-406a-b612-333fea5e2385.json +++ b/mobile-attack/relationship/relationship--d724bcf3-25d2-406a-b612-333fea5e2385.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--780ccbc0-0954-4bf5-95bd-a0637647db91", + "id": "bundle--12b41eb3-04c6-4b21-89df-82716b75b8db", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d724bcf3-25d2-406a-b612-333fea5e2385", "created": "2020-10-29T17:48:27.440Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Threat Fabric Exobot", - "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", - "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:56.381Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can show phishing popups when a targeted application is running.(Citation: Threat Fabric Exobot)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2.json b/mobile-attack/relationship/relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2.json index 3d278d883f..17f52aa975 100644 --- a/mobile-attack/relationship/relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2.json +++ b/mobile-attack/relationship/relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--aa34fbbb-dc4e-47b6-8213-a0f10c8fe97c", + "id": "bundle--8afe42b5-b36f-4c07-8859-9f795a992767", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d76d838b-bbc7-459a-884a-2da8c36a2ba2", "created": "2022-04-08T16:29:55.322Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:56.575Z", "description": "", - "modified": "2022-04-08T16:29:55.322Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b332a960-3c04-495a-827f-f17a5daed3a6", "target_ref": "attack-pattern--a91262d5-b9ff-463f-b8d2-12e4ea1eb3c9", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d7aa436a-e66d-4217-be66-4414703dec07.json b/mobile-attack/relationship/relationship--d7aa436a-e66d-4217-be66-4414703dec07.json index 1d934c707b..bfd17b9880 100644 --- a/mobile-attack/relationship/relationship--d7aa436a-e66d-4217-be66-4414703dec07.json 
+++ b/mobile-attack/relationship/relationship--d7aa436a-e66d-4217-be66-4414703dec07.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--00b71dd5-26a9-40cd-aeba-a9340f8215b8", + "id": "bundle--b3611878-473a-43f9-a211-529d6f555a0f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d7aa436a-e66d-4217-be66-4414703dec07", "type": "relationship", + "id": "relationship--d7aa436a-e66d-4217-be66-4414703dec07", "created": "2020-11-10T17:08:35.634Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-11-10T17:08:35.634Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:56.779Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used incorrect file extensions and encryption to hide most of its assets, including secondary APKs, configuration files, and JAR or DEX files.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064.json b/mobile-attack/relationship/relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064.json index fcac95ee99..e8dcb4457c 100644 --- a/mobile-attack/relationship/relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064.json +++ b/mobile-attack/relationship/relationship--d7ae7fb1-c363-4969-a4af-e2dd44a3c064.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--33f8dc89-7a7e-48bd-a50f-feb5e3f2aa57", + "id": "bundle--f1ba96e3-d6ff-4314-9a59-e654a4c12c44", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:27:01.081Z", + "modified": "2025-04-16T21:51:56.975Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) attempts to modify the device's system partition.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--4f14e30b-8b57-4a7b-9093-2c0778ea99cf", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d7ca70d4-2006-4252-b243-e52be760e24d.json b/mobile-attack/relationship/relationship--d7ca70d4-2006-4252-b243-e52be760e24d.json index 53ba94d2c3..b74510a1d9 100644 --- a/mobile-attack/relationship/relationship--d7ca70d4-2006-4252-b243-e52be760e24d.json +++ b/mobile-attack/relationship/relationship--d7ca70d4-2006-4252-b243-e52be760e24d.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--1cdef5b0-75c1-49d7-ae7c-719c36a71039", + "id": "bundle--4076f1b5-20d6-4ef3-84d3-983259761fdd", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d7ca70d4-2006-4252-b243-e52be760e24d", "created": "2022-04-01T13:26:39.773Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:57.175Z", "description": "Access to SMS messages is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their SMS messages. ", - "modified": "2022-04-01T13:26:39.773Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1.json b/mobile-attack/relationship/relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1.json index 143fa5e687..b839ff01f4 100644 --- a/mobile-attack/relationship/relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1.json +++ b/mobile-attack/relationship/relationship--d7d78682-c9ad-4880-ae6e-3fc79f3737f1.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e802be4f-5f7e-455b-9edf-eb0154f92e21", + "id": "bundle--67236fee-ca88-4356-a47a-03b01b9d4e8e", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:37:35.704Z", + "modified": "2025-04-16T21:51:57.367Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can delete data from a compromised device.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8.json b/mobile-attack/relationship/relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8.json new file mode 100644 index 0000000000..60eb403af8 --- /dev/null +++ b/mobile-attack/relationship/relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--480a1d84-08e7-433e-bde2-3cae018cfad3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d8001cd5-3e71-44af-ae85-26f5f56e5cb8", + "created": "2025-03-24T14:51:50.965Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee MoqHao 2019", + "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:57.566Z", + "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has collected device network information, such as the IMEI and the phone number.(Citation: McAfee MoqHao 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", + "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37.json b/mobile-attack/relationship/relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37.json index 3da3b713e8..5bac98aac8 100644 --- a/mobile-attack/relationship/relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37.json +++ b/mobile-attack/relationship/relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37.json 
@@ -1,23 +1,23 @@ { "type": "bundle", - "id": "bundle--cd2f710a-21fe-4b82-a0ec-00adf73dc61d", + "id": "bundle--89a6ae2f-40ee-4aac-942e-b409daf005b2", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37", + "created": "2020-05-07T15:24:49.583Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--d84604bc-2314-4340-b9c1-b1265c0f6c37", - "type": "relationship", - "created": "2020-05-07T15:24:49.583Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2020-05-27T13:23:34.544Z", + "modified": "2025-04-16T21:51:57.773Z", "description": "Many vulnerabilities related to injecting code into existing applications have been patched in previous Android releases.", "relationship_type": "mitigates", "source_ref": "course-of-action--0beabf44-e8d8-4ae4-9122-ef56369a2564", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json b/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json index ae4b8307bc..ab1cf16835 100644 --- a/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json +++ b/mobile-attack/relationship/relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--c82d2ea8-01fd-44dc-810c-1db2d11c915a", + "id": "bundle--cd5f1cff-8de3-47ef-b5ae-1066a9eb22e8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891", "type": "relationship", + "id": "relationship--d87b468e-f610-4e95-8dfb-8cf029f0e891", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:57.960Z", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can exploit unfixed vulnerabilities in older Android versions to root victim phones.(Citation: ArsTechnica-HummingBad)", "relationship_type": "uses", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157.json b/mobile-attack/relationship/relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157.json index 3dc171c6ee..f5623e80b7 100644 --- a/mobile-attack/relationship/relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157.json +++ b/mobile-attack/relationship/relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--87176f24-8786-4122-a08e-83144ef227b8", + "id": "bundle--a2b1b5a8-9cdb-4559-8b04-5be28962ea89", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d87b9e3a-9e6b-404d-8fc1-22262ff31157", "created": "2023-08-23T22:18:21.774Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-23T22:18:21.774Z", + "modified": "2025-04-16T21:51:58.150Z", "description": "Network traffic analysis may reveal processes communicating with malicious domains. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--5abfc5e6-3c56-49e7-ad72-502d01acf28b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d886f368-a38b-4cb3-906f-9b284f58b369.json b/mobile-attack/relationship/relationship--d886f368-a38b-4cb3-906f-9b284f58b369.json index 8c81b9216e..d33063ea1c 100644 --- a/mobile-attack/relationship/relationship--d886f368-a38b-4cb3-906f-9b284f58b369.json +++ b/mobile-attack/relationship/relationship--d886f368-a38b-4cb3-906f-9b284f58b369.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--25f99523-6661-446b-8686-e0aa716efa92", + "id": "bundle--9f8071fd-7af2-42e2-a1c0-edf321bbc511", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d886f368-a38b-4cb3-906f-9b284f58b369", "type": "relationship", + "id": "relationship--d886f368-a38b-4cb3-906f-9b284f58b369", "created": "2019-12-10T16:07:41.066Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList DVMap June 2017", - "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/", - "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019." + "description": "R. Unuchek. (2017, June 8). Dvmap: the first Android malware with code injection. Retrieved December 10, 2019.", + "url": "https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/" } ], - "modified": "2019-12-10T16:07:41.066Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:58.371Z", "description": "[Dvmap](https://attack.mitre.org/software/S0420) decrypts executables from archive files stored in the `assets` directory of the installation binary.(Citation: SecureList DVMap June 2017)", "relationship_type": "uses", "source_ref": "malware--22b596a6-d288-4409-8520-5f2846f85514", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab.json b/mobile-attack/relationship/relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab.json
index e4379cda9c..40e3db4efe 100644
--- a/mobile-attack/relationship/relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab.json
+++ b/mobile-attack/relationship/relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--5934b615-3b9a-44e5-8ccc-1b2c5cbb28cd", + "id": "bundle--e95efe6e-8d43-4ab5-a0bf-9e5baf01720f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab", "type": "relationship", + "id": "relationship--d8ca4ea5-5242-4f0f-b3b7-008673f561ab", "created": "2020-09-11T16:22:03.229Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout ViperRAT", - "url": "https://blog.lookout.com/viperrat-mobile-apt", - "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020." + "description": "M. Flossman. (2017, February 16). ViperRAT: The mobile APT targeting the Israeli Defense Force that should be on your radar. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/viperrat-mobile-apt" } ], - "modified": "2020-09-11T16:22:03.229Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:58.575Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect and record audio content.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218.json b/mobile-attack/relationship/relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218.json
index abe1a6aa4f..97f80d7564 100644
--- a/mobile-attack/relationship/relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218.json
+++ b/mobile-attack/relationship/relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ef70c904-f9b8-48ea-90e3-adc7d8088bf9", + "id": "bundle--45377270-41c2-4acc-8dfa-c87673c341d8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218", "type": "relationship", + "id": "relationship--d8d773ab-b0e3-484b-bdb8-c1a1ab48d218", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", - "source_name": "PaloAlto-SpyDealer" + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], - "modified": "2019-08-09T17:56:05.686Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:58.778Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) uses the commercial rooting app Baidu Easy Root to gain root privilege and maintain persistence on the victim.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7.json b/mobile-attack/relationship/relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7.json
index e6ac243baa..29ff60bafd 100644
--- a/mobile-attack/relationship/relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7.json
+++ b/mobile-attack/relationship/relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f8ab33c8-df06-4e75-9c2c-4370118053ac", + "id": "bundle--73e6d329-0f2f-448a-8298-9861f47bc71e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7", "type": "relationship", + "id": "relationship--d933bba1-61ab-4fea-b7db-7e2a4f4146e7", "created": "2020-12-14T15:02:35.230Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Securelist Asacub", - "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/", - "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020." + "description": "T. Shishkova. (2018, August 28). The rise of mobile banker Asacub. Retrieved December 14, 2020.", + "url": "https://securelist.com/the-rise-of-mobile-banker-asacub/87591/" } ], - "modified": "2020-12-14T15:02:35.230Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:58.972Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) has encrypted C2 communications using Base64-encoded RC4.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9.json b/mobile-attack/relationship/relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9.json index ee3f962179..5eec34a34a 100644 
--- a/mobile-attack/relationship/relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9.json +++ b/mobile-attack/relationship/relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--adc3d3cf-ee17-45af-b893-d74277c6c428", + "id": "bundle--07ea30fa-5c8e-4a3a-a555-c8ecbded052c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--d956ffe6-9847-45f6-8ebe-479e93aa68d9", "created": "2024-01-26T17:37:34.983Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-01-26T17:37:34.983Z", + "modified": "2025-04-16T21:51:59.158Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) can hide its application icon.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d995dfff-e4b2-4e07-8e76-b064354f591a.json b/mobile-attack/relationship/relationship--d995dfff-e4b2-4e07-8e76-b064354f591a.json index cb6224d523..9a1d2f94f8 100644 --- a/mobile-attack/relationship/relationship--d995dfff-e4b2-4e07-8e76-b064354f591a.json +++ b/mobile-attack/relationship/relationship--d995dfff-e4b2-4e07-8e76-b064354f591a.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--da20331b-7d69-49b5-98b9-a3073440d529", + "id": "bundle--64aeb4ff-7b5b-4385-ade3-52244f7394ea", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--d995dfff-e4b2-4e07-8e76-b064354f591a", "created": "2022-04-01T12:49:32.365Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:59.378Z", "description": "Calendar access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their device calendar. ", - "modified": "2022-04-01T12:49:32.365Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b.json b/mobile-attack/relationship/relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b.json index 2cfe0b4845..adb29b4826 100644 --- a/mobile-attack/relationship/relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b.json +++ b/mobile-attack/relationship/relationship--d9aab2e1-31e0-45b2-a40b-0cbe60677b4b.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4513484e-1c77-4266-b477-3b78ed59d01e", + "id": "bundle--a451f63b-4d07-4786-bc33-305bf3ee3240", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:24:43.120Z", + "modified": "2025-04-16T21:51:59.567Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can request device administrator permissions.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--d9c63320-5855-42dc-8cd5-595755495259.json b/mobile-attack/relationship/relationship--d9c63320-5855-42dc-8cd5-595755495259.json new file mode 100644 index 0000000000..56f4c1c553 --- /dev/null +++ b/mobile-attack/relationship/relationship--d9c63320-5855-42dc-8cd5-595755495259.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--19f7152c-d92f-48be-99ea-d08202713073", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--d9c63320-5855-42dc-8cd5-595755495259", + "created": "2025-03-12T22:10:57.369Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Promon FjordPhantom Oct2024", + "description": "Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.", + "url": "https://promon.io/security-news/fjordphantom-android-malware" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:59.785Z", + "description": "[FjordPhantom](https://attack.mitre.org/software/S1208) has used the hooking framework in a variety of ways, including returning false information to detection mechanisms, pretending that GooglePlayServices are unavailable, and manipulating UI functionality.(Citation: Promon FjordPhantom Oct2024) ", + "relationship_type": "uses", + "source_ref": "malware--cfe91950-c01f-4e1f-ada1-7ac9b4f79fd4", + "target_ref": "attack-pattern--ccde43e4-78f9-4f32-b401-c081e7db71ea", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--da424f3f-8a93-4a66-858c-b33f587108e6.json b/mobile-attack/relationship/relationship--da424f3f-8a93-4a66-858c-b33f587108e6.json index e0b0e2cd3a..b33905b99a 100644 --- a/mobile-attack/relationship/relationship--da424f3f-8a93-4a66-858c-b33f587108e6.json +++ b/mobile-attack/relationship/relationship--da424f3f-8a93-4a66-858c-b33f587108e6.json 
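Review bot: The `external_references` entry for `Promon FjordPhantom Oct2024` in this new relationship has a citation description with no article title (`Promon Security Research Team. (2024, October 1). Retrieved February 19, 2025.`), while the other references in this patch follow an author, date, title, retrieved pattern; if the URL goes stale, an analyst has nothing to search for. I would add the title, e.g. `"description": "Promon Security Research Team. (2024, October 1). <ARTICLE TITLE>. Retrieved February 19, 2025."`, with the placeholder filled in from the source page. The relationship `description` also refers to "the hooking framework" without naming it, so the object does not stand on its own when it is mapped to detections, and it ends with a stray space after the citation marker.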
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f0fbbab3-30eb-4476-a05f-6158bf47ce56", + "id": "bundle--42461565-ff64-4f76-be3f-3045f83aaa93", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--da424f3f-8a93-4a66-858c-b33f587108e6", "type": "relationship", + "id": "relationship--da424f3f-8a93-4a66-858c-b33f587108e6", "created": "2020-10-29T17:48:27.225Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", - "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", - "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], - "modified": "2020-10-29T17:48:27.225Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:51:59.991Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can obtain the device\u2019s country and carrier name.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--da4296d7-5fdb-45b6-9791-b023d634c08d.json b/mobile-attack/relationship/relationship--da4296d7-5fdb-45b6-9791-b023d634c08d.json
index 3bf9fa756a..aabbe76202 100644
--- a/mobile-attack/relationship/relationship--da4296d7-5fdb-45b6-9791-b023d634c08d.json
+++ b/mobile-attack/relationship/relationship--da4296d7-5fdb-45b6-9791-b023d634c08d.json
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6a5ef8cc-93db-41f6-9813-f2eb54f24fca", + "id": "bundle--0023d20d-817d-47de-b67c-f63a9e81390c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d", "type": "relationship", + "id": "relationship--da4296d7-5fdb-45b6-9791-b023d634c08d", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/", + "source_name": "TrendMicro-RCSAndroid", "description": "Veo Zhang. (2015, July 21). Hacking Team RCSAndroid Spying Tool Listens to Calls; Roots Devices to Get In. Retrieved December 22, 2016.", - "source_name": "TrendMicro-RCSAndroid" + "url": "http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/" } ], - "modified": "2019-08-09T17:53:48.760Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:00.181Z", "description": "[RCSAndroid](https://attack.mitre.org/software/S0295) can record location.(Citation: TrendMicro-RCSAndroid)", "relationship_type": "uses", "source_ref": "malware--363bc05d-13cb-4e98-a5b7-e250f2bbdc2b", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa.json b/mobile-attack/relationship/relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa.json index 476dc2dd6f..dce44d0fa9 100644 --- a/mobile-attack/relationship/relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa.json +++ b/mobile-attack/relationship/relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--00009945-c41b-4706-b8dc-ff9b6d139287", + "id": "bundle--288fc437-5d96-4010-b00d-965cd42c2e6d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--da55ec01-daf2-4fac-ba0b-243f759b73aa", "created": "2023-08-14T16:19:34.080Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -23,16 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:19:34.080Z", + "modified": "2025-04-16T21:52:00.380Z", "description": "Monitor for pseudo-randomly generated domain names based on frequency analysis, Markov chains, entropy, proportion of dictionary words, ratio of vowels to other characters, and more.(Citation: Data Driven Security DGA) Additionally, check if the suspicious domain has been recently registered, if it has been rarely visited, or if the domain had a spike in activity after being dormant.(Citation: unit42_strat_aged_domain_det) Content delivery network (CDN) domains may trigger these detections due to the format of their domain names.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--2ccc3d39-9598-4d32-9657-42e1c7095d26", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852.json b/mobile-attack/relationship/relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852.json index 2e89845f11..11532f73b6 100644 --- a/mobile-attack/relationship/relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852.json +++ b/mobile-attack/relationship/relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--7db4930c-1a86-49b3-a0ef-dc73a3a12c3d", + "id": "bundle--8feaf99b-7c4e-4a35-98f3-4fcf1cccb549", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--dae02ffb-1db5-4b7d-80a9-2a8cbf1bc852", "created": "2023-09-28T17:22:13.691Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:22:13.691Z", + "modified": "2025-04-16T21:52:00.579Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can collect sensitive information, such as Google Authenticator codes.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--db1201f0-f925-4c3c-8673-7524a8c20886.json b/mobile-attack/relationship/relationship--db1201f0-f925-4c3c-8673-7524a8c20886.json index 19dfd963ff..7bbf61b7f1 100644 --- a/mobile-attack/relationship/relationship--db1201f0-f925-4c3c-8673-7524a8c20886.json +++ b/mobile-attack/relationship/relationship--db1201f0-f925-4c3c-8673-7524a8c20886.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--eacc30c8-51b3-48f3-8afb-f973d3d778c0", + "id": "bundle--a098172e-f3c8-477b-83d4-d7767c6916d5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--db1201f0-f925-4c3c-8673-7524a8c20886", "type": "relationship", + "id": "relationship--db1201f0-f925-4c3c-8673-7524a8c20886", "created": "2021-02-17T20:43:52.274Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout FrozenCell", - "url": "https://blog.lookout.com/frozencell-mobile-threat", - "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020." + "description": "Michael Flossman. (2017, October 5). FrozenCell: Multi-platform surveillance campaign against Palestinians. Retrieved November 11, 2020.", + "url": "https://blog.lookout.com/frozencell-mobile-threat" } ], - "modified": "2021-02-17T20:43:52.274Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:00.772Z", "description": "[FrozenCell](https://attack.mitre.org/software/S0577) has recorded calls.(Citation: Lookout FrozenCell)", "relationship_type": "uses", "source_ref": "malware--96ea1e13-d50f-45f1-b0cf-4ac9bc5a2d62", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json b/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json index 03d637947f..170a196232 100644 
--- a/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json +++ b/mobile-attack/relationship/relationship--db34a2c8-01e0-4cd3-a497-0f4bca36812a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--532ad83a-e98a-4958-bc29-cb3900779174", + "id": "bundle--9f515a55-fff9-462c-b94b-b2a645afe40a", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:27:51.998Z", + "modified": "2025-04-16T21:52:00.969Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can obtain the device\u2019s call log.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac.json b/mobile-attack/relationship/relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac.json index 588f64350e..2bdfa9c306 100644 --- a/mobile-attack/relationship/relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac.json +++ b/mobile-attack/relationship/relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--984c6ed8-7aa3-464a-a709-2877976209ff", + "id": "bundle--d94b1106-f955-4ce9-ba47-bb0abc990b32", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac", "type": "relationship", + "id": "relationship--db3fc82d-d353-438d-aa5e-9b5e7e60f0ac", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], - "modified": "2019-08-09T17:52:31.748Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:01.156Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) checks if the device is on Wi-Fi, a cellular network, and is roaming.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff.json b/mobile-attack/relationship/relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff.json index d6a29ece28..f316e67a60 100644 --- a/mobile-attack/relationship/relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff.json +++ b/mobile-attack/relationship/relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b0411fa9-27ae-4281-af8f-c66ca854e6f4", + "id": "bundle--54b9cf95-1a79-440c-a0bd-1876777888ae", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--dba7bd66-5f8e-41a8-ad67-ae04cfd1c8ff", "created": "2023-09-21T22:31:55.337Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-21T22:31:55.337Z", + "modified": "2025-04-16T21:52:01.375Z", "description": "Application vetting services may be able to list domains and/or IP addresses that applications communicate with.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--28fdd23d-aee3-4afe-bc3f-5f1f52929258", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce.json b/mobile-attack/relationship/relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce.json index 3ca1eb6f2a..bfaff13df3 100644 --- a/mobile-attack/relationship/relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce.json +++ b/mobile-attack/relationship/relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--9ebb8cdf-fef9-4589-ba43-8beb9d5a190f", + "id": "bundle--b4918631-d17b-476f-8931-199831cd18f0", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--dbdaa604-b94c-43d1-b8cc-e8e2bbc3fdce", "created": "2023-12-18T19:08:25.585Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T19:08:25.585Z", + "modified": "2025-04-16T21:52:01.562Z", "description": "[AhRat](https://attack.mitre.org/software/S1095) can send SMS messages.(Citation: welivesecurity_ahrat_0523)", "relationship_type": "uses", "source_ref": "malware--24c8f6db-71e0-41ef-a1dc-83399a5b17e5", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dbef53a9-f9c4-4582-8e93-349ad488de12.json b/mobile-attack/relationship/relationship--dbef53a9-f9c4-4582-8e93-349ad488de12.json index 75acb963ba..9d856b3674 100644 --- a/mobile-attack/relationship/relationship--dbef53a9-f9c4-4582-8e93-349ad488de12.json +++ b/mobile-attack/relationship/relationship--dbef53a9-f9c4-4582-8e93-349ad488de12.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--13ac20bb-188e-4ccd-859e-ed968b64008b", + "id": "bundle--50e99f00-1d5d-434d-8175-601e41e1e95d", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-29T21:27:42.197Z", + "modified": "2025-04-16T21:52:01.800Z", "description": "[TangleBot](https://attack.mitre.org/software/S1069) can request permission to view call logs.(Citation: cloudmark_tanglebot_0921)", "relationship_type": "uses", "source_ref": "malware--68156e5a-4c3a-46dd-9c5e-c0bfdec6651f", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97.json b/mobile-attack/relationship/relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97.json index 177d215022..95c46616b8 100644 --- a/mobile-attack/relationship/relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97.json +++ b/mobile-attack/relationship/relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--6d4565bf-830c-48b5-8c9b-e599b58306de", + "id": "bundle--d35c79fa-032a-4919-9da8-e04568bb9b38", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--dbeff88d-441f-47f9-8afc-60400ee3ab97", "created": "2023-02-06T19:06:37.359Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-06T19:06:37.359Z", + "modified": "2025-04-16T21:52:02.004Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can receive files from the C2 at runtime.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dc354395-cccf-471a-9335-8538ce20f1ec.json b/mobile-attack/relationship/relationship--dc354395-cccf-471a-9335-8538ce20f1ec.json index 0f94a96d44..09ec683c11 100644 --- a/mobile-attack/relationship/relationship--dc354395-cccf-471a-9335-8538ce20f1ec.json +++ b/mobile-attack/relationship/relationship--dc354395-cccf-471a-9335-8538ce20f1ec.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--acce8210-7203-4ab2-8da9-a5b8e0cda636", + "id": "bundle--a6a00987-6f22-42e4-bc8c-96974fdfdc7a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--dc354395-cccf-471a-9335-8538ce20f1ec", "created": "2023-07-21T19:33:28.471Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:33:28.471Z", + "modified": "2025-04-16T21:52:02.237Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate SMS logs.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357.json b/mobile-attack/relationship/relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357.json index 716fbfb174..992f91dba2 100644 --- a/mobile-attack/relationship/relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357.json +++ b/mobile-attack/relationship/relationship--dc6514a0-2e9c-4f29-8c15-99e6d382e357.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--53a5972c-2a3e-4f13-a500-6727d4b18819", + "id": "bundle--bab4fab8-ee03-43ba-945f-865f4ad42fd8", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:31:46.913Z", + "modified": "2025-04-16T21:52:02.447Z", "description": "[FinFisher](https://attack.mitre.org/software/S0182) captures and exfiltrates SMS messages.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--a5528622-3a8a-4633-86ce-8cdaf8423858", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dc70704a-54b3-4000-8c55-4919044de5c0.json b/mobile-attack/relationship/relationship--dc70704a-54b3-4000-8c55-4919044de5c0.json index d4086246f9..b241f31e8e 100644 --- a/mobile-attack/relationship/relationship--dc70704a-54b3-4000-8c55-4919044de5c0.json +++ b/mobile-attack/relationship/relationship--dc70704a-54b3-4000-8c55-4919044de5c0.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--c0723943-dc65-4594-aec7-449dc4c6a67f", + "id": "bundle--300114f8-c88f-43b2-bffd-f56359e72014", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--dc70704a-54b3-4000-8c55-4919044de5c0", "created": "2024-03-26T19:03:10.647Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T19:03:10.647Z", + "modified": "2025-04-16T21:52:02.636Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) can exfiltrate the victim device\u2019s contact list.(Citation: fb_arid_viper) ", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
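Review bot: The rewritten `url` of the `fb_arid_viper` reference now embeds the archived target as `https:/about.fb.com/...`, with a single slash after the scheme, where the removed line had `https://about.fb.com/...`. This looks like a path-normalisation artefact of the export rather than an intended edit. The archive service may still resolve the link, but a consumer that extracts, validates or de-duplicates the original URL from the reference will now see a malformed value that no longer matches the earlier record. I would restore the double slash: `"url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf"`. It is also worth checking whether other archived references in this release were rewritten the same way.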
diff --git a/mobile-attack/relationship/relationship--dc7ef843-a073-4e23-b717-c505d4863b02.json b/mobile-attack/relationship/relationship--dc7ef843-a073-4e23-b717-c505d4863b02.json index b64aed47ff..af71d33ea1 100644 --- a/mobile-attack/relationship/relationship--dc7ef843-a073-4e23-b717-c505d4863b02.json +++ b/mobile-attack/relationship/relationship--dc7ef843-a073-4e23-b717-c505d4863b02.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7330ece6-de40-4a56-8c66-49d468865ffd", + "id": "bundle--fc9f395b-cd41-4189-8fcf-aa0ea2b7b11b", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:27:15.979Z", + "modified": "2025-04-16T21:52:02.835Z", "description": "If the user sees a notification with text they do not recognize, they should review their list of installed applications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962.json b/mobile-attack/relationship/relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962.json index 420a103440..037ac83357 100644 --- a/mobile-attack/relationship/relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962.json +++ b/mobile-attack/relationship/relationship--dcae3b7c-27d2-4377-9dc6-59dae15ac962.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ebfcb95c-7e9e-4514-af15-3bf5cab32e15", + "id": "bundle--2c2fe798-a2b0-485e-90b8-71d666045263", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T16:58:03.072Z", + "modified": "2025-04-16T21:52:03.022Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) can lock an HTML page in the foreground, requiring the user enter credit card information that matches information previously intercepted in SMS messages, such as the last 4 digits of a credit card number. If attempts to revoke administrator permissions are detected, [Rotexy](https://attack.mitre.org/software/S0411) periodically switches off the phone screen to inhibit permission removal.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23.json b/mobile-attack/relationship/relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23.json index b03eff05f4..4ddc32416b 100644 --- a/mobile-attack/relationship/relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23.json +++ b/mobile-attack/relationship/relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--80461416-a7df-47d9-b5ab-bebbb956702f", + "id": "bundle--3cc11354-ffc3-41be-a60b-ebae61d38d67", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--dcf01e96-1498-4ebf-b46f-d4f4eb796f23", "created": "2023-07-21T19:37:42.022Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:37:42.022Z", + "modified": "2025-04-16T21:52:03.239Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can retrieve the list of installed applications.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8.json b/mobile-attack/relationship/relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8.json index b588c8b4fd..dd4aff8033 100644 --- a/mobile-attack/relationship/relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8.json +++ b/mobile-attack/relationship/relationship--dd54e35c-d68b-4aa8-ad2a-acd4c76243c8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0c468e4b-85b1-4052-92e7-3b6985e109f7", + "id": "bundle--79d3e014-4c8c-4688-85ea-d251e5fdb105", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:57:14.522Z", + "modified": "2025-04-16T21:52:03.431Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can use RC4 to encrypt C2 payloads.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b.json b/mobile-attack/relationship/relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b.json index 027be1ebab..73232417b1 100644 --- a/mobile-attack/relationship/relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b.json +++ b/mobile-attack/relationship/relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--0e591655-ef70-4403-b6ef-da7514950422", + "id": "bundle--cd930aea-d14a-4ecd-a90a-67677359de7a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--ddb5ba6d-0549-44bd-a669-972bd48e927b", "created": "2020-07-15T20:20:59.307Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:03.629Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) has used domain generation algorithms.(Citation: Bitdefender Mandrake)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--fd211238-f767-4599-8c0d-9dca36624626", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ddca1254-b404-4850-9566-0be35c6d7564.json b/mobile-attack/relationship/relationship--ddca1254-b404-4850-9566-0be35c6d7564.json index 86265cc131..4055bad3d5 100644 --- a/mobile-attack/relationship/relationship--ddca1254-b404-4850-9566-0be35c6d7564.json +++ b/mobile-attack/relationship/relationship--ddca1254-b404-4850-9566-0be35c6d7564.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b3579033-c297-4963-b84e-508766bf514e", + "id": "bundle--56d1fb2c-1769-444a-9132-6de8fe836d04", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:00:11.412Z", + "modified": "2025-04-16T21:52:03.843Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) can access the device\u2019s SMS and MMS messages.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json b/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json index 4843dcd8a5..9bae8d830a 100644 --- a/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json +++ b/mobile-attack/relationship/relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--1a52957b-afd5-4d96-adb2-d1af253ff5f4", + "id": "bundle--248bd487-4cb0-40f7-aba5-b7d63decdee2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--ddfc5d8c-750d-424a-88d9-acc99bc5f69e", "created": "2022-03-30T19:29:07.379Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:04.037Z", "description": "Inform users that device rooting or granting unnecessary access to the accessibility service presents security risks that could be taken advantage of without their knowledge.", - "modified": "2022-03-30T19:29:07.379Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--de45db46-2251-4a29-b4d7-3fcf679e9484.json b/mobile-attack/relationship/relationship--de45db46-2251-4a29-b4d7-3fcf679e9484.json index 36f20fe0e3..52c91dd96e 100644 --- a/mobile-attack/relationship/relationship--de45db46-2251-4a29-b4d7-3fcf679e9484.json +++ b/mobile-attack/relationship/relationship--de45db46-2251-4a29-b4d7-3fcf679e9484.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6fc988c7-b919-4bc2-997f-bf73808d2885", + "id": "bundle--8d71f2bb-5661-4fbd-9392-57499b8a4def", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:32:16.401Z", + "modified": "2025-04-16T21:52:04.281Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can intercept SMS and MMS messages as well as monitor messages for keywords.(Citation: CyberMerchants-FlexiSpy)(Citation: FlexiSpy-Features)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--de4ecfa3-fa91-4377-810c-5c567de9688b.json b/mobile-attack/relationship/relationship--de4ecfa3-fa91-4377-810c-5c567de9688b.json index 91fcbb70ee..4adec00fa8 100644 --- a/mobile-attack/relationship/relationship--de4ecfa3-fa91-4377-810c-5c567de9688b.json +++ b/mobile-attack/relationship/relationship--de4ecfa3-fa91-4377-810c-5c567de9688b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f4b62127-151b-404c-9259-92bf854b15a1", + "id": "bundle--6a2d29ed-d606-476e-95af-41a28bd7bd39", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:38:01.842Z", + "modified": "2025-04-16T21:52:04.482Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can delete attacker-specified files.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6.json b/mobile-attack/relationship/relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6.json index c2f1929609..e08eaa1e3d 100644 --- a/mobile-attack/relationship/relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6.json +++ b/mobile-attack/relationship/relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--15864b6f-dc0a-45a2-adfd-6f613e62c187", + "id": "bundle--20f83bee-d6d2-4738-a376-92534c83ddc1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--de69fd86-aaef-4a1e-99e9-ee32c71997d6", "created": "2022-04-05T19:54:12.660Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:04.703Z", "description": "", - "modified": "2022-04-05T19:54:12.660Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--52651225-0b3a-482d-aa7e-10618fd063b5", "target_ref": "attack-pattern--0f4fb01b-d57a-4375-b7a2-342c9d3248f7", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--de7e3a71-1152-481c-8e5c-88f53852cab6.json b/mobile-attack/relationship/relationship--de7e3a71-1152-481c-8e5c-88f53852cab6.json index e591d41690..70e5e99be9 100644 --- a/mobile-attack/relationship/relationship--de7e3a71-1152-481c-8e5c-88f53852cab6.json +++ b/mobile-attack/relationship/relationship--de7e3a71-1152-481c-8e5c-88f53852cab6.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--c6dd3352-4007-4b69-9f3c-42817d2b9b94", + "id": "bundle--834ed54c-f531-48b5-a094-068787859218", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--de7e3a71-1152-481c-8e5c-88f53852cab6", "created": "2022-04-01T15:16:53.239Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:04.911Z", "description": "", - "modified": "2022-04-01T15:16:53.239Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--789ef15a-34d9-4b32-a779-8cbbc9eb32f5", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5.json b/mobile-attack/relationship/relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5.json new file mode 100644 index 0000000000..4c715348a5 --- /dev/null +++ b/mobile-attack/relationship/relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5.json 
@@ -0,0 +1,52 @@ +{ + "type": "bundle", + "id": "bundle--d19c4156-2f3b-4c6e-999f-755355474bb2", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--dea15947-3a93-4ef6-94c4-ddd8b5bf4db5", + "created": "2025-03-24T17:49:37.281Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "FirshSecureList LightSpy 2020", + "description": "Firsh, A., et al. (2020, March 26). iOS exploit chain deploys LightSpy feature-rich malware. Retrieved January 13, 2025.", + "url": "https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:05.119Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has the ability to take one picture, continuous pictures or event-related pictures using the device\u2019s camera.(Citation: FirshSecureList LightSpy 2020)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) For iOS devices, the default file type for pictures is in High Efficiency Image Format (HEIC); for Android devices, the default file type for pictures is in JPEG format. ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--def81edd-4410-47b2-a80f-d47b3f353f54.json b/mobile-attack/relationship/relationship--def81edd-4410-47b2-a80f-d47b3f353f54.json index 3c3cc3f3ac..eb42f8d945 100644 --- a/mobile-attack/relationship/relationship--def81edd-4410-47b2-a80f-d47b3f353f54.json +++ b/mobile-attack/relationship/relationship--def81edd-4410-47b2-a80f-d47b3f353f54.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8e9fcc7e-6343-4857-9df8-7ded29c97de6", + "id": "bundle--1688feef-0ca5-4a38-aa3c-88eddb736b3d", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T14:59:40.699Z", + "modified": "2025-04-16T21:52:05.390Z", "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--df036f55-f749-4dad-9473-d69535e0f98d.json b/mobile-attack/relationship/relationship--df036f55-f749-4dad-9473-d69535e0f98d.json index 770a2d0b00..86777f34a2 100644 --- a/mobile-attack/relationship/relationship--df036f55-f749-4dad-9473-d69535e0f98d.json +++ b/mobile-attack/relationship/relationship--df036f55-f749-4dad-9473-d69535e0f98d.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--fd64922c-fa7e-40e9-8b78-a0fc83b69768", + "id": "bundle--cde657d7-bce9-4124-9b22-f2de8f98d68b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--df036f55-f749-4dad-9473-d69535e0f98d", "created": "2020-06-26T14:55:13.385Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Cybereason EventBot", - "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born", - "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020." + "description": "D. Frank, L. Rochberger, Y. Rimmer, A. Dahan. (2020, April 30). EventBot: A New Mobile Banking Trojan is Born. Retrieved June 26, 2020.", + "url": "https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:05.587Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can abuse Android\u2019s accessibility service to record the screen PIN.(Citation: Cybereason EventBot)", - "modified": "2022-04-15T17:39:39.931Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No 
newline at end of file diff --git a/mobile-attack/relationship/relationship--df07166f-917e-4bc4-899e-d689d1d3f785.json b/mobile-attack/relationship/relationship--df07166f-917e-4bc4-899e-d689d1d3f785.json index cde1167033..bb598ddba7 100644 --- a/mobile-attack/relationship/relationship--df07166f-917e-4bc4-899e-d689d1d3f785.json +++ b/mobile-attack/relationship/relationship--df07166f-917e-4bc4-899e-d689d1d3f785.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8dc897a6-0de7-4797-aaba-d56eff0569bb", + "id": "bundle--363dbb2f-5bc6-4630-8840-72add03d2fd4", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.104Z", + "modified": "2025-04-16T21:52:05.831Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can impersonate any popular application on an infected device, and the core malware disguises itself as a legitimate Google application. [Agent Smith](https://attack.mitre.org/software/S0440)'s dropper is a weaponized legitimate Feng Shui Bundle.(Citation: CheckPoint Agent Smith) ", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--df337ad4-c88e-425f-b869-ecac29674bf4.json b/mobile-attack/relationship/relationship--df337ad4-c88e-425f-b869-ecac29674bf4.json index f1e3035e9b..6d0a0dd046 100644 --- a/mobile-attack/relationship/relationship--df337ad4-c88e-425f-b869-ecac29674bf4.json +++ b/mobile-attack/relationship/relationship--df337ad4-c88e-425f-b869-ecac29674bf4.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--de1529f2-cea9-4ffa-a513-7d6b8a22ce90", + "id": "bundle--9533c5b5-f554-45aa-bab9-449239023fce", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--df337ad4-c88e-425f-b869-ecac29674bf4", "type": "relationship", + "id": "relationship--df337ad4-c88e-425f-b869-ecac29674bf4", "created": "2021-03-25T16:39:40.200Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], - "modified": "2021-03-25T16:39:40.200Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:06.031Z", "description": "(Citation: CYBERWARCON CHEMISTGAMES)", "relationship_type": "uses", "source_ref": "intrusion-set--381fcf73-60f6-4ab2-9991-6af3cbc35192", "target_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a.json b/mobile-attack/relationship/relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a.json index 102dbf221d..4973235030 100644 --- a/mobile-attack/relationship/relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a.json 
+++ b/mobile-attack/relationship/relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--11fe5b99-4a8d-4e96-92ea-292230ac175c", + "id": "bundle--decdf799-2b6b-4212-9759-3abc3525eaad", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--dfdf329f-8fc3-4dcb-89b4-c3f1095cd77a", "created": "2023-12-18T18:14:41.248Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-18T18:14:41.248Z", + "modified": "2025-04-16T21:52:06.270Z", "description": "[BRATA](https://attack.mitre.org/software/S1094) has utilized commercial software packers.(Citation: mcafee_brata_0421)", "relationship_type": "uses", "source_ref": "malware--5aff44ab-5a41-49bb-b5d1-b4876d0437f4", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b.json b/mobile-attack/relationship/relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b.json index e16330462c..4eabd58569 100644 --- a/mobile-attack/relationship/relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b.json +++ b/mobile-attack/relationship/relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--8fea59b8-7fc5-4356-b65f-8341a9009f46", + "id": "bundle--f940bdfc-9081-4f69-9af2-9eff47f8e6c1", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b", "type": "relationship", + "id": "relationship--dfe6d454-1a24-4c42-97eb-4ddfd1dbb09b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/", + "source_name": "Kaspersky-Skygofree", "description": "Nikita Buchka and Alexey Firsh. (2018, January 16). Skygofree: Following in the footsteps of HackingTeam. Retrieved September 24, 2018.", - "source_name": "Kaspersky-Skygofree" + "url": "https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/" } ], - "modified": "2019-08-09T18:08:07.144Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:06.465Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) has the capability to exploit several known vulnerabilities and escalate privileges.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b.json b/mobile-attack/relationship/relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b.json index eb8dfd5989..38d899960e 100644 
--- a/mobile-attack/relationship/relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b.json +++ b/mobile-attack/relationship/relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--170118ae-cbd7-4b9c-9e59-8ecff31a44e5", + "id": "bundle--1cf881cd-09fd-4766-8057-4ea5ad97b1a1", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--dff2d0a7-7579-4091-9bf8-df682bc6506b", "created": "2023-12-05T22:17:58.874Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-12-05T22:17:58.874Z", + "modified": "2025-04-16T21:52:06.681Z", "description": "Mobile security products can potentially detect if a device is vulnerable to a known exploit and can alert the user to update their device. ", "relationship_type": "mitigates", "source_ref": "course-of-action--78671282-26aa-486c-a7a5-5921e1616b58", "target_ref": "attack-pattern--6ecbc2eb-e85a-440a-ab68-4d98f8d56fbe", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5.json b/mobile-attack/relationship/relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5.json index 5f752bd568..e96afc92c0 100644 --- a/mobile-attack/relationship/relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5.json +++ b/mobile-attack/relationship/relationship--dff37d8a-b7ca-409b-b4eb-581ca3a74bb5.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d04fe21f-2e07-4748-aaf8-b1fb7107612d", + "id": "bundle--ca6d96d8-d053-4ea4-93d7-a8d05b95b592", "spec_version": "2.0", "objects": [ { @@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.113Z", + "modified": "2025-04-16T21:52:06.882Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can retrieve the C2 address from Twitter and Telegram.(Citation: Cofense Anubis)(Citation: Trend Micro Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json b/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json index f6c97f3f24..1f424ee3b9 100644 --- a/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json +++ b/mobile-attack/relationship/relationship--e0121f6c-0312-4fff-9d6c-0a8aea945bea.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5b34ebf1-51a2-41f9-ba5d-74a67a34665f", + "id": "bundle--6d9236e8-fb09-4c9c-b836-898baa269274", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-11T22:08:45.192Z", + "modified": "2025-04-16T21:52:07.077Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) can use the open-source project RetroFit for C2 communication.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e012da15-7669-4764-ad9d-8a1d817bcca9.json b/mobile-attack/relationship/relationship--e012da15-7669-4764-ad9d-8a1d817bcca9.json index 9654add7c0..949440383a 100644 --- a/mobile-attack/relationship/relationship--e012da15-7669-4764-ad9d-8a1d817bcca9.json +++ b/mobile-attack/relationship/relationship--e012da15-7669-4764-ad9d-8a1d817bcca9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--556dadb8-384d-4fea-ba2b-08ffc7c40c73", + "id": "bundle--178b4594-d171-48d2-a0f4-f74d32d7717a", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:22:19.012Z", + "modified": "2025-04-16T21:52:07.279Z", "description": "Application vetting services could look for indications that the application downloads and executes new code at runtime (e.g., on Android, use of `DexClassLoader`, `System.load`, or the WebView `JavaScriptInterface` capability; on iOS, use of JSPatch or similar capabilities).", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e03b0eb5-32c6-4867-9235-77fe32192983.json b/mobile-attack/relationship/relationship--e03b0eb5-32c6-4867-9235-77fe32192983.json index b1d9295791..6113b01da6 100644 --- a/mobile-attack/relationship/relationship--e03b0eb5-32c6-4867-9235-77fe32192983.json +++ b/mobile-attack/relationship/relationship--e03b0eb5-32c6-4867-9235-77fe32192983.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6256b2ca-ddfb-43a5-aa01-8924928feb44", + "id": "bundle--45fd0cd1-b59d-474f-a86b-0181326dc093", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e03b0eb5-32c6-4867-9235-77fe32192983", "type": "relationship", + "id": "relationship--e03b0eb5-32c6-4867-9235-77fe32192983", "created": "2019-09-04T15:38:56.916Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CyberMerchants-FlexiSpy", - "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", - "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" } ], - "modified": "2019-09-10T14:59:26.071Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:07.473Z", "description": " [FlexiSpy](https://attack.mitre.org/software/S0408) can track the device's location.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e03b25b0-0779-48da-b5d7-28f1f6106363.json b/mobile-attack/relationship/relationship--e03b25b0-0779-48da-b5d7-28f1f6106363.json index 021eb81a43..7f6227ff19 100644 
--- a/mobile-attack/relationship/relationship--e03b25b0-0779-48da-b5d7-28f1f6106363.json +++ b/mobile-attack/relationship/relationship--e03b25b0-0779-48da-b5d7-28f1f6106363.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d714c18e-501a-40fe-87f6-3d276706d261", + "id": "bundle--b7401a39-ff6b-40a0-ad61-14419f4de3c6", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e03b25b0-0779-48da-b5d7-28f1f6106363", "type": "relationship", + "id": "relationship--e03b25b0-0779-48da-b5d7-28f1f6106363", "created": "2020-12-24T22:04:27.992Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:27.992Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:07.688Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has taken screenshots.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8.json b/mobile-attack/relationship/relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8.json index 85e43b29bc..d74de9c30f 100644 --- a/mobile-attack/relationship/relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8.json +++ b/mobile-attack/relationship/relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--073d5e11-ed06-44dc-9c59-1d82a4a11cef", + "id": "bundle--2440b812-32a2-4905-8976-c7c421808964", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8", "type": "relationship", + "id": "relationship--e05b61a4-ba8a-4aa5-813b-ad76de5945a8", "created": "2020-09-24T15:34:51.433Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], - "modified": "2020-09-24T15:34:51.433Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:07.881Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can record audio and outgoing calls.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e.json b/mobile-attack/relationship/relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e.json index 2a07f27de2..9f9d710824 100644 --- a/mobile-attack/relationship/relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e.json +++ b/mobile-attack/relationship/relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--87db0243-b30e-47af-94d7-a3b68ceae9ee", + "id": "bundle--ba577452-ec9e-4abe-be7a-e681b9c473bb", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--e0c3afc8-4b23-45fc-89cf-2cafbb51291e", "created": "2023-03-03T16:25:52.931Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:25:52.931Z", + "modified": "2025-04-16T21:52:08.073Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected information about installed applications.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58.json b/mobile-attack/relationship/relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58.json index 6cc252752a..0a6e08e743 100644 --- a/mobile-attack/relationship/relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58.json +++ b/mobile-attack/relationship/relationship--e0ebf0cd-9244-4cef-9171-128a12b87b58.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e680ba29-3e9e-4840-b863-5e4325b60e77", + "id": "bundle--424548ab-01a6-4a1f-be06-c93baa3a71ea", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:32:29.636Z", + "modified": "2025-04-16T21:52:08.270Z", "description": "[SpyNote RAT](https://attack.mitre.org/software/S0305) can read SMS messages.(Citation: Zscaler-SpyNote)", "relationship_type": "uses", "source_ref": "malware--20dbaf05-59b8-4dc6-8777-0b17f4553a23", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e0f58ab7-b246-4c41-9afc-89b582590809.json b/mobile-attack/relationship/relationship--e0f58ab7-b246-4c41-9afc-89b582590809.json index cbfaa419ff..19812f47b9 100644 --- a/mobile-attack/relationship/relationship--e0f58ab7-b246-4c41-9afc-89b582590809.json +++ b/mobile-attack/relationship/relationship--e0f58ab7-b246-4c41-9afc-89b582590809.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6cab022b-f219-4677-a31f-7aa95b4d077f", + "id": "bundle--9907faf1-c7ca-4815-846b-f6a5a5d3fffe", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e0f58ab7-b246-4c41-9afc-89b582590809", "type": "relationship", + "id": "relationship--e0f58ab7-b246-4c41-9afc-89b582590809", "created": "2020-12-18T20:14:47.374Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "modified": "2020-12-18T20:14:47.374Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:08.469Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can download additional modules at runtime via JavaScript `eval` statements.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--e135cefa-f019-479d-86eb-438972df73e0.json b/mobile-attack/relationship/relationship--e135cefa-f019-479d-86eb-438972df73e0.json index b006752156..6edc5bf4e8 100644 --- a/mobile-attack/relationship/relationship--e135cefa-f019-479d-86eb-438972df73e0.json +++ b/mobile-attack/relationship/relationship--e135cefa-f019-479d-86eb-438972df73e0.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b06f181f-b294-427a-b23a-e7e3f73b07ad", + "id": "bundle--d0681787-8245-4872-8b6a-cbdcac396de3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:48:30.652Z", + "modified": "2025-04-16T21:52:08.681Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) installs boot hooks into `/system/su.d`.(Citation: FortiGuard-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36.json b/mobile-attack/relationship/relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36.json index 22219cde05..a602263cae 100644 --- a/mobile-attack/relationship/relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36.json +++ b/mobile-attack/relationship/relationship--e14db7d0-4053-4e0a-8b43-b950133e6e36.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f3ce294b-166c-4305-9edf-b283b729bc98", + "id": "bundle--8fd42e43-2239-4d28-8609-cb069e960239", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T22:18:26.965Z", + "modified": "2025-04-16T21:52:08.872Z", "description": "Mobile Threat Defense (MTD) with lower-level OS APIs integrations may have access to running processes and their parameters, potentially detecting unwanted or malicious shells.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e1fc106e-1671-4103-b767-47b52c9b0742.json b/mobile-attack/relationship/relationship--e1fc106e-1671-4103-b767-47b52c9b0742.json index 6b479d7d0c..d19410d64c 100644 --- a/mobile-attack/relationship/relationship--e1fc106e-1671-4103-b767-47b52c9b0742.json +++ b/mobile-attack/relationship/relationship--e1fc106e-1671-4103-b767-47b52c9b0742.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d29584bb-9516-4002-97cc-86f3614cb608", + "id": "bundle--846f1d92-1243-49e3-ab70-d19991ba4958", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T21:40:23.283Z", + "modified": "2025-04-16T21:52:09.077Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to access the device\u2019s location.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb.json b/mobile-attack/relationship/relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb.json index 12e3425d93..aaf94a7241 100644 --- a/mobile-attack/relationship/relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb.json +++ b/mobile-attack/relationship/relationship--e245ad04-3fe9-4132-8bb4-77cdc4c3a1eb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f8c2ef65-badb-46df-9647-7e8e6c8ab13a", + "id": "bundle--2c235d41-e8fd-47c7-a778-a49df41f4c2b", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:58.272Z", + "modified": "2025-04-16T21:52:09.281Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) has masqueraded as an Android security application.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json b/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json index bd36795c7b..d3d8470409 100644 --- a/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json +++ b/mobile-attack/relationship/relationship--e245e45a-71a8-408d-8f32-7b7337bffc26.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2d6e6c3d-cade-469d-b5e8-0d6363903c93", + "id": "bundle--5221fa39-af6f-40ed-91cb-206dfd7d64c4", "spec_version": "2.0", "objects": [ { 
@@ -12,22 +12,21 @@ "external_references": [ { "source_name": "cyble_drinik_1022", - "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved January 18, 2023.", - "url": "https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" + "description": "Cyble. (2022, October 27). Drinik Malware Returns With Advanced Capabilities Targeting Indian Taxpayers. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20221114031945/https://blog.cyble.com/2022/10/27/drinik-malware-returns-with-advanced-capabilities-targeting-indian-taxpayers/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:10:23.208Z", + "modified": "2025-04-16T21:52:09.474Z", "description": "[Drinik](https://attack.mitre.org/software/S1054) can hide its application icon.(Citation: cyble_drinik_1022)", "relationship_type": "uses", "source_ref": "malware--d6e009b7-df5e-447a-bfd2-d5b77374edfe", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056.json b/mobile-attack/relationship/relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056.json index 6567584cae..ed06fd1bb1 100644 --- a/mobile-attack/relationship/relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056.json +++ b/mobile-attack/relationship/relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--9fe84d85-04a2-4a1e-8b31-2156cbb96433", + "id": "bundle--07a7adfe-be54-4f2e-858b-6e955aa9c663", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056", "type": "relationship", + "id": "relationship--e269e6a2-a709-4aa1-a260-f3f0d0284056", "created": "2020-12-24T22:04:27.919Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:27.919Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:09.704Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has extracted messages from chat programs, such as WeChat.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e29d91f0-ebee-481d-9344-702c90775109.json b/mobile-attack/relationship/relationship--e29d91f0-ebee-481d-9344-702c90775109.json index 8b36d18596..a375c430a7 100644 --- a/mobile-attack/relationship/relationship--e29d91f0-ebee-481d-9344-702c90775109.json +++ b/mobile-attack/relationship/relationship--e29d91f0-ebee-481d-9344-702c90775109.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--6e60fd3e-cc59-4656-8fe2-4e6f3dcd1540", + "id": "bundle--b1b22df3-e2bb-4bb6-b067-472316deb2e0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e29d91f0-ebee-481d-9344-702c90775109", "type": "relationship", + "id": "relationship--e29d91f0-ebee-481d-9344-702c90775109", "created": "2020-05-07T15:33:32.928Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "CheckPoint Agent Smith", - "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", - "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], - "modified": "2020-05-07T15:33:32.928Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:09.894Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440) can inject fraudulent ad modules into existing applications on a device.(Citation: CheckPoint Agent Smith)", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--d3bc5020-f6a2-41c0-8ccb-5e563101b60c", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--e2ee6825-43c2-441f-ba96-404a330a9059.json b/mobile-attack/relationship/relationship--e2ee6825-43c2-441f-ba96-404a330a9059.json index d83fb3a734..bd3e1f41fd 100644 --- a/mobile-attack/relationship/relationship--e2ee6825-43c2-441f-ba96-404a330a9059.json +++ b/mobile-attack/relationship/relationship--e2ee6825-43c2-441f-ba96-404a330a9059.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6cc04879-083c-408a-8fee-8cdb8fbed1b4", + "id": "bundle--e6fb26ad-c333-4288-8b07-59639350c210", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:54:51.590Z", + "modified": "2025-04-16T21:52:10.104Z", "description": "[Charger](https://attack.mitre.org/software/S0323) steals contacts from the victim user's device.(Citation: CheckPoint-Charger)", "relationship_type": "uses", "source_ref": "malware--d1c600f8-0fb6-4367-921b-85b71947d950", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e.json b/mobile-attack/relationship/relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e.json index a83ff67a0e..506eb43472 100644 --- a/mobile-attack/relationship/relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e.json +++ b/mobile-attack/relationship/relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--4ca70383-24d0-43c7-991b-3de7196a3cc6", + "id": "bundle--d2080823-45e7-413e-9273-6a2cf9d5aaf4", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--e3009db5-d1d8-4869-b1ca-d408a052bb4e", "created": "2024-01-26T17:34:10.524Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-01-26T17:34:10.524Z", + "modified": "2025-04-16T21:52:10.328Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) can automatically send replies to a user\u2019s incoming WhatsApp messages.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb.json b/mobile-attack/relationship/relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb.json index e3bf1cb8ae..c1a91f0eab 100644 --- a/mobile-attack/relationship/relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb.json +++ b/mobile-attack/relationship/relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--3fa89729-8eb3-4aad-8453-ae93de25829d", + "id": "bundle--a49379a5-1a65-4de2-ba0c-03e01e35c556", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--e33106e1-16ef-41b8-8d47-78c9f2b4dceb", "created": "2020-11-10T17:08:35.846Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:10.527Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has used specially crafted SMS messages to control the target device.(Citation: Lookout Uyghur Campaign) ", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8.json b/mobile-attack/relationship/relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8.json index 49de93c3e6..77f2b6145b 100644 --- a/mobile-attack/relationship/relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8.json +++ b/mobile-attack/relationship/relationship--e34c8c23-be8f-4da9-b051-5246e5f16ba8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d4256325-6004-4444-ba51-3181f6b7e8eb", + "id": "bundle--be966b23-dc97-4ea5-ad43-5af480f11e48", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:14:48.174Z", + "modified": "2025-04-16T21:52:10.724Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can send contact lists to its C2 server.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e35b013b-89e8-41b3-a518-7737234ab71b.json b/mobile-attack/relationship/relationship--e35b013b-89e8-41b3-a518-7737234ab71b.json index edeb89c356..be70075511 100644 --- a/mobile-attack/relationship/relationship--e35b013b-89e8-41b3-a518-7737234ab71b.json +++ b/mobile-attack/relationship/relationship--e35b013b-89e8-41b3-a518-7737234ab71b.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a7dad438-3120-4f01-bca0-a57ac7b5eb7a", + "id": "bundle--09d5f9ca-5abe-4ea5-a62f-1590a52fef39", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e35b013b-89e8-41b3-a518-7737234ab71b", "type": "relationship", + "id": "relationship--e35b013b-89e8-41b3-a518-7737234ab71b", "created": "2020-01-27T17:05:58.312Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "source_name": "Trend Micro Bouncing Golf 2019" + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-01-27T17:05:58.312Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:10.920Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can take screenshots.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--e39ee008-74d1-4669-b515-4d2bb97968c1.json b/mobile-attack/relationship/relationship--e39ee008-74d1-4669-b515-4d2bb97968c1.json index dcbcef0aea..29fee0db4b 100644 --- a/mobile-attack/relationship/relationship--e39ee008-74d1-4669-b515-4d2bb97968c1.json +++ b/mobile-attack/relationship/relationship--e39ee008-74d1-4669-b515-4d2bb97968c1.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--21aa30cf-e6f1-4222-8a7b-c962d9d70b4c", + "id": "bundle--23d0fa1a-4671-43fc-9d41-ef1ee75582fa", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--e39ee008-74d1-4669-b515-4d2bb97968c1", "created": "2024-02-20T23:49:23.124Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:49:23.124Z", + "modified": "2025-04-16T21:52:11.125Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) can gather device network information.(Citation: Cybereason EventBot) ", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e3a961ec-8184-4143-b8c2-c33ea0503678.json b/mobile-attack/relationship/relationship--e3a961ec-8184-4143-b8c2-c33ea0503678.json index 39bcd65a30..6bdc0ce311 100644 
--- a/mobile-attack/relationship/relationship--e3a961ec-8184-4143-b8c2-c33ea0503678.json +++ b/mobile-attack/relationship/relationship--e3a961ec-8184-4143-b8c2-c33ea0503678.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--f79afd69-9ac7-4bdb-be0d-11ab8b6f20f7", + "id": "bundle--7926634b-5e53-48ac-b2b8-d4b6d5cd70b8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e3a961ec-8184-4143-b8c2-c33ea0503678", "type": "relationship", + "id": "relationship--e3a961ec-8184-4143-b8c2-c33ea0503678", "created": "2020-09-24T15:34:51.315Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2014/03/06/dendroid/" } ], - "modified": "2020-09-24T15:34:51.315Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:11.340Z", "description": "[Dendroid](https://attack.mitre.org/software/S0301) can take photos and record videos.(Citation: Lookout-Dendroid)", "relationship_type": "uses", "source_ref": "malware--317a2c10-d489-431e-b6b2-f0251fddc88e", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e3beb58a-2603-451e-a907-1a3823a90197.json b/mobile-attack/relationship/relationship--e3beb58a-2603-451e-a907-1a3823a90197.json new file mode 100644 index 0000000000..7dbbe61b49 --- /dev/null +++ b/mobile-attack/relationship/relationship--e3beb58a-2603-451e-a907-1a3823a90197.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--3ef0fb55-8858-47a2-bfb3-ac9af2983b0b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e3beb58a-2603-451e-a907-1a3823a90197", + "created": "2025-03-27T22:47:12.701Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:11.537Z", + "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has deleted crash logs which may have been created during the initial exploitation phase stored in `/private/var/mobile/Library/Logs/CrashReporter`.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", + "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e3d04885-95a5-47cb-a038-b58542cf787d.json b/mobile-attack/relationship/relationship--e3d04885-95a5-47cb-a038-b58542cf787d.json index c579c8be3f..1a6963117f 100644 --- a/mobile-attack/relationship/relationship--e3d04885-95a5-47cb-a038-b58542cf787d.json +++ b/mobile-attack/relationship/relationship--e3d04885-95a5-47cb-a038-b58542cf787d.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3da69bf0-a287-4255-a0eb-00fd0d2112e4", + "id": "bundle--dc03ac76-3ba7-4c8c-8e29-95f05cbb2ac2", "spec_version": "2.0", "objects": [ { @@ -12,22 +12,21 @@ "external_references": [ { "source_name": "SWB Exodus March 2019", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019.", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html" + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:08:39.524Z", + "modified": "2025-04-16T21:52:11.734Z", "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can exfiltrate the call log.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e4019493-bd52-4011-9355-8902be6ff3f3.json b/mobile-attack/relationship/relationship--e4019493-bd52-4011-9355-8902be6ff3f3.json index be350d1bd6..e761389268 100644 --- a/mobile-attack/relationship/relationship--e4019493-bd52-4011-9355-8902be6ff3f3.json +++ b/mobile-attack/relationship/relationship--e4019493-bd52-4011-9355-8902be6ff3f3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f4e492d3-a932-4e34-98ed-9be917b29927", + "id": "bundle--98c97738-e0a8-4437-a8d7-03d74b947097", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:49:19.083Z", + "modified": "2025-04-16T21:52:11.954Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) registers the broadcast receiver to listen for events related to device boot-up.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a.json b/mobile-attack/relationship/relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a.json index 8f69ea60c8..1065195272 100644 --- a/mobile-attack/relationship/relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a.json +++ b/mobile-attack/relationship/relationship--e419e0c3-8c16-4e7b-99f5-ecd30c93493a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--143cdc73-e260-4778-9bd3-d07675c45835", + "id": "bundle--d3cb01a4-581e-476a-9db2-f19d35a985d5", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-26T20:12:58.081Z", + "modified": "2025-04-16T21:52:12.152Z", "description": "[Conceal Multimedia Files](https://attack.mitre.org/techniques/T1628/003) likely should not be mitigated with preventative controls because the `.nomedia` file may be used legitimately. ", "relationship_type": "mitigates", "source_ref": "course-of-action--76a32151-5233-465f-a607-7e576c62c932", "target_ref": "attack-pattern--ea132c68-b518-4478-ae8d-1763cda26ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e4451543-136b-4fe2-a8e2-d005db705aa2.json b/mobile-attack/relationship/relationship--e4451543-136b-4fe2-a8e2-d005db705aa2.json new file mode 100644 index 0000000000..1884e5f2db --- /dev/null +++ b/mobile-attack/relationship/relationship--e4451543-136b-4fe2-a8e2-d005db705aa2.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--2b46a6f4-e7b3-43d0-be4c-f517a5070697", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--e4451543-136b-4fe2-a8e2-d005db705aa2", + "created": "2025-04-14T18:09:08.678Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:12.378Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) collects device information, including the phone number, IMEI, CPU details, screen specifications, and memory information.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json b/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json index 2de7f41c1a..0c00b6ac9d 100644 --- a/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json +++ b/mobile-attack/relationship/relationship--e457921c-4a0b-4d6e-92e7-553929ddf943.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75e4ac62-971e-4954-b1f1-de0e8479fc19", + "id": "bundle--2f107174-bc3c-4f44-8da0-b712f4b65f2e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:23:48.120Z", + "modified": "2025-04-16T21:52:12.586Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can download and install additional malware after initial infection.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717.json b/mobile-attack/relationship/relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717.json index 6b2cf1772e..c722579b76 100644 --- a/mobile-attack/relationship/relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717.json +++ b/mobile-attack/relationship/relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--dcca6643-097b-48d6-9cac-68fcc9e74823", + "id": "bundle--0ee36b89-1902-45be-ba11-7f00f7f02f14", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--e47ea9b6-8e05-4a54-ac6e-ba621dc3b717", "created": "2024-02-21T20:54:12.536Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T20:54:12.536Z", + "modified": "2025-04-16T21:52:12.779Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) checks if the device is connected via Wi-Fi or mobile data.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532.json b/mobile-attack/relationship/relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532.json index e88b16ce44..5173597eb4 100644 --- a/mobile-attack/relationship/relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532.json +++ b/mobile-attack/relationship/relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--2db94265-463d-4bea-b2c0-09a92ad1032b", + "id": "bundle--a196c01f-a298-4f18-9d6a-c84730a20ef0", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--e4beccfa-a9a5-447d-8164-d39a1b2c5532", "created": "2023-02-06T19:46:43.041Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-06T19:46:43.041Z", + "modified": "2025-04-16T21:52:12.975Z", "description": "[S.O.V.A.](https://attack.mitre.org/software/S1062) has included adversary-in-the-middle capabilities.(Citation: threatfabric_sova_0921)", "relationship_type": "uses", "source_ref": "malware--4b53eb01-57d7-47b4-b078-22766b002b36", "target_ref": "attack-pattern--08e22979-d320-48ed-8711-e7bf94aabb13", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8.json b/mobile-attack/relationship/relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8.json index e0b9a7c36d..f9692a099e 100644 --- a/mobile-attack/relationship/relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8.json +++ b/mobile-attack/relationship/relationship--e4f90a20-f1c6-4820-8c3e-751c79cc82e8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e5da4f53-d3ba-4767-9652-1f7c861b887b", + "id": "bundle--af028075-2780-4b25-adde-4afcf953a516", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:54:20.664Z", + "modified": "2025-04-16T21:52:13.171Z", "description": "Application vetting services can look for applications requesting the `android.permission.SYSTEM_ALERT_WINDOW` permission in the list of permissions in the app manifest. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e50c605a-0cdf-4316-bb49-2deccc69143f.json b/mobile-attack/relationship/relationship--e50c605a-0cdf-4316-bb49-2deccc69143f.json index b9c9f796bd..c0c2c985b8 100644 --- a/mobile-attack/relationship/relationship--e50c605a-0cdf-4316-bb49-2deccc69143f.json +++ b/mobile-attack/relationship/relationship--e50c605a-0cdf-4316-bb49-2deccc69143f.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--279034f9-1822-492b-b018-e680a8c75795", + "id": "bundle--1602b65a-58a8-4c49-b955-4b9506b0e1ee", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--e50c605a-0cdf-4316-bb49-2deccc69143f", "created": "2024-03-26T16:19:01.439Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-26T16:19:01.439Z", + "modified": "2025-04-16T21:52:13.377Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) can make phone calls.(Citation: forcepoint_bitter) ", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--351ddf79-2d3a-41b4-9bef-82ea5d3ccd69", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6.json b/mobile-attack/relationship/relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6.json index 545393bdde..5360679778 100644 --- a/mobile-attack/relationship/relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6.json +++ b/mobile-attack/relationship/relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--a6ae6d1b-7931-4a22-b80c-8ca70b6954bb", + "id": "bundle--247051ab-9c72-4517-8ade-2d982259e448", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--e5113d45-05bd-499f-a2e0-9edc6d7c03b6", "created": "2020-09-14T13:35:45.911Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "ESET-Twitoor", - "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/", - "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016." + "description": "ESET. (2016, August 24). First Twitter-controlled Android botnet discovered. Retrieved December 22, 2016.", + "url": "http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:13.572Z", "description": "[Twitoor](https://attack.mitre.org/software/S0302) can be controlled via Twitter.(Citation: ESET-Twitoor)", - "modified": "2022-04-20T17:56:24.292Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--41e3fd01-7b83-471f-835d-d2b1dc9a770c", "target_ref": "attack-pattern--d916f176-a1ca-4a78-9fdd-4058bc28162e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a.json b/mobile-attack/relationship/relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a.json
new file mode 100644
index 0000000000..de2d1bbc58
--- /dev/null
+++ b/mobile-attack/relationship/relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a.json
@@ -0,0 +1,37 @@
+{
+ "type": "bundle",
+ "id": "bundle--299a00e9-91b3-4368-899d-6f7197b5b107",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--e515259a-63b1-4ac8-bbec-4b0103d0a79a",
+ "created": "2025-04-14T16:50:39.750Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "LinkedIn Dmitry LightSpy 2025",
+ "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.",
+ "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"
+ },
+ {
+ "source_name": "Threatfabric LightSpy 2024",
+ "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.",
+ "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:13.769Z",
+ "description": "[LightSpy](https://attack.mitre.org/software/S1185) uses the embedded `time_waste` function to bypass standard iOS API restrictions and enable unauthorized audio/video recording. This exploit injects a `.dylib` into the `SpringBoard` process, allowing persistent access to audio and video capture.(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024)",
+ "relationship_type": "uses",
+ "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927",
+ "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030.json b/mobile-attack/relationship/relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030.json
new file mode 100644
index 0000000000..4369a1309f
--- /dev/null
+++ b/mobile-attack/relationship/relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--ba1acb4a-f473-47e1-8886-88df2d4f1e91",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--e524f30e-11b5-4bd9-83f1-9694e6d8f030",
+ "created": "2024-03-26T19:34:37.304Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "sophos_android_apt_spyware",
+ "description": "Kohli, P. (2021, November 23). Android APT spyware, targeting Middle East victims, enhances evasiveness. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20231208015605/https:/news.sophos.com/en-us/2021/11/23/android-apt-spyware-targeting-middle-east-victims-improves-its-capabilities/"
+ },
+ {
+ "source_name": "threatpost AndroidSpyware 2020",
+ "description": "O'Donnell, L. (2020, September 30). Android Spyware Variant Snoops on WhatsApp, Telegram Messages. Retrieved January 10, 2025.",
+ "url": "https://threatpost.com/new-android-spyware-whatsapp-telegram/159694/"
+ },
+ {
+ "source_name": "welivesecurity_apt-c-23",
+ "description": "Stefanko, L. (2020, September 30). APT\u2011C\u201123 group evolves its Android spyware. 
Retrieved March 4, 2024.", + "url": "https://web.archive.org/web/20201123042131/www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:13.968Z", + "description": "[SpyC23](https://attack.mitre.org/software/S1195) can read and exfiltrate SMS messages.(Citation: welivesecurity_apt-c-23)(Citation: sophos_android_apt_spyware)(Citation: threatpost AndroidSpyware 2020)", + "relationship_type": "uses", + "source_ref": "malware--95811c0a-abe0-4e7f-a0cc-b0662ced5807", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e5922453-d9b1-472b-b947-b1eaa426a32e.json b/mobile-attack/relationship/relationship--e5922453-d9b1-472b-b947-b1eaa426a32e.json index 299e47548a..2c8cab26cc 100644 --- a/mobile-attack/relationship/relationship--e5922453-d9b1-472b-b947-b1eaa426a32e.json +++ b/mobile-attack/relationship/relationship--e5922453-d9b1-472b-b947-b1eaa426a32e.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--6e1ea66e-7c20-483e-969f-a7e29bbedcc3", + "id": "bundle--8677fd27-9729-4f11-bcdc-3f8a63429a2d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--e5922453-d9b1-472b-b947-b1eaa426a32e", "created": "2024-02-20T23:46:46.698Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-20T23:46:46.698Z", + "modified": "2025-04-16T21:52:14.159Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has gathered device metadata, including model, manufacturer, SD card size, disk usage, memory, CPU, and serial number.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb.json b/mobile-attack/relationship/relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb.json index 612fa1571a..8911b0a5a3 100644 --- a/mobile-attack/relationship/relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb.json +++ b/mobile-attack/relationship/relationship--e5ccc5c7-11ee-4357-8dd4-bf23ce2111bb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f6d1af39-bce2-47ef-86d3-305b221cafc0", + "id": "bundle--3c252304-4c32-467f-8b21-64321fb04c2c", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:41:54.548Z", + "modified": "2025-04-16T21:52:14.397Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has collected call logs.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e5e4567e-05a3-4d79-beab-191efc336473.json b/mobile-attack/relationship/relationship--e5e4567e-05a3-4d79-beab-191efc336473.json index b286ef65db..607dc600fc 100644 --- a/mobile-attack/relationship/relationship--e5e4567e-05a3-4d79-beab-191efc336473.json +++ b/mobile-attack/relationship/relationship--e5e4567e-05a3-4d79-beab-191efc336473.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--609d6fa9-bfb0-490c-b0b4-6b4f460969dc", + "id": "bundle--d4fa1573-f33d-469e-bdf8-cd1c670698a8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e5e4567e-05a3-4d79-beab-191efc336473", "type": "relationship", + "id": "relationship--e5e4567e-05a3-4d79-beab-191efc336473", "created": "2020-01-27T17:05:58.333Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Trend Micro Bouncing Golf 2019", "description": "E. Xu, G. Guo. (2019, June 28). Mobile Cyberespionage Campaign \u2018Bouncing Golf\u2019 Affects Middle East. Retrieved January 27, 2020.", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/", - "source_name": "Trend Micro Bouncing Golf 2019" + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/" } ], - "modified": "2020-03-26T20:50:07.266Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:14.593Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) encrypts data using a simple XOR operation with a pre-configured key prior to exfiltration.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--e3b936a4-6321-4172-9114-038a866362ec", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--e682fd05-a55e-447c-9de1-788cf061ba70.json b/mobile-attack/relationship/relationship--e682fd05-a55e-447c-9de1-788cf061ba70.json
new file mode 100644
index 0000000000..26b6f56767
--- /dev/null
+++ b/mobile-attack/relationship/relationship--e682fd05-a55e-447c-9de1-788cf061ba70.json
@@ -0,0 +1,42 @@
+{
+ "type": "bundle",
+ "id": "bundle--39be0d0c-af86-47a1-8051-61a95de83a90",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--e682fd05-a55e-447c-9de1-788cf061ba70",
+ "created": "2025-03-24T20:08:36.103Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "LinkedIn Dmitry LightSpy 2025",
+ "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.",
+ "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/"
+ },
+ {
+ "source_name": "Threatfabric LightSpy 2023",
+ "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.",
+ "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack"
+ },
+ {
+ "source_name": "Threatfabric LightSpy 2024",
+ "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.",
+ "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:14.802Z",
+ "description": "[LightSpy](https://attack.mitre.org/software/S1185) has sent and deleted SMS messages.(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)",
+ "relationship_type": "uses",
+ "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927",
+ "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3.json b/mobile-attack/relationship/relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3.json index 0bc26ee9d7..dc879ee3e6 100644 --- a/mobile-attack/relationship/relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3.json +++ b/mobile-attack/relationship/relationship--e723d78f-b6c3-4ba5-8946-b44e651834e3.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6b89ac8f-3d33-41fb-b222-83e257374cb2", + "id": "bundle--8b6a7fa6-3736-4b05-a2e0-68e4d78de643", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-10T21:06:58.988Z", + "modified": "2025-04-16T21:52:15.008Z", "description": "Android applications using the `RECORD_AUDIO` permission and iOS applications using `RequestRecordPermission` should be carefully reviewed and monitored. If the `CAPTURE_AUDIO_OUTPUT` permission is found in a third-party Android application, the application should be heavily scrutinized.\n\nIn both Android (6.0 and up) and iOS, the user can review which applications have the permission to access the microphone through the device settings screen and revoke permissions as necessary. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39.json b/mobile-attack/relationship/relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39.json index 43c2dab3e9..e97059ac42 100644 --- a/mobile-attack/relationship/relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39.json +++ b/mobile-attack/relationship/relationship--e767fc9e-5211-4e7c-b628-5dd03a24af39.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28716aa3-905f-4363-a4d2-cee7feaee496", + "id": "bundle--87b3353d-d90b-4486-991f-b9b7099cee45", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:32:42.890Z", + "modified": "2025-04-16T21:52:15.255Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can collect SMS messages as they are received.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208.json b/mobile-attack/relationship/relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208.json index 3e90bdd449..d2b2a91be8 100644 --- a/mobile-attack/relationship/relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208.json +++ b/mobile-attack/relationship/relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--eaaa5ea6-bd02-40f0-ab5f-f192e786209c", + "id": "bundle--bf612698-3a2a-4cb9-a25f-8f5414f30add", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208", "type": "relationship", + "id": "relationship--e78b2cd9-ef73-45d9-9477-e2e95454e208", "created": "2020-07-20T13:27:33.546Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Talos-WolfRAT", - "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html", - "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020." + "description": "W. Mercer, P. Rascagneres, V. Ventura. (2020, May 19). The wolf is back... . Retrieved July 20, 2020.", + "url": "https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html" } ], - "modified": "2020-08-10T21:57:54.537Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:15.445Z", "description": "[WolfRAT](https://attack.mitre.org/software/S0489) can receive system notifications.(Citation: Talos-WolfRAT)", "relationship_type": "uses", "source_ref": "malware--dfdac962-9461-47f0-a212-36dfce2a97e6", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json b/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json index 4cf3063e54..6442b3f085 100644 
--- a/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json +++ b/mobile-attack/relationship/relationship--e7af5be1-721f-40c5-b647-659243a0a14b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8bde02da-5caf-4217-8b42-8150ba88dbe5", + "id": "bundle--7a883503-2337-4f65-87f0-963bd036789b", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-09-25T15:03:05.114Z", + "modified": "2025-04-16T21:52:15.666Z", "description": "[Anubis](https://attack.mitre.org/software/S0422) can record phone calls and audio.(Citation: Cofense Anubis)", "relationship_type": "uses", "source_ref": "malware--a3c59d82-2c7c-44e5-a869-68e0a3e5935e", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac.json b/mobile-attack/relationship/relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac.json index 0595f9d52e..15fd34a897 100644 --- a/mobile-attack/relationship/relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac.json +++ b/mobile-attack/relationship/relationship--e7b33eb5-6c2e-4743-ac8d-c27d5e7121ac.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--f83c8dbb-206e-460a-b0d9-c45237b5e316", + "id": "bundle--f4ebb5f1-c423-4975-a69c-a3e92da9cd45", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:35:13.005Z", + "modified": "2025-04-16T21:52:15.864Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can uninstall itself from a device on command.(Citation: Threat Fabric Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e7b7e813-4867-46fe-bf86-6f367553d765.json b/mobile-attack/relationship/relationship--e7b7e813-4867-46fe-bf86-6f367553d765.json index 30f44dedb3..f43627782d 100644 --- a/mobile-attack/relationship/relationship--e7b7e813-4867-46fe-bf86-6f367553d765.json +++ b/mobile-attack/relationship/relationship--e7b7e813-4867-46fe-bf86-6f367553d765.json 
@@ -1,35 +1,35 @@ { "type": "bundle", - "id": "bundle--9b24e093-6436-4402-bcce-89ab8f5768bb", + "id": "bundle--abccd7ee-185e-442c-aec3-d1e93fa9b877", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--e7b7e813-4867-46fe-bf86-6f367553d765", "type": "relationship", + "id": "relationship--e7b7e813-4867-46fe-bf86-6f367553d765", "created": "2019-11-21T16:42:48.456Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", - "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", - "source_name": "SecureList - ViceLeaker 2019" + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", - "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", - "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], - "modified": "2020-01-21T14:20:50.455Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:16.052Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can copy arbitrary files from the device to the C2 server, can exfiltrate browsing history, can exfiltrate the SD card structure, and can exfiltrate pictures as the user takes them.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56.json b/mobile-attack/relationship/relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56.json index 5dd8835647..12bc56fb3b 100644 --- a/mobile-attack/relationship/relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56.json +++ b/mobile-attack/relationship/relationship--e84ad4b0-9f7a-48a5-89ae-33804b11eb56.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--710b5fec-07af-4154-a8c1-14beb1231c25", + "id": "bundle--bde68c4c-7518-4994-8038-3628a756acbe", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:12:22.002Z",
+ "modified": "2025-04-16T21:52:16.270Z",
 "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses contact list information.(Citation: Lookout-PegasusAndroid)",
 "relationship_type": "uses",
 "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c",
 "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e8768455-4d0c-4e3c-a901-1fc871227745.json b/mobile-attack/relationship/relationship--e8768455-4d0c-4e3c-a901-1fc871227745.json
index d131d0411d..1ba4b2448d 100644
--- a/mobile-attack/relationship/relationship--e8768455-4d0c-4e3c-a901-1fc871227745.json
+++ b/mobile-attack/relationship/relationship--e8768455-4d0c-4e3c-a901-1fc871227745.json
@@ -1,26 +1,25 @@
 {
 "type": "bundle",
- "id": "bundle--bdb19b32-7336-489a-863f-4cd7a3ac1474",
+ "id": "bundle--6c07290f-2821-4eee-9c00-ec73590159f5",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
 "type": "relationship",
 "id": "relationship--e8768455-4d0c-4e3c-a901-1fc871227745",
 "created": "2022-03-30T17:54:56.603Z",
- "x_mitre_version": "0.1",
- "x_mitre_deprecated": false,
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:16.476Z",
 "description": "",
- "modified": "2022-03-30T17:54:56.603Z",
 "relationship_type": "revoked-by",
 "source_ref": "attack-pattern--786f488c-cb1f-4602-89c5-86d982ee326b",
 "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad",
- "x_mitre_attack_spec_version": "2.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2.json b/mobile-attack/relationship/relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2.json
index 98f85e26a7..6e324de35b 100644
--- a/mobile-attack/relationship/relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2.json
+++ b/mobile-attack/relationship/relationship--e87aa0d6-241f-4f72-bdb6-54e8d5584ae2.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--fa3ecaeb-f822-4194-8d3e-a327ccb139b3",
+ "id": "bundle--030957f3-2d35-4b05-a10e-f9ba27b3dd1d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:42:14.121Z",
+ "modified": "2025-04-16T21:52:16.688Z",
 "description": "[Adups](https://attack.mitre.org/software/S0309) transmitted call logs.(Citation: NYTimes-BackDoor)",
 "relationship_type": "uses",
 "source_ref": "malware--f6ac21b6-2592-400c-8472-10d0e2f1bfaf",
 "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e889782a-f66b-448e-a466-e55b1bce7b64.json b/mobile-attack/relationship/relationship--e889782a-f66b-448e-a466-e55b1bce7b64.json
index 98b014cad1..af6b695023 100644
--- a/mobile-attack/relationship/relationship--e889782a-f66b-448e-a466-e55b1bce7b64.json
+++ b/mobile-attack/relationship/relationship--e889782a-f66b-448e-a466-e55b1bce7b64.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--9d3bbbfa-a83d-4550-8b9b-9e756265ff01",
+ "id": "bundle--6ba8e371-b59f-4a86-a78f-c2ff952ae5df",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--e889782a-f66b-448e-a466-e55b1bce7b64",
 "created": "2023-02-28T20:38:25.598Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-02-28T20:38:25.598Z",
+ "modified": "2025-04-16T21:52:16.873Z",
 "description": "[FluBot](https://attack.mitre.org/software/S1067) has encrypted C2 message bodies with RSA and encoded them in base64.(Citation: proofpoint_flubot_0421)",
 "relationship_type": "uses",
 "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc",
 "target_ref": "attack-pattern--16d73b64-5681-4ea0-9af4-4ad86f7c96e8",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f.json b/mobile-attack/relationship/relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f.json
index 65d92bd747..037bdbb97c 100644
--- a/mobile-attack/relationship/relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f.json
+++ b/mobile-attack/relationship/relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--8796802c-d2e1-4ba2-bc6e-573d9286a9f4",
+ "id": "bundle--dcf55349-af57-42af-a173-d80944a06921",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--e8c77126-5279-4c39-ad84-87e4ab8ce37f",
 "created": "2024-02-20T23:46:03.419Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2024-02-20T23:46:03.419Z",
- "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card info, and Wi-Fi info.(Citation: lookout_bouldspy_0423)",
+ "modified": "2025-04-16T21:52:17.073Z",
+ "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can collect network information, such as IP address, SIM card information, and Wi-Fi information.(Citation: lookout_bouldspy_0423)",
 "relationship_type": "uses",
 "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1",
 "target_ref": "attack-pattern--45a5fe76-eda3-4d40-8f22-c186efd6278d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d.json b/mobile-attack/relationship/relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d.json
index b3cfef209d..2636078a3b 100644
--- a/mobile-attack/relationship/relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d.json
+++ b/mobile-attack/relationship/relationship--e8c833ee-4c7d-45a2-b29b-187fe3661c0d.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--ddc0b63b-f315-40ae-af3d-f2dfc0989840",
+ "id": "bundle--bd44c4bc-db4f-41bd-bb75-58f6dcfc7a60",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T19:55:35.453Z",
+ "modified": "2025-04-16T21:52:17.283Z",
 "description": "[HenBox](https://attack.mitre.org/software/S0544) can access the device\u2019s contact list.(Citation: Palo Alto HenBox)",
 "relationship_type": "uses",
 "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4",
 "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e928c0ce-2b98-4af5-a990-f690f4306681.json b/mobile-attack/relationship/relationship--e928c0ce-2b98-4af5-a990-f690f4306681.json
index 1d5d049347..7bf08dbf99 100644
--- a/mobile-attack/relationship/relationship--e928c0ce-2b98-4af5-a990-f690f4306681.json
+++ b/mobile-attack/relationship/relationship--e928c0ce-2b98-4af5-a990-f690f4306681.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--71f1c4dc-3fb8-4e23-ab43-f97dc448cd47",
+ "id": "bundle--f89baad3-fd89-4167-baf2-d831af8f034d",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-08T14:56:32.077Z",
+ "modified": "2025-04-16T21:52:17.470Z",
 "description": "Application vetting services can detect which broadcast intents an application registers for and which permissions it requests. ",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43",
 "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b.json b/mobile-attack/relationship/relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b.json
index 50d7a25ca1..69d507d859 100644
--- a/mobile-attack/relationship/relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b.json
+++ b/mobile-attack/relationship/relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b.json
@@ -1,12 +1,13 @@
 {
 "type": "bundle",
- "id": "bundle--316a33d4-a063-4ad8-b939-3d93ccf68064",
+ "id": "bundle--0e81a917-f2d7-4471-8388-c2e20307c604",
 "spec_version": "2.0",
 "objects": [
 {
 "type": "relationship",
 "id": "relationship--e95ac47c-8822-4ce5-bd65-f61ca873854b",
 "created": "2023-09-28T17:21:15.893Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "revoked": false,
 "external_references": [
 {
@@ -18,16 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-09-28T17:21:15.893Z",
+ "modified": "2025-04-16T21:52:17.682Z",
 "description": "[Escobar](https://attack.mitre.org/software/S1092) can collect application keylogs.(Citation: Bleeipng Computer Escobar)",
 "relationship_type": "uses",
 "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a",
 "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.2.0",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7.json b/mobile-attack/relationship/relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7.json
index 7de233c6fd..839c7294a3 100644
--- a/mobile-attack/relationship/relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7.json
+++ b/mobile-attack/relationship/relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--743134da-9191-4c24-b7c5-6789d9ee714f",
+ "id": "bundle--c43ea51f-3192-4802-97ae-844e7a2c508e",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7",
 "type": "relationship",
+ "id": "relationship--e9607e4f-5743-4bbb-b7d4-5554d66c8be7",
 "created": "2019-08-07T15:57:13.388Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Kaspersky Riltok June 2019",
- "url": "https://securelist.com/mobile-banker-riltok/91374/",
- "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019."
+ "description": "Tatyana Shishkova. (2019, June 25). Riltok mobile Trojan: A banker with global reach. Retrieved August 7, 2019.",
+ "url": "https://securelist.com/mobile-banker-riltok/91374/"
 }
 ],
- "modified": "2019-09-18T13:44:13.453Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:17.876Z",
 "description": "[Riltok](https://attack.mitre.org/software/S0403) injects input to set itself as the default SMS handler by clicking the appropriate places on the screen. It can also close or minimize targeted antivirus applications and the device security settings screen.(Citation: Kaspersky Riltok June 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--c0efbaae-9e7d-4716-a92d-68373aac7424",
 "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json b/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json
index c821058cd4..00db91e368 100644
--- a/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json
+++ b/mobile-attack/relationship/relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--2b1be971-5ce3-474a-a925-ae557216544e",
+ "id": "bundle--384ab40c-b5c2-4f0c-9a52-59c5362fcd2d",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb",
 "type": "relationship",
+ "id": "relationship--e99fd1c9-441f-41bc-83a1-e7bed8f2d7fb",
 "created": "2020-12-17T20:15:22.444Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Palo Alto HenBox",
- "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/",
- "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019."
+ "description": "A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.",
+ "url": "https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/"
 }
 ],
- "modified": "2020-12-17T20:15:22.444Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:18.071Z",
 "description": "[HenBox](https://attack.mitre.org/software/S0544) can load additional Dalvik code while running.(Citation: Palo Alto HenBox)",
 "relationship_type": "uses",
 "source_ref": "malware--aef537ba-10c2-40ed-a57a-80b8508aada4",
 "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e9b262ba-1c32-40b3-8622-121b30d6df50.json b/mobile-attack/relationship/relationship--e9b262ba-1c32-40b3-8622-121b30d6df50.json
index 4da21a0b2b..82a4a91ef6 100644
--- a/mobile-attack/relationship/relationship--e9b262ba-1c32-40b3-8622-121b30d6df50.json
+++ b/mobile-attack/relationship/relationship--e9b262ba-1c32-40b3-8622-121b30d6df50.json
@@ -1,30 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--cc4338f7-6a92-4a03-9055-c9606ca5d5b6",
+ "id": "bundle--39f5909a-3411-4228-84fd-3cf30c25793b",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--e9b262ba-1c32-40b3-8622-121b30d6df50",
 "type": "relationship",
+ "id": "relationship--e9b262ba-1c32-40b3-8622-121b30d6df50",
 "created": "2019-10-10T15:14:57.378Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
 "external_references": [
 {
 "source_name": "SWB Exodus March 2019",
- "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html",
- "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019."
+ "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html"
 }
 ],
- "modified": "2019-10-10T15:14:57.378Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:18.275Z",
 "description": "[Exodus](https://attack.mitre.org/software/S0405) Two can extract information on pictures from the Gallery, Chrome and SBrowser bookmarks, and the connected WiFi network's password.(Citation: SWB Exodus March 2019)",
 "relationship_type": "uses",
 "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb",
 "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e.json b/mobile-attack/relationship/relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e.json
index 2f60fedcde..25c51b9cde 100644
--- a/mobile-attack/relationship/relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e.json
+++ b/mobile-attack/relationship/relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--5f66be1f-bde6-4836-8ea0-5848756f7614",
+ "id": "bundle--57d624b0-5df7-4799-85b0-e052a553299c",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e",
 "type": "relationship",
+ "id": "relationship--e9c5deb9-30d4-4bc3-98ca-6089d4b74b1e",
 "created": "2020-12-24T21:55:56.745Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Lookout Uyghur Campaign",
- "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf",
- "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020."
+ "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020.",
+ "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf"
 }
 ],
- "modified": "2020-12-24T21:55:56.745Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:18.502Z",
 "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed the list of installed apps.(Citation: Lookout Uyghur Campaign)",
 "relationship_type": "uses",
 "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68",
 "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7.json b/mobile-attack/relationship/relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7.json
index 0ca9380654..dd0f8a55da 100644
--- a/mobile-attack/relationship/relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7.json
+++ b/mobile-attack/relationship/relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7.json
@@ -1,30 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--259e62ba-c5c1-4eb7-8ecd-a8392f24f016",
+ "id": "bundle--e588b74f-f824-4127-a67a-1fd36f972369",
 "spec_version": "2.0",
 "objects": [
 {
+ "type": "relationship",
+ "id": "relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Wandera-RedDrop",
+ "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "id": "relationship--e9cbc901-38cb-4895-9dfb-7a4fe10ba6d7",
- "type": "relationship",
- "created": "2018-10-17T00:14:20.652Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "external_references": [
- {
- "url": "https://www.wandera.com/reddrop-malware/",
- "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
- "source_name": "Wandera-RedDrop"
- }
- ],
- "modified": "2019-10-15T19:56:13.162Z",
+ "modified": "2025-04-16T21:52:18.719Z",
 "description": "[RedDrop](https://attack.mitre.org/software/S0326) exfiltrates details of the victim device operating system and manufacturer.(Citation: Wandera-RedDrop)",
 "relationship_type": "uses",
 "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
 "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc.json b/mobile-attack/relationship/relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc.json
index dc10cacadd..1eb31b8ce5 100644
--- a/mobile-attack/relationship/relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc.json
+++ b/mobile-attack/relationship/relationship--e9d5992e-04ef-4835-87df-cf6434dcabbc.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--43037d51-2621-4c45-a6cf-2af1465020c7",
+ "id": "bundle--7b792347-4c1a-44f7-8081-7defb134d2be",
 "spec_version": "2.0",
 "objects": [
 {
@@ -12,15 +12,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-08-09T15:51:08.240Z",
+ "modified": "2025-04-16T21:52:18.914Z",
 "description": "Application vetting services may be able to detect known privilege escalation exploits contained within applications, as well as searching application packages for strings that correlate to known password store locations.",
 "relationship_type": "detects",
 "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962",
 "target_ref": "attack-pattern--8605a0ec-b44a-4e98-a7fc-87d4bd3acb66",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "0.1",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7.json b/mobile-attack/relationship/relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7.json
index 652b0e3f6b..ac518562dd 100644
--- a/mobile-attack/relationship/relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7.json
+++ b/mobile-attack/relationship/relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--a54eceb8-4fea-4c81-aad4-b86cb2156bc8",
+ "id": "bundle--f47eb11f-bd78-4bc9-aa2d-d77803840c38",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7",
 "type": "relationship",
+ "id": "relationship--ea2ad242-4365-4868-8beb-4a634f3ba6b7",
 "created": "2020-11-24T17:55:12.822Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
 "source_name": "Talos GPlayed",
- "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html",
- "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020."
+ "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.",
+ "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html"
 }
 ],
- "modified": "2020-11-24T17:55:12.822Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:19.114Z",
 "description": "[GPlayed](https://attack.mitre.org/software/S0536) can request the device\u2019s location.(Citation: Talos GPlayed)",
 "relationship_type": "uses",
 "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a",
 "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--eb052029-e1c9-4f24-8594-299aaec7f1df.json b/mobile-attack/relationship/relationship--eb052029-e1c9-4f24-8594-299aaec7f1df.json
index 4ec1059811..7ac7aa3043 100644
--- a/mobile-attack/relationship/relationship--eb052029-e1c9-4f24-8594-299aaec7f1df.json
+++ b/mobile-attack/relationship/relationship--eb052029-e1c9-4f24-8594-299aaec7f1df.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--6e092654-7b50-4d53-8e73-f8aadbe33f7e",
+ "id": "bundle--8f08a54c-b249-475f-abe3-58e3bbcafc06",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:42:46.952Z",
+ "modified": "2025-04-16T21:52:19.328Z",
 "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can collect the device\u2019s call log.(Citation: Sophos Red Alert 2.0)",
 "relationship_type": "uses",
 "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8",
 "target_ref": "attack-pattern--1d1b1558-c833-482e-aabb-d07ef6eae63d",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93.json b/mobile-attack/relationship/relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93.json
index aa7488eb29..77a0fef95a 100644
--- a/mobile-attack/relationship/relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93.json
+++ b/mobile-attack/relationship/relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93.json
@@ -1,30 +1,30 @@
 {
 "type": "bundle",
- "id": "bundle--7f146596-f80f-441a-b9e8-91882b226b3a",
+ "id": "bundle--55f3f206-1b52-40d3-90f9-afd89c27c078",
 "spec_version": "2.0",
 "objects": [
 {
- "object_marking_refs": [
- "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
- ],
- "id": "relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93",
 "type": "relationship",
+ "id": "relationship--eb1eeb37-37a8-47b6-aff8-9703735a4d93",
 "created": "2020-09-11T15:50:18.937Z",
 "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "external_references": [
 {
+ "source_name": "ThreatFabric Ginp",
 "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.",
- "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html",
- "source_name": "ThreatFabric Ginp"
+ "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html"
 }
 ],
- "modified": "2020-09-11T15:50:18.937Z",
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:19.530Z",
 "description": "[Ginp](https://attack.mitre.org/software/S0423) can send SMS messages.(Citation: ThreatFabric Ginp)",
 "relationship_type": "uses",
 "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b",
 "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e.json b/mobile-attack/relationship/relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e.json
index 609f145b71..f16c00a860 100644
--- a/mobile-attack/relationship/relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e.json
+++ b/mobile-attack/relationship/relationship--eb27258f-6bb9-49b5-928e-b66f37f8f16e.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--e329c981-0969-4f46-91ab-695d4e409b4d",
+ "id": "bundle--e8f73dd9-95d9-4cea-ada0-81a052dd8a20",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T21:24:55.047Z",
+ "modified": "2025-04-16T21:52:19.725Z",
 "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) requests Android Device Administrator access.(Citation: TrendMicro-XLoader)",
 "relationship_type": "uses",
 "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c",
 "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5.json b/mobile-attack/relationship/relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5.json
index 8f603e6671..6210fc57f8 100644
--- a/mobile-attack/relationship/relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5.json
+++ b/mobile-attack/relationship/relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5.json
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7c3c5bbf-d311-4e85-9543-dc8a0c698414", + "id": "bundle--dc5bae1e-40cf-47a6-a0f1-37504031034e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--eb58117c-5803-4f72-a499-5fa888a9a7a5", "created": "2022-04-06T15:47:06.163Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:19.918Z", "description": "", - "modified": "2022-04-06T15:47:06.163Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--939808a7-121d-467a-b028-4441ee8b7cee", "target_ref": "attack-pattern--c6a146ae-9c63-4606-97ff-e261e76e8380", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa.json b/mobile-attack/relationship/relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa.json index af8496be43..1143819775 100644 --- a/mobile-attack/relationship/relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa.json +++ b/mobile-attack/relationship/relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--1cf5bce1-27ea-43e5-aadb-e376b8d2f0d8", + "id": "bundle--dbc81e07-dc10-4940-bbd0-979f8973a005", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--eb69d3c1-aa16-429e-9b72-c1a993e584fa", "created": "2023-07-14T19:11:45.176Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-14T19:11:45.176Z", + "modified": "2025-04-16T21:52:20.122Z", "description": "Unexpected behavior from an application could be an indicator of masquerading.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json b/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json index 862977a33b..1374c0508e 100644 --- a/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json +++ b/mobile-attack/relationship/relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041.json 
@@ -1,23 +1,23 @@ { "type": "bundle", - "id": "bundle--6c67e195-545d-445f-a892-beddb034bb9d", + "id": "bundle--f25ca316-30cb-406f-b342-badb9ec5e074", "spec_version": "2.0", "objects": [ { + "type": "relationship", + "id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041", + "created": "2017-10-25T14:48:53.742Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "relationship--eb6dbe2a-6f76-4bce-ab37-66ec67148041", - "type": "relationship", - "created": "2017-10-25T14:48:53.742Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2020-06-24T15:08:18.481Z", + "modified": "2025-04-16T21:52:20.326Z", "description": "Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eb784dcf-4188-47e2-9217-837b262acfb9.json b/mobile-attack/relationship/relationship--eb784dcf-4188-47e2-9217-837b262acfb9.json index 894a817f08..1a9ea1452f 100644 --- a/mobile-attack/relationship/relationship--eb784dcf-4188-47e2-9217-837b262acfb9.json +++ b/mobile-attack/relationship/relationship--eb784dcf-4188-47e2-9217-837b262acfb9.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--850307d4-0435-425f-bae8-5ba4ce3a56f9", + "id": "bundle--910741f8-cd5b-4f3e-ac7e-1cc8afbe1823", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--eb784dcf-4188-47e2-9217-837b262acfb9", "created": "2022-04-01T18:43:01.860Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:20.523Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", - "modified": "2022-04-01T18:43:01.860Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--20b0931a-8952-42ca-975f-775bad295f1a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3.json b/mobile-attack/relationship/relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3.json index 2dc9e3ea6f..cb1fabca5f 100644 --- a/mobile-attack/relationship/relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3.json +++ b/mobile-attack/relationship/relationship--eba4b561-84c9-4d49-a8b8-1842c3ed94f3.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--28b7e324-6c85-43c1-8565-f9590ee90390", + "id": "bundle--e563b273-f612-4ea4-b869-178b758d2e1d", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T17:25:11.903Z", + "modified": "2025-04-16T21:52:20.729Z", "description": "[AbstractEmu](https://attack.mitre.org/software/S1061) can grant itself contact list access.(Citation: lookout_abstractemu_1021)", "relationship_type": "uses", "source_ref": "malware--2aec175b-4429-4048-8e09-3ef6cbecfc64", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9.json b/mobile-attack/relationship/relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9.json new file mode 100644 index 0000000000..22ab996b62 --- /dev/null +++ b/mobile-attack/relationship/relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--fd54e3fe-15b5-4e40-89fe-82810c13b956", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9", + "created": "2025-03-24T20:12:48.858Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:20.920Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed a list of installed applications.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ec6ec329-a758-4259-a5f8-789cfef78a53.json b/mobile-attack/relationship/relationship--ec6ec329-a758-4259-a5f8-789cfef78a53.json new file mode 100644 index 0000000000..4c5c1de8f1 --- /dev/null +++ b/mobile-attack/relationship/relationship--ec6ec329-a758-4259-a5f8-789cfef78a53.json 
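Review bot: The added `description` value in relationship--ec30f169-9cf3-45c3-9a02-cda318107ba9 ends with a stray space before its closing quote, `...(Citation: LinkedIn Dmitry LightSpy 2025) "`; it should end `...(Citation: LinkedIn Dmitry LightSpy 2025)"`. The same trailing space appears in the descriptions of three other files this commit adds: relationship--ec6ec329 (TriangleDB), relationship--ec74ab89 and relationship--ed9bf71f. Tooling that compares, hashes or de-duplicates on the description text would presumably treat the padded and trimmed strings as different values, so trimming once at export is cheaper than normalising in every consumer.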
@@ -0,0 +1,32 @@
+{
+ "type": "bundle",
+ "id": "bundle--57a48c67-6ffb-4c2b-85e6-478ad03b290f",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ec6ec329-a758-4259-a5f8-789cfef78a53",
+ "created": "2025-03-28T14:35:59.141Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "SecureList OpTriangulation 21Jun2023",
+ "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.",
+ "url": "https://securelist.com/triangledb-triangulation-implant/110050/"
+ }
+ ],
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:21.112Z",
+ "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has collected and sent information on the device\u2019s IMEI, MEID, serial number and other device information.(Citation: SecureList OpTriangulation 21Jun2023) ",
+ "relationship_type": "uses",
+ "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f",
+ "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ec734b52-a823-495c-9684-c4649269723e.json b/mobile-attack/relationship/relationship--ec734b52-a823-495c-9684-c4649269723e.json
index 49342cb0be..42f0f95c54 100644
--- a/mobile-attack/relationship/relationship--ec734b52-a823-495c-9684-c4649269723e.json
+++ b/mobile-attack/relationship/relationship--ec734b52-a823-495c-9684-c4649269723e.json
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--db6e2ae8-76d9-4848-b597-8baa9d2b73cd", + "id": "bundle--a50c7b31-46fc-476e-b462-5bdf431aa908", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ec734b52-a823-495c-9684-c4649269723e", "created": "2023-09-28T17:22:03.028Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:22:03.028Z", + "modified": "2025-04-16T21:52:21.341Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can uninstall itself and other applications.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4.json b/mobile-attack/relationship/relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4.json new file mode 100644 index 0000000000..d83e5a8b21 --- /dev/null +++ b/mobile-attack/relationship/relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4.json 
@@ -0,0 +1,25 @@
+{
+ "type": "bundle",
+ "id": "bundle--bc5f1ea3-3bcb-43d6-97b4-7b1cda258734",
+ "spec_version": "2.0",
+ "objects": [
+ {
+ "type": "relationship",
+ "id": "relationship--ec74ab89-4a60-4ab2-a92f-4c5c3b7552a4",
+ "created": "2025-03-14T17:57:47.876Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "object_marking_refs": [
+ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
+ ],
+ "modified": "2025-04-16T21:52:21.545Z",
+ "description": "Users should be encouraged to only install apps from authorized app stores, which are less likely to contain malicious applications. ",
+ "relationship_type": "mitigates",
+ "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1",
+ "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
+ }
+ ]
+}
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0.json b/mobile-attack/relationship/relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0.json
index 3d815ccbc0..9f3d67ea68 100644
--- a/mobile-attack/relationship/relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0.json
+++ b/mobile-attack/relationship/relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0.json
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7c9a139b-e05d-400e-86e7-d8e7d272da9e", + "id": "bundle--6c1b431a-7761-436d-a669-43b791b57f1c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ec819008-396a-4ca3-b8d3-fda7f28128d0", "created": "2023-08-14T16:33:56.635Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:33:56.635Z", + "modified": "2025-04-16T21:52:21.762Z", "description": "Many properly configured firewalls may naturally block command and control traffic.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42.json b/mobile-attack/relationship/relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42.json index 6eb37740a1..575f8bbd62 100644 --- a/mobile-attack/relationship/relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42.json +++ b/mobile-attack/relationship/relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--92524594-aac6-41d3-9c19-b97d0c69ffc1", + "id": "bundle--289788a6-2bc4-4afd-af40-651802856809", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42", "type": "relationship", + "id": "relationship--eca02e5c-f8de-4436-a7dd-0f656c759a42", "created": "2021-10-01T14:42:48.913Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "modified": "2021-10-06T15:32:46.477Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:21.955Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can use its keylogger module to take screenshots of the area of the screen that the user tapped.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d.json b/mobile-attack/relationship/relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d.json index a7e62ee24e..47e97e4290 100644 --- a/mobile-attack/relationship/relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d.json +++ b/mobile-attack/relationship/relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ee64a540-550d-4d95-a64f-89dbce0c836f", + "id": "bundle--d81ee256-95c6-482d-ba15-2e552acfa13d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d", "type": "relationship", + "id": "relationship--eca69d9c-7c27-4147-ad7a-a1c30317df1d", "created": "2019-08-09T18:06:11.672Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf", + "source_name": "Lookout Dark Caracal Jan 2018", "description": "Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.", - "source_name": "Lookout Dark Caracal Jan 2018" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" } ], - "modified": "2019-08-09T18:06:11.672Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:22.161Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) can take pictures with both the front and rear-facing cameras.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ece70dca-803c-4209-8792-7e56e9901288.json b/mobile-attack/relationship/relationship--ece70dca-803c-4209-8792-7e56e9901288.json index 18117133a3..0158ebfaf0 100644 
--- a/mobile-attack/relationship/relationship--ece70dca-803c-4209-8792-7e56e9901288.json +++ b/mobile-attack/relationship/relationship--ece70dca-803c-4209-8792-7e56e9901288.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a964ab7f-60f9-4779-b1ec-900b24004c51", + "id": "bundle--98a0dcda-de89-4935-b382-328525d30848", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:38:15.470Z", + "modified": "2025-04-16T21:52:22.374Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can delete all data from an infected device.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a.json b/mobile-attack/relationship/relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a.json index 03e69fb00c..50ec6bbae7 100644 --- a/mobile-attack/relationship/relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a.json +++ b/mobile-attack/relationship/relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--f69b14cf-645e-4948-9851-38178dc8aa72", + "id": "bundle--78ffd093-03d5-4540-8fd8-a08aaf36e07a", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a", "type": "relationship", + "id": "relationship--eceeb39e-887c-4a9b-a93b-a6fd768e455a", "created": "2020-07-15T20:20:59.186Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.186Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:22.572Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access device configuration information and status, including Android version, battery level, device model, country, and SIM operator.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ed3293cf-de4f-4a73-98af-24325e8187c9.json b/mobile-attack/relationship/relationship--ed3293cf-de4f-4a73-98af-24325e8187c9.json index 7eeb196395..f2fcb252f0 100644 --- a/mobile-attack/relationship/relationship--ed3293cf-de4f-4a73-98af-24325e8187c9.json +++ b/mobile-attack/relationship/relationship--ed3293cf-de4f-4a73-98af-24325e8187c9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--95b493f9-479b-4bce-b575-240eff0897aa", + "id": "bundle--5f2ba7b1-14fc-4918-9166-9c302a2ff625", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:51:43.135Z", + "modified": "2025-04-16T21:52:22.777Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) can detect if it is running on a rooted device or an emulator.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--6ffad4be-bfe0-424f-abde-4d9a84a800ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ed48a86f-e55f-4abf-8f18-98591b756399.json b/mobile-attack/relationship/relationship--ed48a86f-e55f-4abf-8f18-98591b756399.json index ac48c25dbd..3e9196748f 100644 --- a/mobile-attack/relationship/relationship--ed48a86f-e55f-4abf-8f18-98591b756399.json +++ b/mobile-attack/relationship/relationship--ed48a86f-e55f-4abf-8f18-98591b756399.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--0aee2017-28dc-49ac-bb64-d2e393bc56dc", + "id": "bundle--565adf77-b089-4cd6-b839-b0f1cc9543a9", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ed48a86f-e55f-4abf-8f18-98591b756399", "created": "2023-03-03T16:19:30.443Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:19:30.443Z", + "modified": "2025-04-16T21:52:22.973Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has hidden the app icon from iOS springboard.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d.json b/mobile-attack/relationship/relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d.json index eebecefce8..3e15a2e4c7 100644 --- a/mobile-attack/relationship/relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d.json +++ b/mobile-attack/relationship/relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--b7634c61-ac85-4ec4-9994-b9a4cd3b6f32", + "id": "bundle--8a514eea-412a-4fdd-8cfd-ec2d7e344327", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ed6ebdd2-0095-4241-b3fc-7fc22366ec0d", "created": "2024-04-02T19:24:58.885Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "fb_arid_viper", - "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved March 4, 2024.", - "url": "https://web.archive.org/web/20231126111812/https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" + "description": "Flossman, M., Scott, M. (2021, April). Technical Paper // Taking Action Against Arid Viper. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20231126111812/https:/about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-02T19:24:58.885Z", + "modified": "2025-04-16T21:52:23.164Z", "description": "[Phenakite](https://attack.mitre.org/software/S1126) has included exploits for jailbreaking infected devices.(Citation: fb_arid_viper)", "relationship_type": "uses", "source_ref": "malware--f97e2718-af50-41df-811f-215ebab45691", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--ed7e9368-004c-484f-9eed-03b158325564.json b/mobile-attack/relationship/relationship--ed7e9368-004c-484f-9eed-03b158325564.json index c43b06fd3e..492f2496c9 100644 --- a/mobile-attack/relationship/relationship--ed7e9368-004c-484f-9eed-03b158325564.json +++ b/mobile-attack/relationship/relationship--ed7e9368-004c-484f-9eed-03b158325564.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5c684a9c-25fa-4c0e-9174-f7b9e0a5b730", + "id": "bundle--eb3f468e-1fd5-4b5f-80f0-13c3154de426", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T14:39:38.390Z", + "modified": "2025-04-16T21:52:23.379Z", "description": "Application vetting services could look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because as legitimate software may use packing techniques to reduce binary size or to protect proprietary code.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--51636761-2e35-44bf-9e56-e337adf97174", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6.json b/mobile-attack/relationship/relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6.json new file mode 100644 index 0000000000..03a730d621 --- /dev/null +++ b/mobile-attack/relationship/relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6.json 
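Review bot: The `description` carried through the second hunk of relationship--ed7e9368 still reads "because as legitimate software may use packing techniques", a grammar slip in the one sentence that tells analysts not to treat packing as conclusive. Since `modified` is bumped here anyway, the sentence should become `Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.` The object begins above this hunk, so the rest of it is not visible here.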
@@ -0,0 +1,25 @@ +{ + "type": "bundle", + "id": "bundle--973c8d1e-a9d4-4bdd-bf0c-e333c8be173f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6", + "created": "2025-03-14T17:58:15.093Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:23.576Z", + "description": "Monitor for API calls that are related to GooglePlayServices. ", + "relationship_type": "detects", + "source_ref": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "target_ref": "attack-pattern--8e097ec5-1755-41d6-807c-3882442b818a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json b/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json index d4bf7eaa6c..8b14a2eba0 100644 --- a/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json +++ b/mobile-attack/relationship/relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--8d4497b4-8be6-4f68-8188-73556adc7845", + "id": "bundle--1c89a015-d790-4c2f-850d-d89c43c117d3", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--eda3c5c4-d062-48d3-a78e-051f0c9d62f6", "created": "2023-02-28T20:31:55.191Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
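Review bot: The `description` of the new `detects` relationship `relationship--ed9bf71f-4367-4106-9b80-07b126edd3f6` gives an analyst nothing to act on. The text "Monitor for API calls that are related to GooglePlayServices. " names neither the calls of interest nor what separates abusive use from routine use of that API surface. As written it would likely match a large share of ordinary apps, so it cannot drive a vetting rule or an alert on its own. I would have the text name the API family tied to the target technique and the condition that makes a call suspicious, and strip the trailing space so the string ends `...GooglePlayServices."`.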
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-02-28T20:31:55.191Z", + "modified": "2025-04-16T21:52:23.780Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can access app notifications.(Citation: proofpoint_flubot_0421)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ede5c314-5988-4151-bb30-b6a6983d02c0.json b/mobile-attack/relationship/relationship--ede5c314-5988-4151-bb30-b6a6983d02c0.json index a56b5e7cb4..d5d226d1e0 100644 --- a/mobile-attack/relationship/relationship--ede5c314-5988-4151-bb30-b6a6983d02c0.json +++ b/mobile-attack/relationship/relationship--ede5c314-5988-4151-bb30-b6a6983d02c0.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--02b8838e-e5fa-444f-ace6-ac5981ccf423", + "id": "bundle--06261c7c-f7ad-4d25-b378-0a04a4043d17", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--ede5c314-5988-4151-bb30-b6a6983d02c0", "created": "2020-12-31T18:25:05.164Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "CYBERWARCON CHEMISTGAMES", - "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w", - "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020." + "description": "B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.", + "url": "https://www.youtube.com/watch?v=xoNSbm1aX_w" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:23.974Z", "description": "[CHEMISTGAMES](https://attack.mitre.org/software/S0555) has been distributed as updates to legitimate applications. 
This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.(Citation: CYBERWARCON CHEMISTGAMES)", - "modified": "2022-04-15T15:16:53.317Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a0d774e4-bafc-4292-8651-3ec899391341", "target_ref": "attack-pattern--9558a84e-2d5e-4872-918e-d847494a8ffc", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb.json b/mobile-attack/relationship/relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb.json index 8330c0ce3e..51049220da 100644 --- a/mobile-attack/relationship/relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb.json +++ b/mobile-attack/relationship/relationship--edfb68d0-5efd-4fb5-93f9-c432535686cb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2be184f5-7928-4f22-b1b0-dea5fd3e6bc9", + "id": "bundle--4d6e1bbc-79fb-4049-88f0-a7218f307768", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:56:00.761Z", + "modified": "2025-04-16T21:52:24.172Z", "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) can collect device contacts.(Citation: CyberMerchants-FlexiSpy)", "relationship_type": "uses", "source_ref": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ee095f20-eef5-4dcc-a537-70b387592c2c.json b/mobile-attack/relationship/relationship--ee095f20-eef5-4dcc-a537-70b387592c2c.json index 598b9e8444..8651e15e45 100644 --- a/mobile-attack/relationship/relationship--ee095f20-eef5-4dcc-a537-70b387592c2c.json +++ b/mobile-attack/relationship/relationship--ee095f20-eef5-4dcc-a537-70b387592c2c.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--34d0177a-08c1-4437-8928-7c6acfb19d35", + "id": "bundle--e7d44a15-e554-4607-b647-86352eb29d82", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-31T22:15:20.089Z", + "modified": "2025-04-16T21:52:24.379Z", "description": "[FluBot](https://attack.mitre.org/software/S1067) can use Accessibility Services to make removal of the malicious app difficult.(Citation: bitdefender_flubot_0524)", "relationship_type": "uses", "source_ref": "malware--f5ff006c-702f-4ded-8e60-ca6c540d91bc", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9.json b/mobile-attack/relationship/relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9.json index 572fa0ff51..d34f356e39 100644 --- a/mobile-attack/relationship/relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9.json +++ b/mobile-attack/relationship/relationship--ee92911e-e2a2-4b40-916d-ce01b6e897f9.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--65632b86-deaf-496e-9127-623481dcce53", + "id": "bundle--a75f3515-2887-4845-8cf4-a0b8c63b0bb0", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:56:18.859Z", + "modified": "2025-04-16T21:52:24.580Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) can collect the device\u2019s contact list.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f.json b/mobile-attack/relationship/relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f.json index 459b79eef7..6bd76f5625 100644 --- a/mobile-attack/relationship/relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f.json +++ b/mobile-attack/relationship/relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4c24fa40-dc12-4320-ae97-a25c0e161b1d", + "id": "bundle--4de655da-8719-4f05-af93-907dc1f3e5e2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f", "type": "relationship", + "id": "relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f", "created": "2019-09-23T13:36:08.448Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "securelist rotexy 2018", "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "source_name": "securelist rotexy 2018" + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], - "modified": "2019-10-15T19:56:50.651Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:24.778Z", "description": "[Rotexy](https://attack.mitre.org/software/S0411) collects information about the compromised device, including phone number, network operator, OS version, device model, and the device registration country.(Citation: securelist rotexy 2018)", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
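Review bot: The rewritten object `relationship--ee9c1a8c-5f84-4571-8518-300a6412df0f` is emitted without `revoked` and `x_mitre_deprecated`, while other objects rewritten in this commit (for example `relationship--ede5c314-5988-4151-bb30-b6a6983d02c0`) gain both as explicit `false`. The same gap is in the later hunks for `relationship--f0851531-e554-4658-920c-f2342632c19a` and `relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1`. A consumer that filters live relationships with a strict equality test on these keys, rather than treating a missing key as false, would drop or mishandle these three. I would emit `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` so every object in the release has the same shape.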
diff --git a/mobile-attack/relationship/relationship--eee008fa-a46f-4542-93e3-8fe5f949130f.json b/mobile-attack/relationship/relationship--eee008fa-a46f-4542-93e3-8fe5f949130f.json index eca8362934..c0d2f8b86f 100644 --- a/mobile-attack/relationship/relationship--eee008fa-a46f-4542-93e3-8fe5f949130f.json +++ b/mobile-attack/relationship/relationship--eee008fa-a46f-4542-93e3-8fe5f949130f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e39f896e-295a-434c-ad9a-bcd486e08502", + "id": "bundle--41e9697e-9dcd-47ff-8f42-84da609e4856", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T21:08:51.234Z", + "modified": "2025-04-16T21:52:24.983Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if Wi-Fi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671.json b/mobile-attack/relationship/relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671.json index 661094cd9b..4f89ad161a 100644 --- a/mobile-attack/relationship/relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671.json +++ b/mobile-attack/relationship/relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--875a5858-4830-4370-9012-6441e3d79844", + "id": "bundle--9a5cb3ab-4ee0-4969-88fb-019b09c040f5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--eef4ffb7-892d-4d3f-826c-0b78d1f22671", "created": "2021-02-08T16:36:20.709Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:25.183Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has encrypted C2 communications using AES in CBC mode during Operation BULL and Operation ROCK.(Citation: BlackBerry Bahamut)", - "modified": "2022-04-18T16:07:26.671Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f.json b/mobile-attack/relationship/relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f.json index ac36dab5ff..33f81cb307 100644 --- a/mobile-attack/relationship/relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f.json +++ b/mobile-attack/relationship/relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f.json 
@@ -1,38 +1,37 @@ { "type": "bundle", - "id": "bundle--64fbd29d-0fae-4e93-b2b5-94c5eb8d4f33", + "id": "bundle--dd95c557-7fca-42ef-ac09-fd29c0d4c9ef", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--eef8fb1f-3e8c-44d7-b0d1-1fbad81e392f", "created": "2019-07-16T14:33:12.107Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Kaspersky Triada June 2016", - "url": "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/", - "description": "Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019." + "description": "Kivva, A. (2016, June 6). Everyone sees not what they want to see. Retrieved July 16, 2019.", + "url": "https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/" }, { "source_name": "Google Triada June 2019", - "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html", - "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. Retrieved July 16, 2019." + "description": "Lukasz Siewierski. (2019, June 6). PHA Family Highlights: Triada. 
Retrieved July 16, 2019.", + "url": "https://security.googleblog.com/2019/06/pha-family-highlights-triada.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:25.404Z", "description": "[Triada](https://attack.mitre.org/software/S0424) can redirect ad banner URLs on websites visited by the user to specific ad URLs.(Citation: Google Triada June 2019)(Citation: Kaspersky Triada June 2016) ", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--f082fc59-0317-49cf-971f-a1b6296ebb52", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005.json b/mobile-attack/relationship/relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005.json index 0463e82ab7..5e1eb22334 100644 --- a/mobile-attack/relationship/relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005.json +++ b/mobile-attack/relationship/relationship--ef792cb5-cb1f-4871-a2ef-20e6150d4005.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--27da2b4a-9b13-4f7c-80ec-a8d4b07c3057", + "id": "bundle--e4b0d8ea-bd95-4f2d-a328-1582d5709e7d", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:57.735Z", + "modified": "2025-04-16T21:52:25.602Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has been embedded into trojanized versions of applications such as Voxer, TalkBox, and Amaq News.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--efd35b6f-7a61-4998-97ff-608547e40f66.json b/mobile-attack/relationship/relationship--efd35b6f-7a61-4998-97ff-608547e40f66.json index 990fc93df4..e32620a00d 100644 --- a/mobile-attack/relationship/relationship--efd35b6f-7a61-4998-97ff-608547e40f66.json +++ b/mobile-attack/relationship/relationship--efd35b6f-7a61-4998-97ff-608547e40f66.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--22ecfb1a-6622-4d7b-aaa6-4c5b398bd7cd", + "id": "bundle--6fbf5201-4b2f-4ecb-aec8-d16e85e6eb1c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--efd35b6f-7a61-4998-97ff-608547e40f66", "created": "2019-10-01T14:23:44.054Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "securelist rotexy 2018", - "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/", - "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019." + "description": "T. Shishkova, L. Pikman. (2018, November 22). The Rotexy mobile Trojan \u2013 banker and ransomware. Retrieved September 23, 2019.", + "url": "https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:25.810Z", "description": " [Rotexy](https://attack.mitre.org/software/S0411) encrypts JSON HTTP payloads with AES.(Citation: securelist rotexy 2018) ", - "modified": "2022-04-18T16:07:57.631Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--0626c181-93cb-4860-9cb0-dff3b1c13063", "target_ref": "attack-pattern--bb4387ab-7a51-468b-bf5f-a9a8612f0303", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json b/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json index 6f95ebcaf1..8e45e3fdf0 100644 --- a/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json +++ b/mobile-attack/relationship/relationship--f012feab-5612-429f-81bd-ff75d6ffd04e.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--8508cfb7-e9c8-4247-88f9-d1eba4798c20", + "id": "bundle--49a8a34d-1be0-4e91-81aa-51df18f3c2a0", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f012feab-5612-429f-81bd-ff75d6ffd04e", "created": "2022-04-05T17:03:34.941Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:26.007Z", "description": "", - "modified": "2022-04-05T17:03:34.941Z", "relationship_type": "subtechnique-of", "source_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f051c943-998c-4db2-9dbc-d4755057bcf0.json b/mobile-attack/relationship/relationship--f051c943-998c-4db2-9dbc-d4755057bcf0.json index 7d878b126d..736e32c427 100644 
--- a/mobile-attack/relationship/relationship--f051c943-998c-4db2-9dbc-d4755057bcf0.json +++ b/mobile-attack/relationship/relationship--f051c943-998c-4db2-9dbc-d4755057bcf0.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--eab9cf85-3f3a-43fe-8f5a-4e51222911c9", + "id": "bundle--9cc50618-ddf5-4471-93dc-ee10897cc255", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f051c943-998c-4db2-9dbc-d4755057bcf0", "created": "2022-04-05T19:49:06.417Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:26.231Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", - "modified": "2022-04-05T19:49:06.417Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd.json b/mobile-attack/relationship/relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd.json index ee2598709a..866fc5e8d7 100644 --- a/mobile-attack/relationship/relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd.json 
+++ b/mobile-attack/relationship/relationship--f062ebc5-bad0-4b19-8c97-bf3915d687bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--480e88a4-9d65-4b66-83d7-3cf74a3130dd", + "id": "bundle--d5ad666b-d4a6-42c8-88e7-a61660b4024e", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:23:02.162Z", + "modified": "2025-04-16T21:52:26.424Z", "description": "Application vetting reports may show network communications performed by the application, including hosts, ports, protocols, and URLs. Further detection would most likely be at the enterprise level, through packet and/or netflow inspection. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--948a447c-d783-4ba0-8516-a64140fcacd5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f0851531-e554-4658-920c-f2342632c19a.json b/mobile-attack/relationship/relationship--f0851531-e554-4658-920c-f2342632c19a.json index 29f2b0052e..c3eb2edb8b 100644 --- a/mobile-attack/relationship/relationship--f0851531-e554-4658-920c-f2342632c19a.json +++ b/mobile-attack/relationship/relationship--f0851531-e554-4658-920c-f2342632c19a.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--3e6a86f2-77f9-46ea-93a7-b8f8bea6b294", + "id": "bundle--6680091f-d2d7-4975-9487-2a5707160c61", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f0851531-e554-4658-920c-f2342632c19a", "type": "relationship", + "id": "relationship--f0851531-e554-4658-920c-f2342632c19a", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2015/11/04/trojanized-adware/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:26.625Z", "description": "[ShiftyBug](https://attack.mitre.org/software/S0294) is packed with at least eight publicly available exploits that can perform rooting.(Citation: Lookout-Adware)", "relationship_type": "uses", "source_ref": "malware--c80a6bef-b3ce-44d0-b113-946e93124898", "target_ref": "attack-pattern--351c0927-2fc1-4a2c-ad84-cbbee7eb8172", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1.json b/mobile-attack/relationship/relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1.json index c380dc7a27..55d0b54d74 100644 --- a/mobile-attack/relationship/relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1.json +++ b/mobile-attack/relationship/relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e9f627d2-c294-47f5-9b2f-c6c42e11d566", + "id": "bundle--1e4a13e8-490f-49c2-8323-8db3dffd45d8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1", "type": "relationship", + "id": "relationship--f0a0005e-cc38-4f7a-ba49-21a4c48ae1a1", "created": "2020-07-15T20:20:59.284Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Bitdefender Mandrake", - "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf", - "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. Retrieved July 15, 2020." + "description": "R. Gevers, M. Tivadar, R. Bleotu, A. M. Barbatei, et al.. (2020, May 14). Uprooting Mandrake: The Story of an Advanced Android Spyware Framework That Went Undetected for 4 Years. 
Retrieved July 15, 2020.", + "url": "https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf" } ], - "modified": "2020-07-15T20:20:59.284Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:26.827Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can install attacker-specified components or applications.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--2bb20118-e6c0-41dc-a07c-283ea4dd0fb8", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f0e39856-4d2d-45c5-bf16-f683ee993010.json b/mobile-attack/relationship/relationship--f0e39856-4d2d-45c5-bf16-f683ee993010.json index 957929c541..719de666dd 100644 --- a/mobile-attack/relationship/relationship--f0e39856-4d2d-45c5-bf16-f683ee993010.json +++ b/mobile-attack/relationship/relationship--f0e39856-4d2d-45c5-bf16-f683ee993010.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--3af92c40-8a4f-4d70-a0cd-a7404ca3158f", + "id": "bundle--5faed67e-76c3-4de4-9f51-6b8d821e701e", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f0e39856-4d2d-45c5-bf16-f683ee993010", "created": "2022-03-30T18:18:15.915Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:27.026Z", "description": "", - "modified": "2022-03-30T18:18:15.915Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--cde2cb84-455e-410c-8aa9-086f2788bcd2", "target_ref": "attack-pattern--fcb11f06-ce0e-490b-bcc1-04a1623579f0", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc.json b/mobile-attack/relationship/relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc.json index ede9af76bd..5298de9270 100644 --- a/mobile-attack/relationship/relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc.json +++ b/mobile-attack/relationship/relationship--f1130c77-3d20-4c41-9e75-1953bf9b8abc.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e376ab91-4c14-428a-acef-69e1280f9bc1", + "id": "bundle--b34d4f00-09a6-47d3-85d3-5c0281b918e2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:40:48.237Z", + "modified": "2025-04-16T21:52:27.237Z", "description": "[eSurv](https://attack.mitre.org/software/S0507) has exfiltrated data using HTTP PUT requests.(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185.json b/mobile-attack/relationship/relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185.json new file mode 100644 index 0000000000..7a85da4bee --- /dev/null +++ b/mobile-attack/relationship/relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--8ff11f03-70a9-42fe-be18-124fc7e76270", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f1208f2a-f2e2-48bd-8fdc-d56b9442f185", + "created": "2025-03-24T20:08:17.941Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:27.430Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has accessed SMS messages.(Citation: MelikovBlackBerry LightSpy 2024)(Citation: Threatfabric LightSpy 2023)(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f157970b-4782-46d0-abdd-000ae6eea14b.json b/mobile-attack/relationship/relationship--f157970b-4782-46d0-abdd-000ae6eea14b.json index b659ad154e..502694dd50 100644 --- a/mobile-attack/relationship/relationship--f157970b-4782-46d0-abdd-000ae6eea14b.json +++ b/mobile-attack/relationship/relationship--f157970b-4782-46d0-abdd-000ae6eea14b.json 
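Review bot: The `LinkedIn Dmitry LightSpy 2025` reference gives its author as `Dmitry Bestuzhev.`, while the neighbouring entry uses the `Surname, I.` form (`Melikov, D.`); the same entry is repeated in relationship--f1c06c38. I would write the description as `Bestuzhev, D. (2025, April 7). The Coordinated Kill Switch: ...` and leave `source_name` untouched, since the `(Citation: LinkedIn Dmitry LightSpy 2025)` marker in `description` depends on it. The URL is also a live LinkedIn Pulse post, which may be less durable than the vendor blogs cited beside it. This patch already moves the Wandera-RedDrop reference to a web.archive.org snapshot, and an archived copy would suit here too; that URL is not on the page and would have to be looked up.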
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--35f64968-097c-4ea5-b15a-43b716033588", + "id": "bundle--087186c8-5dcf-43be-a55b-150d1c6081e3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f157970b-4782-46d0-abdd-000ae6eea14b", "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "", - "modified": "2022-04-06T15:41:33.832Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:27.624Z", + "description": "", "relationship_type": "revoked-by", "source_ref": "attack-pattern--b765efd1-02e6-4e67-aebf-0fef5c37e54b", "target_ref": "attack-pattern--d9db3d46-66ca-44b4-9daa-1ef97cb7465a", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f1c06c38-0f58-4789-9758-1e321394e03f.json b/mobile-attack/relationship/relationship--f1c06c38-0f58-4789-9758-1e321394e03f.json new file mode 100644 index 0000000000..add3d4f43f --- /dev/null +++ b/mobile-attack/relationship/relationship--f1c06c38-0f58-4789-9758-1e321394e03f.json 
@@ -0,0 +1,47 @@ +{ + "type": "bundle", + "id": "bundle--0ede9d62-d577-4840-8dfe-3ca1a6ff7bb9", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f1c06c38-0f58-4789-9758-1e321394e03f", + "created": "2025-03-24T17:49:09.480Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "MelikovBlackBerry LightSpy 2024", + "description": "Melikov, D. (2024, April 11). LightSpy Returns: Renewed Espionage Campaign Targets Southern Asia, Possibly India. Retrieved January 14, 2025.", + "url": "https://blogs.blackberry.com/en/2024/04/lightspy-returns-renewed-espionage-campaign-targets-southern-asia-possibly-india" + }, + { + "source_name": "Threatfabric LightSpy 2023", + "description": "ThreatFabric. (2023, October 2). LightSpy mAPT Mobile Payment System Attack. Retrieved January 17, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-mapt-mobile-payment-system-attack" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. 
Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:27.810Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185)'s main executable and modules use native libraries to execute targeted functionality.(Citation: Threatfabric LightSpy 2023)(Citation: MelikovBlackBerry LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)(Citation: Threatfabric LightSpy 2024) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--52eff1c7-dd30-4121-b762-24ae6fa61bbb", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150.json b/mobile-attack/relationship/relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150.json index c2ff2adcd4..30beaec654 100644 --- a/mobile-attack/relationship/relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150.json +++ b/mobile-attack/relationship/relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150.json 
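Review bot: The added `description` ends with a space between the final `(Citation: Threatfabric LightSpy 2024)` marker and the closing quote. relationship--f2e75022 (Binary Validator) has the same trailing space after `(Citation: SecureList OpTriangulation 23Oct2023)`. It is invisible when rendered but shows up in exact-match comparisons and as noise in the diff of a later release. I would trim it so the string ends `...(Citation: Threatfabric LightSpy 2024)",`.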
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--9eb4499f-12e1-44a0-b63e-4134184b3fe6", + "id": "bundle--d6477187-99c2-4c8d-9db6-f350c927592c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150", "type": "relationship", + "id": "relationship--f240e06c-3a5b-4a34-a69c-5fccb4c94150", "created": "2020-05-11T16:37:36.673Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "ThreatFabric Ginp", "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", - "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", - "source_name": "ThreatFabric Ginp" + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], - "modified": "2020-05-11T16:37:36.673Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:28.014Z", "description": " [Ginp](https://attack.mitre.org/software/S0423) can download device logs.(Citation: ThreatFabric Ginp) ", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665.json b/mobile-attack/relationship/relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665.json index fe75c77f3e..7ddadaf8b6 100644 --- a/mobile-attack/relationship/relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665.json 
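Review bot: The rewritten Ginp relationship has neither `revoked` nor `x_mitre_deprecated`, while most other relationships touched in this patch (for example relationship--f28a2873) carry both as an explicit `false`. relationship--f4cc3b3a (Red Alert 2.0) has the same gap. A consumer that filters revoked or deprecated objects by reading the key directly, rather than defaulting a missing key to false, may handle these two records differently from their siblings. Adding `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version` would make the shape uniform.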
+++ b/mobile-attack/relationship/relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--e006990d-6e8f-4488-85bd-b836dbb0ef18", + "id": "bundle--549b5c69-b214-422f-9e1e-cf9b8c47fd53", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--f259b5a8-bf2f-48c9-ae1b-b20d53daf665", "created": "2023-07-21T19:39:51.044Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:39:51.044Z", + "modified": "2025-04-16T21:52:28.237Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can exfiltrate data when the user boots the app, or on device boot.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee.json b/mobile-attack/relationship/relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee.json index 68881fe47c..6279cd0abf 100644 --- a/mobile-attack/relationship/relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee.json +++ b/mobile-attack/relationship/relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--34c20b64-0ae5-440d-841f-448ce724b488", + "id": "bundle--961c6676-4ae4-4657-8182-97006a59f2f5", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f28a2873-281f-405b-bad0-4a93dac8a5ee", "created": "2020-11-24T17:55:12.895Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Talos GPlayed", - "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html", - "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020." + "description": "V. Ventura. (2018, October 11). GPlayed Trojan - .Net playing with Google Market . Retrieved November 24, 2020.", + "url": "https://blog.talosintelligence.com/2018/10/gplayedtrojan.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:28.453Z", "description": "[GPlayed](https://attack.mitre.org/software/S0536) can show a phishing WebView pretending to be a Google service that collects credit card information.(Citation: Talos GPlayed)", - "modified": "2022-04-12T10:01:44.682Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a993495c-9813-4372-b9ec-d168c7f7ec0a", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1.json b/mobile-attack/relationship/relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1.json index 2a2ac58e38..fa71a84308 100644 --- a/mobile-attack/relationship/relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1.json +++ b/mobile-attack/relationship/relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--f2fab8b4-4256-457d-89f5-da655f1661ab", + "id": "bundle--d74fb7e4-5585-4341-8246-b81862055256", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f2d05b16-3565-453e-9fbb-1c02146e17e1", "created": "2020-06-26T15:32:25.002Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Threat Fabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:28.639Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can record keystrokes.(Citation: Threat Fabric Cerberus)", - "modified": "2022-04-15T17:33:17.868Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--b1c95426-2550-4621-8028-ceebf28b3a47", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5.json b/mobile-attack/relationship/relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5.json new file mode 100644 index 0000000000..2c66db3bcb --- /dev/null +++ b/mobile-attack/relationship/relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a87ad791-bba4-44d1-b20a-167e443ce1fc", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f2e75022-ff16-44a8-8fcc-18c785406fb5", + "created": "2025-03-27T22:49:20.862Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 23Oct2023", + "description": "Kucherin, G., et al. (2023, October 23). The outstanding stealth of Operation Triangulation. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangulation-validators-modules/110847/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:28.828Z", + "description": "[Binary Validator](https://attack.mitre.org/software/S1215) has exfiltrated collected data to the C2 server.(Citation: SecureList OpTriangulation 23Oct2023) ", + "relationship_type": "uses", + "source_ref": "malware--b0a243dd-8075-42f9-86f6-64989600ed20", + "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json b/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json index e7df5a60e3..5676386394 100644 --- a/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json 
+++ b/mobile-attack/relationship/relationship--f31490e8-ef81-40d5-bba9-24ca580d2ee6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ce973756-a74d-460a-be1f-a315492cdc09", + "id": "bundle--82c3efb5-1369-4c29-8e03-3b06607b7a67", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:46:20.857Z", + "modified": "2025-04-16T21:52:29.038Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) includes code to hide its icon, but the function does not appear to be called in an analyzed version of the software.(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--f05fc151-aa62-47e3-ae57-2d1b23d64bf6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132.json b/mobile-attack/relationship/relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132.json index af20d1e9ad..6a01c67466 100644 --- a/mobile-attack/relationship/relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132.json +++ b/mobile-attack/relationship/relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--03bcabbe-f2a3-4293-bfee-60f0458a8355", + "id": "bundle--5ad51603-acd2-419b-a370-e5236500ead2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f3599919-c4d1-4f2e-92d4-b34a04e33132", "created": "2022-03-30T14:06:26.530Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:29.254Z", "description": "Mobile security products can typically detect jailbroken or rooted devices. ", - "modified": "2022-03-30T14:06:26.530Z", "relationship_type": "mitigates", "source_ref": "course-of-action--cf2cccb1-cab8-431a-8ecf-f7874d05f433", "target_ref": "attack-pattern--693cdbff-ea73-49c6-ac3f-91e7285c31d1", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f372697e-b661-4995-9920-4ec0a9060ebb.json b/mobile-attack/relationship/relationship--f372697e-b661-4995-9920-4ec0a9060ebb.json index 7b072fcd6e..337ac91957 100644 --- a/mobile-attack/relationship/relationship--f372697e-b661-4995-9920-4ec0a9060ebb.json +++ b/mobile-attack/relationship/relationship--f372697e-b661-4995-9920-4ec0a9060ebb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5d63ab19-86bc-4cd1-9d2e-97173ce98874", + "id": "bundle--4af27f5d-3559-4e91-bfc0-28b8aebe1513", "spec_version": "2.0", "objects": [ { 
@@ -24,15 +24,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-28T18:35:45.577Z", + "modified": "2025-04-16T21:52:29.456Z", "description": "(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)", "relationship_type": "attributed-to", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "intrusion-set--efed95ba-d7e8-47ff-8c53-99c42426ee7c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81.json b/mobile-attack/relationship/relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81.json index f65a459c46..c29003249a 100644 --- a/mobile-attack/relationship/relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81.json +++ b/mobile-attack/relationship/relationship--f390ee16-a7c8-4ef2-b6f4-28940a8f0d81.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--b5761a93-b8ca-4ef5-ba8d-c45a464fdc56", + "id": "bundle--ddcd6683-6ceb-4867-9a39-785e716dd6ae", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:40:17.754Z", + "modified": "2025-04-16T21:52:29.665Z", "description": "Mobile security products can potentially detect jailbroken devices.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--cc6e0637-76d2-4af3-a604-9d8d3ff8a6b3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a.json b/mobile-attack/relationship/relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a.json index c1a3aa45f7..3344c422fc 100644 --- a/mobile-attack/relationship/relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a.json +++ b/mobile-attack/relationship/relationship--f3ddf0be-ca7d-4984-b8e2-4e5958a2c83a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--5f16ee7c-20ff-4ff1-a990-3dffc34d59d1", + "id": "bundle--ec7fcd97-a46f-42a1-88e9-673b468ded86", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-03-19T18:32:39.116Z", + "modified": "2025-04-16T21:52:29.857Z", "description": "[FlixOnline](https://attack.mitre.org/software/S1103) requests access to the `NotificationListenerService`, which can allow it to manipulate a device's notifications.(Citation: checkpoint_flixonline_0421)", "relationship_type": "uses", "source_ref": "malware--0ec9593f-3221-49b1-b597-37f307c19f13", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5.json b/mobile-attack/relationship/relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5.json index 75d58a5216..8eb609e2ce 100644 --- a/mobile-attack/relationship/relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5.json +++ b/mobile-attack/relationship/relationship--f3e902fe-7eea-4b85-9067-25d29fd01dc5.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1977e687-4806-4786-b7af-90bef6ce1739", + "id": "bundle--c8d98ede-bf6d-4cbd-9b61-68d863de9ba3", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T17:20:13.644Z", + "modified": "2025-04-16T21:52:30.051Z", "description": "Integrity checking mechanisms can potentially detect unauthorized hardware modifications.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--c08366bb-8d11-4921-853f-f0a3b6a2a1da", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607.json b/mobile-attack/relationship/relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607.json index b66f8dc2db..e483c2279d 100644 --- a/mobile-attack/relationship/relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607.json +++ b/mobile-attack/relationship/relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--3f93215e-2159-4f8f-b6a3-130d183603d8", + "id": "bundle--91a8cc2d-3a1e-4dd0-bb2a-19bfd327731c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--f458166e-7cf8-42ed-afe3-38cbd30d5607", "created": "2024-02-21T21:05:56.876Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { "source_name": "Wandera-RedDrop", - "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.", - "url": "https://www.wandera.com/reddrop-malware/" + "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/" } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T21:05:56.876Z", + "modified": "2025-04-16T21:52:30.276Z", "description": "[RedDrop](https://attack.mitre.org/software/S0326) collects and exfiltrates information including IMEI, IMSI, MNC, MCC, nearby Wi-Fi networks, and other device and SIM-related info.(Citation: Wandera-RedDrop)", "relationship_type": "uses", "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f4aeacef-035c-4308-9e85-997703e27809.json b/mobile-attack/relationship/relationship--f4aeacef-035c-4308-9e85-997703e27809.json index 4ce67996f5..2cf401c3e3 100644 --- a/mobile-attack/relationship/relationship--f4aeacef-035c-4308-9e85-997703e27809.json +++ b/mobile-attack/relationship/relationship--f4aeacef-035c-4308-9e85-997703e27809.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4ac46fb7-ae1a-4a84-9930-2c9c9ecda9ee", + "id": "bundle--599a1090-311b-43ec-8943-655bb8a5e214", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:27:33.906Z", + "modified": "2025-04-16T21:52:30.473Z", "description": "[GolfSpy](https://attack.mitre.org/software/S0421) can delete arbitrary files on the device.(Citation: Trend Micro Bouncing Golf 2019)", "relationship_type": "uses", "source_ref": "malware--c19cfc89-5ac6-4d2d-a236-70d2b32e007c", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012.json b/mobile-attack/relationship/relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012.json index cb4ca86ea4..0bb06561c3 100644 --- a/mobile-attack/relationship/relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012.json +++ b/mobile-attack/relationship/relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--814149ea-c934-4c24-8f2f-be5232be84b5", + "id": "bundle--57ef0488-8dd1-4e76-b6e8-0d82234d3575", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012", "type": "relationship", + "id": "relationship--f4cc3b3a-284d-4a2d-9ab8-e7fa916c4012", "created": "2020-12-14T14:52:03.218Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Sophos Red Alert 2.0", - "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/", - "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020." + "description": "J. Chandraiah. (2018, July 23). Red Alert 2.0: Android Trojan targets security-seekers. Retrieved December 14, 2020.", + "url": "https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/" } ], - "modified": "2020-12-14T14:52:03.218Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:30.695Z", "description": "[Red Alert 2.0](https://attack.mitre.org/software/S0539) can obtain the running application.(Citation: Sophos Red Alert 2.0)", "relationship_type": "uses", "source_ref": "malware--6e282bbf-5f32-476a-b879-ba77eec463c8", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
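Review bot: `revoked` and `x_mitre_deprecated` are still missing from the relationship object on the new side of this hunk, although the object now declares `"x_mitre_attack_spec_version": "3.2.0"` and other relationships rewritten in this commit state both flags explicitly as `false`. For a uniform shape I would add `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` after `x_mitre_modified_by_ref`, which is where the sibling objects place them. The same gap shows in the hunks for relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d and relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794, and, as far as its two hunks show, relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3. Until the data is uniform, tooling that drops revoked or deprecated relationships before building technique coverage has to read an absent key as false rather than index it directly.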
diff --git a/mobile-attack/relationship/relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1.json b/mobile-attack/relationship/relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1.json index 5854e6a5ad..fb6fa80db7 100644 --- a/mobile-attack/relationship/relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1.json +++ b/mobile-attack/relationship/relationship--f4d5e619-7c83-4845-aecd-de62c33cc0a1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--75061e6e-06fd-44f8-83e5-41fd955c87c2", + "id": "bundle--2f39e77a-657c-4b76-820c-9508f7d836ac", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:32:57.154Z", + "modified": "2025-04-16T21:52:30.888Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) captures and exfiltrates all SMS messages, including future messages as they are received.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828.json b/mobile-attack/relationship/relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828.json index c1b89f7b54..76de5a0d15 100644 --- a/mobile-attack/relationship/relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828.json +++ b/mobile-attack/relationship/relationship--f4e4c3ae-4c4d-4eba-8330-022464cbf828.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6264a392-0aba-46bb-931d-34379a7dba50", + "id": "bundle--83d5de69-0584-40ac-8a79-af92a1fdae93", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:33:12.082Z", + "modified": "2025-04-16T21:52:31.090Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests SMS and MMS messages from victims.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45.json b/mobile-attack/relationship/relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45.json index 295f1db312..dc137f644d 100644 --- a/mobile-attack/relationship/relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45.json +++ b/mobile-attack/relationship/relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--49f55a94-2679-4d6c-979b-e4d64c192e99", + "id": "bundle--50047860-afe0-47bf-91d6-c1d38154d02d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f4f4660c-6324-4da4-be2f-ac87fda85a45", "created": "2019-09-15T15:32:17.580Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android Notification Listeners", - "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPermittedCrossProfileNotificationListeners(android.content.ComponentName,%20java.util.List%3Cjava.lang.String%3E)", - "description": "Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019." + "description": "Android. (n.d.). DevicePolicyManager. Retrieved September 15, 2019.", + "url": "https://developer.android.com/reference/android/app/admin/DevicePolicyManager#setPermittedCrossProfileNotificationListeners(android.content.ComponentName,%20java.util.List%3Cjava.lang.String%3E)" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:31.312Z", "description": "On Android devices with a work profile, the `DevicePolicyManager.setPermittedCrossProfileNotificationListeners` method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. 
The `DevicePolicyManager.setApplicationHidden` method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.(Citation: Android Notification Listeners) ", - "modified": "2022-04-01T14:50:28.686Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19.json b/mobile-attack/relationship/relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19.json index 079f051605..f78a258452 100644 --- a/mobile-attack/relationship/relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19.json +++ b/mobile-attack/relationship/relationship--f517a7ce-dfdc-4f42-84c1-fef136e2ea19.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--66cb9163-0295-416e-90b6-215989269b77", + "id": "bundle--40d77ec4-9cd0-4565-9cb5-c231657d0980", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:41:01.468Z", + "modified": "2025-04-16T21:52:31.510Z", "description": "[XLoader for iOS](https://attack.mitre.org/software/S0490) has exfiltrated data using HTTP requests.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--29944858-da52-4d3d-b428-f8a6eb8dde6f", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f5196775-2c99-4dc5-b173-6a10af503c6e.json b/mobile-attack/relationship/relationship--f5196775-2c99-4dc5-b173-6a10af503c6e.json index bf9b8e9090..af32afd242 100644 --- a/mobile-attack/relationship/relationship--f5196775-2c99-4dc5-b173-6a10af503c6e.json +++ b/mobile-attack/relationship/relationship--f5196775-2c99-4dc5-b173-6a10af503c6e.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--0b99a2c4-f763-490d-84ef-21c2fa2288ab", + "id": "bundle--c934b795-4b12-4731-8fe8-be138b43f53a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--f5196775-2c99-4dc5-b173-6a10af503c6e", "created": "2023-09-25T19:55:13.827Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-25T19:55:13.827Z", + "modified": "2025-04-16T21:52:31.725Z", "description": "Users should be encouraged to be very careful with granting dangerous permissions, such as device administrator or access to device accessibility.", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--0b761f2b-197a-40f2-b100-8152cb957c0c", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8.json b/mobile-attack/relationship/relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8.json new file mode 100644 index 0000000000..00de451230 --- /dev/null +++ b/mobile-attack/relationship/relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8.json 
@@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--21356253-4ca6-483d-a476-cb5ba9e1d14b", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f524f2d9-cdf7-403b-af0f-96c1c60b32a8", + "created": "2025-03-24T14:52:59.139Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "McAfee MoqHao 2019", + "description": "Pak, C. (2019, August 7). MoqHao Related Android Spyware Targeting Japan and Korea Found on Google Play. Retrieved November 13, 2024.", + "url": "https://www.mcafee.com/blogs/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:31.922Z", + "description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the Tencent packer to hide its malicious payload.(Citation: McAfee MoqHao 2019) ", + "relationship_type": "uses", + "source_ref": "malware--f082d7dd-20a9-4157-93c0-75e7aea09e42", + "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json b/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json index d52b272366..067c9558b1 100644 --- a/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json +++ b/mobile-attack/relationship/relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d.json 
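Review bot: The `description` string of this new relationship ends with a stray space after the closing citation marker, `…(Citation: McAfee MoqHao 2019) "`. I would trim it to `"description": "[Android/SpyAgent](https://attack.mitre.org/software/S1214) has used the Tencent packer to hide its malicious payload.(Citation: McAfee MoqHao 2019)",` so that exact-match comparison of descriptions and end-anchored citation parsing behave the same for this object as for entries without trailing whitespace.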
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--e12e32c1-200c-43ee-89f4-bc1faab0647d", + "id": "bundle--0fa8ae20-05c6-4ece-a360-e1127f7c9455", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d", "type": "relationship", + "id": "relationship--f552ee2f-5e6a-47a1-b6a5-d5e5594feb0d", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "source_name": "Lookout-StealthMango" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-08-09T17:59:49.112Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:32.113Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads information about installed packages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4.json b/mobile-attack/relationship/relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4.json index abc1e9fe5c..6539f32717 100644 --- a/mobile-attack/relationship/relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4.json 
+++ b/mobile-attack/relationship/relationship--f56b8307-80e3-4d73-869f-1e8b9538dbc4.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--76934b6b-af90-4dcd-b206-5a6d170e3a80", + "id": "bundle--65264195-cfd5-4197-9f82-e93e5d6adb57", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2022-09-30T18:45:10.156Z", + "modified": "2025-04-16T21:52:32.332Z", "description": "During [Operation Dust Storm](https://attack.mitre.org/campaigns/C0016), the threat actors used Android backdoors to continually forward all SMS messages and call information back to their C2 servers.(Citation: Cylance Dust Storm)", "relationship_type": "uses", "source_ref": "campaign--4603cf2f-06d0-4970-9c5d-5071b08c817f", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a.json b/mobile-attack/relationship/relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a.json index 6de0025400..57f953af32 100644 --- a/mobile-attack/relationship/relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a.json +++ b/mobile-attack/relationship/relationship--f58d3fc4-e0a2-4924-884d-85d7c8f00b8a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--e45601b0-1864-459c-be7e-7d17bbc3a657", + "id": "bundle--48c19add-ff3c-4df5-85f1-f3b126eb5032", "spec_version": "2.0", "objects": [ { 
@@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T17:14:24.009Z", + "modified": "2025-04-16T21:52:32.521Z", "description": "The user can view a list of device administrators in device settings and revoke permission where appropriate. Applications that request device administrator permissions should be scrutinized further for malicious behavior.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", "target_ref": "attack-pattern--acf8fd2a-dc98-43b4-8d37-64e10728e591", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4.json b/mobile-attack/relationship/relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4.json index 3713cba591..13e61c2878 100644 --- a/mobile-attack/relationship/relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4.json +++ b/mobile-attack/relationship/relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--1975e8eb-c4ca-4312-b951-cd0776c9e6bb", + "id": "bundle--a8cde89b-7b49-4298-896c-ce2d8947b208", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--f5acd046-2943-48bf-836a-2109c4f1a5c4", "created": "2023-09-28T17:20:50.748Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:20:50.748Z", + "modified": "2025-04-16T21:52:32.721Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can record audio from the device\u2019s microphone.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f5d24a31-53d2-4e84-9110-2da0582132cb.json b/mobile-attack/relationship/relationship--f5d24a31-53d2-4e84-9110-2da0582132cb.json index 79e71858cf..73b5e7495a 100644 --- a/mobile-attack/relationship/relationship--f5d24a31-53d2-4e84-9110-2da0582132cb.json +++ b/mobile-attack/relationship/relationship--f5d24a31-53d2-4e84-9110-2da0582132cb.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--4d2c3b2f-975b-4925-8fa2-a436d5b42eeb", + "id": "bundle--dfd84474-47de-4761-a5e0-2207c7b210fa", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f5d24a31-53d2-4e84-9110-2da0582132cb", "created": "2020-05-07T15:33:32.936Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "CheckPoint Agent Smith", - "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/", - "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020." + "description": "A. Hazum, F. He, I. Marom, B. Melnykov, A. Polkovnichenko. (2019, July 10). Agent Smith: A New Species of Mobile Malware. Retrieved May 7, 2020.", + "url": "https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:32.925Z", "description": "[Agent Smith](https://attack.mitre.org/software/S0440)\u2019s core malware is disguised as a JPG file, and encrypted with an XOR cipher.(Citation: CheckPoint Agent Smith)", - "modified": "2022-04-15T16:44:17.145Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--a6228601-03f6-4949-ae22-c1087627a637", "target_ref": "attack-pattern--fa801609-ca8e-415e-815e-65f3826ff4df", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + 
"x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78.json b/mobile-attack/relationship/relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78.json index 6c1a4d8b1c..2408917545 100644 --- a/mobile-attack/relationship/relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78.json +++ b/mobile-attack/relationship/relationship--f5e9afdc-1aeb-472f-b267-46e7978f9d78.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--4d592339-0534-4556-8bc0-fe1723027d11", + "id": "bundle--03a4b4fe-e415-49b1-9eae-bcd5f7697e40", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:58:57.985Z", + "modified": "2025-04-16T21:52:33.150Z", "description": "On Android, users may be presented with a popup to select the appropriate application to open a URI in. If the user sees an application they do not recognize, they can remove it.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", "target_ref": "attack-pattern--233fe2c0-cb41-4765-b454-e0087597fbce", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3.json b/mobile-attack/relationship/relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3.json index b1c622561b..7d30cbcc77 100644 --- a/mobile-attack/relationship/relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3.json +++ b/mobile-attack/relationship/relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3.json 
@@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--27ad254d-3451-4996-a66f-2a115e8b3e4e", + "id": "bundle--42dbc8cd-e389-447b-b27d-7ffb77b6cc2c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", "type": "relationship", + "id": "relationship--f5fab17b-43e7-46ff-bdea-eb8c52a0c6c3", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ @@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], - "modified": "2019-08-09T17:52:31.854Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:33.369Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) accesses the list of installed applications.(Citation: Lookout-PegasusAndroid)", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f6098dca-3a9e-4991-8d51-1310b12161b6.json b/mobile-attack/relationship/relationship--f6098dca-3a9e-4991-8d51-1310b12161b6.json index 1ed4c3d001..300e9412ff 100644 --- a/mobile-attack/relationship/relationship--f6098dca-3a9e-4991-8d51-1310b12161b6.json +++ b/mobile-attack/relationship/relationship--f6098dca-3a9e-4991-8d51-1310b12161b6.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--cb6cb42e-26e5-41c6-a980-a4f712c2dd56", + "id": "bundle--a9c86a6d-98aa-4e48-8da0-7954ca157487", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f6098dca-3a9e-4991-8d51-1310b12161b6", "created": "2017-12-14T16:46:06.044Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Lookout-PegasusAndroid", - "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/", - "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017." + "description": "Mike Murray. (2017, April 3). Pegasus for Android: the other side of the story emerges. Retrieved April 16, 2017.", + "url": "https://blog.lookout.com/blog/2017/04/03/pegasus-android/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:33.564Z", "description": "[Pegasus for Android](https://attack.mitre.org/software/S0316) uses SMS for command and control.(Citation: Lookout-PegasusAndroid)", - "modified": "2022-04-19T14:25:41.669Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "uses", "source_ref": "malware--93799a9d-3537-43d8-b6f4-17215de1657c", "target_ref": "attack-pattern--ec4c4baa-026f-43e8-8f56-58c36f3162dd", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e.json b/mobile-attack/relationship/relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e.json index 3c2c7646fc..b9ff66cc5c 100644 --- a/mobile-attack/relationship/relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e.json +++ b/mobile-attack/relationship/relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--d0da475e-c192-4b5e-b0a6-f7edf3b2614a", + "id": "bundle--17695f44-13e9-41b8-a20f-a1cc3a7069ca", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f622a267-7a58-4082-a3f5-10e9bb549a5e", "created": "2022-03-30T20:43:31.249Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:33.782Z", "description": "", - "modified": "2022-03-30T20:43:31.249Z", "relationship_type": "revoked-by", "source_ref": "attack-pattern--8197f026-64da-4700-93b9-b55ba55f3b31", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f62e0aaf-e52f-40b9-a059-001f298a0660.json b/mobile-attack/relationship/relationship--f62e0aaf-e52f-40b9-a059-001f298a0660.json index 3e201125c6..5cc97659a4 100644 --- a/mobile-attack/relationship/relationship--f62e0aaf-e52f-40b9-a059-001f298a0660.json 
+++ b/mobile-attack/relationship/relationship--f62e0aaf-e52f-40b9-a059-001f298a0660.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--2c56a557-22a2-4299-8f96-afc16e86c9c4", + "id": "bundle--195a1a79-5513-431c-a4f8-edce50905749", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:19:00.168Z", + "modified": "2025-04-16T21:52:33.975Z", "description": "[Skygofree](https://attack.mitre.org/software/S0327) can be controlled via HTTP, XMPP, FirebaseCloudMessaging, or GoogleCloudMessaging in older versions.(Citation: Kaspersky-Skygofree)", "relationship_type": "uses", "source_ref": "malware--3a913bac-4fae-4d0e-bca8-cae452f1599b", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794.json b/mobile-attack/relationship/relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794.json index 379929af63..e2a46dca63 100644 --- a/mobile-attack/relationship/relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794.json +++ b/mobile-attack/relationship/relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794.json 
@@ -1,35 +1,35 @@ { "type": "bundle", - "id": "bundle--0b11425f-7c89-486d-9c5c-9abaaa5031e9", + "id": "bundle--eeb96a4a-0437-44cb-a41a-d02705436301", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794", "type": "relationship", + "id": "relationship--f632b0bb-69ce-4678-bc3c-9ddff5a38794", "created": "2019-11-21T16:42:48.488Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "SecureList - ViceLeaker 2019", "description": "GReAT. (2019, June 26). ViceLeaker Operation: mobile espionage targeting Middle East. Retrieved November 21, 2019.", - "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/", - "source_name": "SecureList - ViceLeaker 2019" + "url": "https://securelist.com/fanning-the-flames-viceleaker-operation/90877/" }, { "source_name": "Bitdefender - Triout 2018", - "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/", - "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. Retrieved January 21, 2020." + "description": "L. Arsene, C. Ochinca. (2018, August 20). Triout \u2013 Spyware Framework for Android with Extensive Surveillance Capabilities. 
Retrieved January 21, 2020.", + "url": "https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/" } ], - "modified": "2020-01-21T14:20:50.474Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:34.180Z", "description": "[ViceLeaker](https://attack.mitre.org/software/S0418) can record audio from the device\u2019s microphone and can record phone calls together with the caller ID.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)", "relationship_type": "uses", "source_ref": "malware--6fcaf9b0-b509-4644-9f93-556222c81ed2", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f6417788-0c6e-4172-9010-f20870ec2278.json b/mobile-attack/relationship/relationship--f6417788-0c6e-4172-9010-f20870ec2278.json index 0207dfcbf0..14b15ed552 100644 --- a/mobile-attack/relationship/relationship--f6417788-0c6e-4172-9010-f20870ec2278.json +++ b/mobile-attack/relationship/relationship--f6417788-0c6e-4172-9010-f20870ec2278.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--44ef0b32-2355-44c2-b78d-33c288d1d3d9", + "id": "bundle--d4b8dd22-735a-4416-addd-6523bf66dc5c", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--f6417788-0c6e-4172-9010-f20870ec2278", "created": "2023-06-09T19:16:07.193Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-06-09T19:16:07.193Z", + "modified": "2025-04-16T21:52:34.383Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can request device administrator privileges.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json b/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json index fd4cbf39ca..1be403ce30 100644 --- a/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json +++ b/mobile-attack/relationship/relationship--f65087b4-adf2-4292-a711-7ae829e91397.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--2de9c500-51d0-4428-b967-25a9a3620364", + "id": "bundle--a7fcd2ba-b6ec-49ea-bc0f-75f4d792aea3", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f65087b4-adf2-4292-a711-7ae829e91397", "type": "relationship", + "id": "relationship--f65087b4-adf2-4292-a711-7ae829e91397", "created": "2019-09-04T14:28:16.385Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { + "source_name": "Lookout-Monokle", "description": "Bauer A., Kumar A., Hebeisen C., et al. (2019, July). Monokle: The Mobile Surveillance Tooling of the Special Technology Center. Retrieved September 4, 2019.", - "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf", - "source_name": "Lookout-Monokle" + "url": "https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf" } ], - "modified": "2019-09-04T14:32:12.877Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:34.570Z", "description": "[Monokle](https://attack.mitre.org/software/S0407) can list applications installed on the device.(Citation: Lookout-Monokle)", "relationship_type": "uses", "source_ref": "malware--6a7aaab1-3e0a-48bb-ba66-bbf7665c0a65", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047.json b/mobile-attack/relationship/relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047.json index 597f45b041..cfabd98cc0 100644 
--- a/mobile-attack/relationship/relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047.json +++ b/mobile-attack/relationship/relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--740310f9-73d8-4cb2-aff4-5d4ffd201f89", + "id": "bundle--2886cfe3-dce3-4ce2-99d4-da7de50a41aa", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047", "type": "relationship", + "id": "relationship--f6770c26-ae93-468d-acaa-ab4ffea0e047", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", - "source_name": "PaloAlto-SpyDealer" + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], - "modified": "2019-08-09T17:56:05.682Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:34.782Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record phone calls and surrounding audio.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663.json b/mobile-attack/relationship/relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663.json index 0efc74c4a5..3691973d42 100644 --- a/mobile-attack/relationship/relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663.json +++ b/mobile-attack/relationship/relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--b4f2602c-94d7-499d-8040-4c80f302528f", + "id": "bundle--a12465c8-c37e-4b0b-925b-6709bc04de2d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--f69ff81e-22e4-450c-b3dd-7f3f66610663", "created": "2023-08-16T16:39:10.564Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-16T16:39:10.564Z", + "modified": "2025-04-16T21:52:34.977Z", "description": "[Chameleon](https://attack.mitre.org/software/S1083) can disable Google Play Protect.(Citation: cyble_chameleon_0423)", "relationship_type": "uses", "source_ref": "malware--2cf00c5a-857d-4cb6-8f03-82f15bee0f6f", "target_ref": "attack-pattern--2aa78dfd-cb6f-4c70-9408-137cfd96be49", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f6a451e8-2125-4bbe-be52-e682523cd169.json b/mobile-attack/relationship/relationship--f6a451e8-2125-4bbe-be52-e682523cd169.json index f661f3d98c..eb080c9ef5 100644 
--- a/mobile-attack/relationship/relationship--f6a451e8-2125-4bbe-be52-e682523cd169.json +++ b/mobile-attack/relationship/relationship--f6a451e8-2125-4bbe-be52-e682523cd169.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--335ed8e8-af57-41c8-a6f4-0e216480162b", + "id": "bundle--c2a361e7-0bc5-494b-9791-f7d87ef17265", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f6a451e8-2125-4bbe-be52-e682523cd169", "type": "relationship", + "id": "relationship--f6a451e8-2125-4bbe-be52-e682523cd169", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", - "source_name": "PaloAlto-SpyDealer" + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], - "modified": "2019-10-15T19:37:21.273Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:35.165Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) harvests the device phone number, IMEI, and IMSI.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa.json b/mobile-attack/relationship/relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa.json index 3f6023eedd..313208e220 100644 --- a/mobile-attack/relationship/relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa.json +++ b/mobile-attack/relationship/relationship--f6f21954-c592-40d8-b7a0-75f332c42eaa.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--40293b4e-ec39-4615-8224-cbe0f360a642", + "id": "bundle--54a331ac-3d77-44a6-91c0-071f4c5a74c6", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:00:38.611Z", + "modified": "2025-04-16T21:52:35.366Z", "description": "[CarbonSteal](https://attack.mitre.org/software/S0529) has deleted call log entries coming from known C2 sources.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--007ebf84-4e14-44c7-a5aa-151d5de85320", "target_ref": "attack-pattern--ab7400b7-3476-4776-9545-ef3fa373de63", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1.json b/mobile-attack/relationship/relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1.json index 609b187b20..14b9d7b755 100644 --- a/mobile-attack/relationship/relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1.json +++ b/mobile-attack/relationship/relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--5bc8bc09-5fe5-43f4-981c-725b9c2bce97", + "id": "bundle--7e5d5c4c-dcec-4619-9b6c-0b992674cecc", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1", "type": "relationship", + "id": "relationship--f7039142-dbdc-4ffc-a54f-136ad57a6ac1", "created": "2020-07-20T13:49:03.693Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "TrendMicro-XLoader-FakeSpy", - "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/", - "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. Retrieved July 20, 2020." + "description": "Hiroaki, H., Wu, L., Wu, L.. (2019, April 2). XLoader Disguises as Android Apps, Has FakeSpy Links. 
Retrieved July 20, 2020.", + "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/" } ], - "modified": "2020-09-24T15:12:24.242Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:35.569Z", "description": "[XLoader for Android](https://attack.mitre.org/software/S0318) collects the device\u2019s IMSI and ICCID.(Citation: TrendMicro-XLoader-FakeSpy)", "relationship_type": "uses", "source_ref": "malware--2740eaf6-2db2-4a40-a63f-f5b166c7059c", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc.json b/mobile-attack/relationship/relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc.json index 3773423d43..6c7508797e 100644 --- a/mobile-attack/relationship/relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc.json +++ b/mobile-attack/relationship/relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--b1ea2306-52c8-4e39-afff-718bf091cbba", + "id": "bundle--ac109ca0-c991-4641-a1ac-9609167bede2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f709a4a5-2d7f-4fa8-bad8-a536fd3cc7fc", "created": "2022-04-01T13:18:40.460Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:35.778Z", "description": "Contact list access is an uncommonly needed permission, so users should be instructed to use extra scrutiny when granting access to their contact list. ", - "modified": "2022-04-01T13:18:40.460Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22.json b/mobile-attack/relationship/relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22.json index 018cdc50d1..cd4334bbbc 100644 --- a/mobile-attack/relationship/relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22.json +++ b/mobile-attack/relationship/relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--2ec1b8de-69b6-4c17-ad2f-25cd46e45af6", + "id": "bundle--16f163f9-0c7d-4321-8ad2-09b1f4d36012", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--f747ccb7-32c0-45fc-9842-bfb160a9db22", "created": "2023-07-21T19:39:20.054Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:39:20.054Z", + "modified": "2025-04-16T21:52:35.978Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) uses a background service that can restart itself when the parent activity is stopped.(Citation: lookout_bouldspy_0423) ", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--d446b9f0-06a9-4a8d-97ee-298cfee84f14", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f776a4da-0fa6-414c-a705-e9e8b419e056.json b/mobile-attack/relationship/relationship--f776a4da-0fa6-414c-a705-e9e8b419e056.json index e21e3d91fd..d76941fcaf 100644 --- a/mobile-attack/relationship/relationship--f776a4da-0fa6-414c-a705-e9e8b419e056.json +++ b/mobile-attack/relationship/relationship--f776a4da-0fa6-414c-a705-e9e8b419e056.json 
@@ -1,35 +1,35 @@ { "type": "bundle", - "id": "bundle--e46c543a-a1fa-45eb-ac24-aec5b27baa86", + "id": "bundle--d3d6243e-ae0b-4263-a44c-1e3225b76c16", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f776a4da-0fa6-414c-a705-e9e8b419e056", "type": "relationship", + "id": "relationship--f776a4da-0fa6-414c-a705-e9e8b419e056", "created": "2020-06-26T15:32:25.058Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Cerberus", - "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html", - "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020." + "description": "Threat Fabric. (2019, August). Cerberus - A new banking Trojan from the underworld. Retrieved June 26, 2020.", + "url": "https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html" }, { "source_name": "CheckPoint Cerberus", - "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/", - "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. Retrieved June 26, 2020." + "description": "A. Hazum, B. Melnykov, C. Efrati, D. Golubenko, I. Wernik, L. Kuperman, O. Mana. (2020, April 29). First seen in the wild \u2013 Malware uses Corporate MDM as attack vector. 
Retrieved June 26, 2020.", + "url": "https://research.checkpoint.com/2020/mobile-as-attack-vector-using-mdm/" } ], - "modified": "2020-06-26T15:32:25.058Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:36.171Z", "description": "[Cerberus](https://attack.mitre.org/software/S0480) can inject input to grant itself additional permissions without user interaction and to prevent application removal.(Citation: Threat Fabric Cerberus)(Citation: CheckPoint Cerberus)", "relationship_type": "uses", "source_ref": "malware--037f44f0-0c07-4c7f-b40e-0325b5b228a9", "target_ref": "attack-pattern--d1f1337e-aea7-454c-86bd-482a98ffaf62", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f781fd2c-209f-43f1-b55a-fb175187415f.json b/mobile-attack/relationship/relationship--f781fd2c-209f-43f1-b55a-fb175187415f.json index 4ff4413607..243e0385d0 100644 --- a/mobile-attack/relationship/relationship--f781fd2c-209f-43f1-b55a-fb175187415f.json +++ b/mobile-attack/relationship/relationship--f781fd2c-209f-43f1-b55a-fb175187415f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--3fbffe48-cd57-48bb-90ef-aed5112dbe6d", + "id": "bundle--72c55bb6-5676-43bd-a718-4772cebda40a", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-04-15T21:40:34.141Z", + "modified": "2025-04-16T21:52:36.378Z", "description": "During [C0033](https://attack.mitre.org/campaigns/C0033), [PROMETHIUM](https://attack.mitre.org/groups/G0056) used [StrongPity](https://attack.mitre.org/software/S0491) to collect the device\u2019s contact list.(Citation: welivesec_strongpity) ", "relationship_type": "uses", "source_ref": "campaign--a82bc5ad-5f95-4c6a-9f25-aaf6f476a3c4", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a.json b/mobile-attack/relationship/relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a.json new file mode 100644 index 0000000000..830fd28b93 --- /dev/null +++ b/mobile-attack/relationship/relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a.json 
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--35db3a34-a865-417e-81cc-7b8122d321f3", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f78e0c04-1946-4a0f-9ecb-324373f97e8a", + "created": "2025-03-24T20:14:35.755Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:36.575Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has masqueraded a Mach-O executable as a png file.(Citation: Threatfabric LightSpy 2024)(Citation: LinkedIn Dmitry LightSpy 2025)", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--f856eaab-e84a-4265-a8a2-7bf37e5dc2fc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a.json b/mobile-attack/relationship/relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a.json index eb538097d9..30b6b9142d 100644 --- a/mobile-attack/relationship/relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a.json 
+++ b/mobile-attack/relationship/relationship--f7bebe78-2e21-466d-878b-f70be6c0e94a.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--6125b03f-fe98-4b5b-a375-e6b270437674", + "id": "bundle--c0ab25c6-f112-4824-88cd-2a61c8c401e3", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T19:56:32.861Z", + "modified": "2025-04-16T21:52:36.778Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can access the device's contact list.(Citation: Zscaler TikTok Spyware) ", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff.json b/mobile-attack/relationship/relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff.json index afbd2322f2..9fda5875d6 100644 --- a/mobile-attack/relationship/relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff.json +++ b/mobile-attack/relationship/relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--742c9a59-558f-462f-bb20-0df5e0233a5d", + "id": "bundle--7053dd5a-ec54-42e4-968a-487804fe9c7b", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff", "type": "relationship", + "id": "relationship--f7c5c344-4310-4e2a-a5aa-133f3d132fff", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "source_name": "Lookout-StealthMango" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-08-09T17:59:49.021Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:36.978Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) can perform GPS location tracking as well as capturing coordinates as when an SMS message or call is received.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9.json b/mobile-attack/relationship/relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9.json new file mode 100644 index 0000000000..9de55e85dd --- /dev/null 
+++ b/mobile-attack/relationship/relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9.json @@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--551bd2b0-584b-46d8-bd3c-138d285ab064", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--f7c95641-a685-4d0b-8516-9f0c7498efc9", + "created": "2025-02-12T15:21:45.954Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Krebs LAPUSS Mar2022", + "description": "Krebs, B. (2022, March 23). A Closer Look at the LAPSUS$ Data Extortion Group. Retrieved January 27, 2025.", + "url": "https://krebsonsecurity.com/2022/03/a-closer-look-at-the-lapsus-data-extortion-group/" + }, + { + "source_name": "Microsoft DEV-0537 Mar2022", + "description": "Microsoft Incident Response, Microsoft Threat Intelligence . (2022, March 22). DEV-0537 criminal actor targeting organizations for data exfiltration and destruction. Retrieved January 27, 2025.", + "url": "https://www.microsoft.com/en-us/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:37.182Z", + "description": "[LAPSUS$](https://attack.mitre.org/groups/G1004) has used SIM swapping to gain access to victims\u2019 mobile devices.(Citation: Krebs LAPUSS Mar2022)(Citation: Microsoft DEV-0537 Mar2022) ", + "relationship_type": "uses", + "source_ref": "intrusion-set--d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7", + "target_ref": "attack-pattern--a64a820a-cb21-471f-920c-506a2ff04fa5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f8151852-5a56-4c91-a691-1e50387a291d.json b/mobile-attack/relationship/relationship--f8151852-5a56-4c91-a691-1e50387a291d.json index b180ef9752..8db0c6eef8 100644 --- a/mobile-attack/relationship/relationship--f8151852-5a56-4c91-a691-1e50387a291d.json +++ b/mobile-attack/relationship/relationship--f8151852-5a56-4c91-a691-1e50387a291d.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--4b6e20b1-3c2e-4aac-aa43-a600225cb344", + "id": "bundle--63254746-cc19-4006-8ede-9906dba3ecd8", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--f8151852-5a56-4c91-a691-1e50387a291d", "created": "2023-09-28T17:39:14.900Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:39:14.900Z", + "modified": "2025-04-16T21:52:37.376Z", "description": "[FlyTrap](https://attack.mitre.org/software/S1093) can collect IP address and network configuration information.(Citation: Trend Micro FlyTrap)", "relationship_type": "uses", "source_ref": "malware--8338393c-cb2e-4ee6-b944-34672499c785", "target_ref": "attack-pattern--d4536441-1bcc-49fa-80ae-a596ed3f7ffd", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f84355c2-b829-4324-821a-b5148734bb6b.json b/mobile-attack/relationship/relationship--f84355c2-b829-4324-821a-b5148734bb6b.json index 082b84aac6..3c70894edd 100644 
--- a/mobile-attack/relationship/relationship--f84355c2-b829-4324-821a-b5148734bb6b.json +++ b/mobile-attack/relationship/relationship--f84355c2-b829-4324-821a-b5148734bb6b.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--087d6e50-7a9e-4ccb-a9b7-1ac80dd0f899", + "id": "bundle--662b7067-9e52-4f48-a3ed-589235405f69", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f84355c2-b829-4324-821a-b5148734bb6b", "created": "2022-04-01T15:21:35.655Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:37.592Z", "description": "Users should be wary of granting applications dangerous or privacy-intrusive permissions, such as access to microphone or audio output. ", - "modified": "2022-04-01T15:21:35.655Z", "relationship_type": "mitigates", "source_ref": "course-of-action--653492e3-27be-4a0e-b08c-938dd2b7e0e1", "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json b/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json index 4f101cd902..2cd9757582 100644 --- a/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json 
+++ b/mobile-attack/relationship/relationship--f857935b-653a-4b9a-a2dc-59c042059a39.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ea664155-7ff6-43b2-8b3c-2574224336ac", + "id": "bundle--054bf852-1152-4343-9bbb-1280e34d0ee3", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-14T16:28:45.049Z", + "modified": "2025-04-16T21:52:37.798Z", "description": "Application vetting services may provide a list of connections made or received by an application, or a list of domains contacted by the application. ", "relationship_type": "detects", "source_ref": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", "target_ref": "attack-pattern--986f80f7-ff0e-4f48-87bd-0394814bbce5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c.json b/mobile-attack/relationship/relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c.json index c2bb1b634c..214a48f335 100644 --- a/mobile-attack/relationship/relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c.json +++ b/mobile-attack/relationship/relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--cf100a9b-c1b9-4123-b2af-f3ca31194ae9", + "id": "bundle--3b434eaa-0cb6-457c-87e0-e681fc0a073d", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c", "type": "relationship", + "id": "relationship--f87bb2d2-e7fd-44ce-b537-e7e01086731c", "created": "2020-12-18T20:14:47.371Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "WhiteOps TERRACOTTA", - "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study", - "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020." + "description": "Satori Threat Intelligence and Research Team. (2020, August). TERRACOTTA Android Malware: A Technical Study. Retrieved December 18, 2020.", + "url": "https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study" } ], - "modified": "2020-12-18T21:00:05.246Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:37.991Z", "description": "[TERRACOTTA](https://attack.mitre.org/software/S0545) can send SMS messages.(Citation: WhiteOps TERRACOTTA)", "relationship_type": "uses", "source_ref": "malware--e296b110-46d3-4f7a-894c-cc71ea50168c", "target_ref": "attack-pattern--b327a9c0-e709-495c-aa6e-00b042136e2b", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57.json b/mobile-attack/relationship/relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57.json index 41f7a0fe11..dd0be4c610 100644 --- a/mobile-attack/relationship/relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57.json +++ b/mobile-attack/relationship/relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--2a8cc332-50a0-46d9-8f19-ea8dab152e8a", + "id": "bundle--95ad0811-b0b7-4a7c-ba42-556f9e6f0648", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57", "type": "relationship", + "id": "relationship--f88cbb0c-ca34-4a87-82fa-e0e567ee8d57", "created": "2020-04-08T15:51:25.120Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "ThreatFabric Ginp", - "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html", - "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020." + "description": "ThreatFabric. (2019, November). Ginp - A malware patchwork borrowing from Anubis. Retrieved April 8, 2020.", + "url": "https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html" } ], - "modified": "2020-04-08T15:51:25.120Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:38.192Z", "description": "[Ginp](https://attack.mitre.org/software/S0423) obfuscates its payload, code, and strings.(Citation: ThreatFabric Ginp)", "relationship_type": "uses", "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f92fe9dd-7296-42f6-904e-e245c438376e.json b/mobile-attack/relationship/relationship--f92fe9dd-7296-42f6-904e-e245c438376e.json index 343c9472c2..2ec771308c 100644 --- a/mobile-attack/relationship/relationship--f92fe9dd-7296-42f6-904e-e245c438376e.json +++ b/mobile-attack/relationship/relationship--f92fe9dd-7296-42f6-904e-e245c438376e.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--fde6de91-bfe3-4518-8293-491cb6364bd8", + "id": "bundle--7fee0c84-0a90-4abd-b7f7-79126c9d4f5b", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T21:25:06.012Z", + "modified": "2025-04-16T21:52:38.397Z", "description": "[Asacub](https://attack.mitre.org/software/S0540) can request device administrator permissions.(Citation: Securelist Asacub)", "relationship_type": "uses", "source_ref": "malware--a76b837b-93cc-417d-bf28-c47a6a284fa4", "target_ref": "attack-pattern--9c049d7b-c92a-4733-9381-27e2bd2ccadc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23.json b/mobile-attack/relationship/relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23.json index 7c49fcbdb0..d042185967 100644 --- a/mobile-attack/relationship/relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23.json +++ b/mobile-attack/relationship/relationship--f9456868-aa4c-4aa3-9465-c5a18cbcfd23.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--8587391e-4b5a-4acc-8fcd-d01d897701ba", + "id": "bundle--bbd1039d-dc0e-4f12-800e-ebe83e716c72", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T20:52:10.329Z", + "modified": "2025-04-16T21:52:38.590Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667.json b/mobile-attack/relationship/relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667.json index 2fcd790e7e..00996b60f1 100644 --- a/mobile-attack/relationship/relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667.json +++ b/mobile-attack/relationship/relationship--f947d845-4d70-41f3-ae3c-18ea8b44e667.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--eb7aea9a-6fdb-4269-a2cc-91ed66ed6094", + "id": "bundle--a8855539-b571-4895-a382-78095d164cd5", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-21T18:51:23.251Z", + "modified": "2025-04-16T21:52:38.824Z", "description": "[HummingBad](https://attack.mitre.org/software/S0322) can create fraudulent statistics inside the official Google Play Store, and has generated revenue from installing fraudulent apps and displaying malicious advertisements.(Citation: ArsTechnica-HummingBad)", "relationship_type": "uses", "source_ref": "malware--c8770c81-c29f-40d2-a140-38544206b2b4", "target_ref": "attack-pattern--a8e971b8-8dc7-4514-8249-ae95427ec467", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f.json b/mobile-attack/relationship/relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f.json index 7296ef03e0..abdf24da4f 100644 --- a/mobile-attack/relationship/relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f.json +++ b/mobile-attack/relationship/relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--ef7c366a-a8a9-476c-9c5e-447bb71e4024", + "id": "bundle--6508da02-15ee-46c0-a553-6fbc08aba606", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f95fec2e-f5cf-49c9-8e0b-1c6c5fd15d8f", "created": "2019-10-18T14:50:57.494Z", - "x_mitre_version": "1.0", - "x_mitre_deprecated": false, - "revoked": false, - "description": "Security updates often contain patches for vulnerabilities.", - "modified": "2022-04-11T14:26:44.192Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:39.023Z", + "description": "Security updates often contain patches for vulnerabilities.", "relationship_type": "mitigates", "source_ref": "course-of-action--bcecd036-f40e-4916-9f8e-fd0ccf0ece8d", "target_ref": "attack-pattern--667e5707-3843-4da8-bd34-88b922526f0d", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f989562f-41a8-46d3-94ba-fca7269ae592.json b/mobile-attack/relationship/relationship--f989562f-41a8-46d3-94ba-fca7269ae592.json index 4cdc9cc5c0..0b40600051 100644 --- a/mobile-attack/relationship/relationship--f989562f-41a8-46d3-94ba-fca7269ae592.json +++ b/mobile-attack/relationship/relationship--f989562f-41a8-46d3-94ba-fca7269ae592.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--045b0afc-a2ed-4117-bbb0-972b5f83996b", + "id": "bundle--f47dce62-ee6b-4e1d-8671-c9a469bcad4c", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f989562f-41a8-46d3-94ba-fca7269ae592", "type": "relationship", + "id": "relationship--f989562f-41a8-46d3-94ba-fca7269ae592", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "source_name": "Lookout-StealthMango" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-08-09T17:59:49.072Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:39.239Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) is delivered via a a watering hole website that mimics the third-party Android app store APKMonk. In at least one case, the watering hole URL was distributed through Facebook Messenger.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b.json b/mobile-attack/relationship/relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b.json index 0ec85160d4..a0bcef037d 100644 --- a/mobile-attack/relationship/relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b.json +++ b/mobile-attack/relationship/relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--d143dafc-865c-432b-8632-67a5552090d1", + "id": "bundle--7ba90e5b-584a-45b7-8422-2c6fe73e69fb", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--f9b3a640-fd24-45f0-845b-22a7bf3e0d2b", "created": "2024-02-21T21:09:05.676Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2024-02-21T21:09:05.676Z", + "modified": "2025-04-16T21:52:39.433Z", "description": "[TianySpy](https://attack.mitre.org/software/S1056) can check to see if Wi-Fi is enabled.(Citation: trendmicro_tianyspy_0122) ", "relationship_type": "uses", "source_ref": "malware--fd6d56b2-d84e-4d2a-b37d-d4678d3e08a6", "target_ref": "attack-pattern--be63612f-a48f-44f2-a7a6-1763509fcf80", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae.json b/mobile-attack/relationship/relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae.json index ca57c930f1..492a62ed40 100644 
--- a/mobile-attack/relationship/relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae.json +++ b/mobile-attack/relationship/relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--25c4f0f9-d7d2-4aef-b31e-5ffa504d8562", + "id": "bundle--a655d045-06df-4c5e-9e90-8ac3ff3adca8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--f9d0cfb5-aeda-4de4-9c72-7098297555ae", "created": "2019-09-04T20:01:42.753Z", - "x_mitre_version": "1.0", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Nightwatch screencap April 2016", - "url": "https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/", - "description": "Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). Retrieved November 5, 2019." + "description": "Nightwatch Cybersecurity. (2016, April 13). Research: Securing Android Applications from Screen Capture (FLAG_SECURE). 
Retrieved November 5, 2019.", + "url": "https://wwws.nightwatchcybersecurity.com/2016/04/13/research-securing-android-applications-from-screen-capture/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:39.628Z", "description": "Application developers can apply the `FLAG_SECURE` property to sensitive screens within their apps to make it more difficult for the screen contents to be captured.(Citation: Nightwatch screencap April 2016) ", - "modified": "2022-04-01T13:31:59.712Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "relationship_type": "mitigates", "source_ref": "course-of-action--25dc1ce8-eb55-4333-ae30-a7cb4f5894a1", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0.json b/mobile-attack/relationship/relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0.json index e7852a9c7f..4da983be94 100644 --- a/mobile-attack/relationship/relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0.json +++ b/mobile-attack/relationship/relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--8600377b-0a61-4598-adb9-251ebe000f29", + "id": "bundle--02b47ed2-5c66-4d9b-98ce-f035296827fb", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0", "type": "relationship", + "id": "relationship--f9de9819-b131-459e-948b-bdf3fe6f1ef0", "created": "2020-12-24T21:55:56.686Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T21:55:56.686Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:39.842Z", "description": "[DoubleAgent](https://attack.mitre.org/software/S0550) has accessed common system information.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--3d6c4389-3489-40a3-beda-c56e650b6f68", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb.json b/mobile-attack/relationship/relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb.json index 1db7aec2fa..ed2937b097 100644 --- a/mobile-attack/relationship/relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb.json +++ b/mobile-attack/relationship/relationship--fa13936f-9b9d-4b48-a33f-81044f6cdedb.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--7eaf138b-928a-4d50-9b79-7de243d68a37", + "id": "bundle--0eeb1c80-d185-4163-8921-52de2056fa9e", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:17:07.033Z", + "modified": "2025-04-16T21:52:40.037Z", "description": "[FakeSpy](https://attack.mitre.org/software/S0509) exfiltrates data using HTTP requests.(Citation: Cybereason FakeSpy)", "relationship_type": "uses", "source_ref": "malware--838f647e-8ff8-48bd-bbd5-613cee7736cb", "target_ref": "attack-pattern--2282a98b-5049-4f61-9381-55baca7c1add", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json b/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json index 2d1e64de46..41eb9d62fe 100644 --- a/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json +++ b/mobile-attack/relationship/relationship--fa1da6db-da32-45d2-98a8-6bbe153166da.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--af411c2c-1192-410a-b55a-0944922d3189", + "id": "bundle--c4b7c58b-1760-4c1e-b4eb-a83efc841170", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da", "type": "relationship", + "id": "relationship--fa1da6db-da32-45d2-98a8-6bbe153166da", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2016/05/25/spoofed-apps/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:40.294Z", "description": "[AndroRAT](https://attack.mitre.org/software/S0292) tracks the device location.(Citation: Lookout-EnterpriseApps)", "relationship_type": "uses", "source_ref": "malware--a3dad2be-ce62-4440-953b-00fbce7aba93", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d.json b/mobile-attack/relationship/relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d.json index b1b5b2e848..bb2c769cb7 100644 --- a/mobile-attack/relationship/relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d.json +++ b/mobile-attack/relationship/relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--d1ea7195-f8b9-42f6-9fb7-19e135390e03", + "id": "bundle--0057c1d5-ad25-4336-b574-3b28ec56af64", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d", "type": "relationship", + "id": "relationship--fa222de8-ba3a-45c1-a7eb-d7502843cc2d", "created": "2021-01-05T20:16:20.417Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Zscaler TikTok Spyware", - "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware", - "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021." + "description": "S. Desai. (2020, September 8). TikTok Spyware. Retrieved January 5, 2021.", + "url": "https://www.zscaler.com/blogs/security-research/tiktok-spyware" } ], - "modified": "2021-01-05T20:16:20.417Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:40.494Z", "description": "[Tiktok Pro](https://attack.mitre.org/software/S0558) can capture photos and videos from the device\u2019s camera.(Citation: Zscaler TikTok Spyware)", "relationship_type": "uses", "source_ref": "malware--c6abcaf8-1765-41f8-9fe5-03d42fd0f6c0", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fa5f3aea-2131-4690-8833-dc428fae2b22.json b/mobile-attack/relationship/relationship--fa5f3aea-2131-4690-8833-dc428fae2b22.json index b146a2d2f6..995ba6be86 100644 
--- a/mobile-attack/relationship/relationship--fa5f3aea-2131-4690-8833-dc428fae2b22.json +++ b/mobile-attack/relationship/relationship--fa5f3aea-2131-4690-8833-dc428fae2b22.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--131ecc81-4d3a-47f7-a528-05e52c675546", + "id": "bundle--f18bb92d-e570-43a4-b249-d1da0efecf1d", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-27T18:57:53.504Z", + "modified": "2025-04-16T21:52:40.713Z", "description": "[SharkBot](https://attack.mitre.org/software/S1055) can intercept notifications to send to the C2 server and take advantage of the Direct Reply feature.(Citation: nccgroup_sharkbot_0322)", "relationship_type": "uses", "source_ref": "malware--9cd72f5c-bec0-4f7e-bb6d-296937116291", "target_ref": "attack-pattern--39dd7871-f59b-495f-a9a5-3cb8cc50c9b2", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fada5ba5-7449-4878-b555-82f225473c8b.json b/mobile-attack/relationship/relationship--fada5ba5-7449-4878-b555-82f225473c8b.json index 5ba567e644..dd22fe2974 100644 --- a/mobile-attack/relationship/relationship--fada5ba5-7449-4878-b555-82f225473c8b.json +++ b/mobile-attack/relationship/relationship--fada5ba5-7449-4878-b555-82f225473c8b.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--d1550e56-bb38-43f6-ad4c-70ed5f9d5aa6", + "id": "bundle--85d38c7b-44a1-45e8-b277-2c89558ae0ea", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--fada5ba5-7449-4878-b555-82f225473c8b", "created": "2022-03-30T19:28:42.179Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:40.906Z", "description": "Attestation can detect unauthorized modifications to devices. Mobile security software can then use this information and take appropriate mitigation action. ", - "modified": "2022-03-30T19:28:42.179Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--0d4e3bbb-7af5-4c88-a215-0c0906bc1e8d", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9.json b/mobile-attack/relationship/relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9.json index a7f0bd97e6..de10624cf4 100644 --- a/mobile-attack/relationship/relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9.json +++ b/mobile-attack/relationship/relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--3255c701-f8fe-4c0a-9c08-f9fbcb3f7aa3", + "id": "bundle--e60e7721-1488-4a4b-8fde-2a8dcdecadbe", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--fadd27ec-56ac-4834-af40-76c9e8764eb9", "created": "2023-07-21T19:34:53.934Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-07-21T19:34:53.934Z", + "modified": "2025-04-16T21:52:41.096Z", "description": "[BOULDSPY](https://attack.mitre.org/software/S1079) can get a device\u2019s location using GPS or network.(Citation: lookout_bouldspy_0423)", "relationship_type": "uses", "source_ref": "malware--a2ee7d2d-fb45-44f3-8f67-9921c7810db1", "target_ref": "attack-pattern--99e6295e-741b-4857-b6e5-64989eb039b4", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5.json b/mobile-attack/relationship/relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5.json index 915d10bcd8..f0700d1bb0 100644 --- a/mobile-attack/relationship/relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5.json +++ b/mobile-attack/relationship/relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5.json 
@@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--aae70c1b-11ec-4b41-b0b7-ff6c88c1b85e", + "id": "bundle--9f22b2d1-698d-4e42-ac0c-384ef6dfc50d", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--faf3396c-3a53-478c-b15c-7ff44ef4a5f5", "created": "2023-06-09T19:16:53.458Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-06-09T19:16:53.458Z", + "modified": "2025-04-16T21:52:41.323Z", "description": "[Hornbill](https://attack.mitre.org/software/S1077) can access a device\u2019s camera and take photos.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--15d78a95-af6a-4b06-8dae-76bedb0ec5a1", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6.json b/mobile-attack/relationship/relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6.json index 7046d2313f..7729323d1d 100644 --- a/mobile-attack/relationship/relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6.json +++ b/mobile-attack/relationship/relationship--faff9f9c-9064-4b3a-bdf9-bbeced2447a6.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--293a81f3-7188-4952-a1cb-2258eebbf741", + "id": "bundle--da9651cd-c698-4a4b-a82f-3ec36f00abc2", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:33:34.466Z", + "modified": "2025-04-16T21:52:41.524Z", "description": "[ViperRAT](https://attack.mitre.org/software/S0506) can collect SMS messages.(Citation: Lookout ViperRAT)", "relationship_type": "uses", "source_ref": "malware--f666e17c-b290-43b3-8947-b96bd5148fbb", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68.json b/mobile-attack/relationship/relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68.json index 02f7030e32..bf607e8d35 100644 --- a/mobile-attack/relationship/relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68.json +++ b/mobile-attack/relationship/relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--affb23d2-65fc-47a4-a3c3-7ff00c21afb5", + "id": "bundle--a72e47ae-283b-4ba8-a337-f93cf7b05049", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68", "type": "relationship", + "id": "relationship--fb2a14c1-bed9-4c3f-a60b-8df384c18b68", "created": "2020-12-24T21:45:56.979Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2021-04-19T14:29:46.650Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:41.736Z", "description": "[SilkBean](https://attack.mitre.org/software/S0549) can retrieve files from external storage and can collect browser data.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--ddbe5657-e21e-4a89-8221-2f1362d397ec", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fb3b32a8-6422-4d44-91e3-27a58e569963.json b/mobile-attack/relationship/relationship--fb3b32a8-6422-4d44-91e3-27a58e569963.json index 4e5e70a389..3d3abc7819 100644 --- a/mobile-attack/relationship/relationship--fb3b32a8-6422-4d44-91e3-27a58e569963.json +++ b/mobile-attack/relationship/relationship--fb3b32a8-6422-4d44-91e3-27a58e569963.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--ae9c3935-68e5-40b7-8565-acd153fa9649", + "id": "bundle--6758fda7-36b8-432e-98a4-8eea10271fec", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fb3b32a8-6422-4d44-91e3-27a58e569963", "type": "relationship", + "id": "relationship--fb3b32a8-6422-4d44-91e3-27a58e569963", "created": "2019-09-03T19:45:48.494Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-09-11T13:25:19.179Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:41.928Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can take screenshots of any application in the foreground.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--73c26732-6422-4081-8b63-6d0ae93d449e", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674.json b/mobile-attack/relationship/relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674.json index 497f11d6f2..bf3ce298a9 100644 --- a/mobile-attack/relationship/relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674.json +++ b/mobile-attack/relationship/relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--0a8b2680-3d49-4a4a-8603-058d9887da36", + "id": "bundle--4f061043-bbe5-4c72-ae59-8131c1ecf26f", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674", "type": "relationship", + "id": "relationship--fb51161a-ef2e-41a4-b5f9-bd1f64f95674", "created": "2020-12-24T22:04:28.025Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout Uyghur Campaign", - "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf", - "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. Retrieved November 10, 2020." + "description": "A. Kumar, K. Del Rosso, J. Albrecht, C. Hebeisen. (2020, June 1). Mobile APT Surveillance Campaigns Targeting Uyghurs - A collection of long-running Android tooling connected to a Chinese mAPT actor. 
Retrieved November 10, 2020.", + "url": "https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf" } ], - "modified": "2020-12-24T22:04:28.025Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:42.131Z", "description": "[GoldenEagle](https://attack.mitre.org/software/S0551) has retrieved .doc, .txt, .gif, .apk, .jpg, .png, .mp3, and .db files from external storage.(Citation: Lookout Uyghur Campaign)", "relationship_type": "uses", "source_ref": "malware--0b9c5d11-651a-4378-b129-5c584d0242c5", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fb587f81-1300-438d-a33b-f8d08530788b.json b/mobile-attack/relationship/relationship--fb587f81-1300-438d-a33b-f8d08530788b.json index 7e30259512..d5f0cb2e48 100644 --- a/mobile-attack/relationship/relationship--fb587f81-1300-438d-a33b-f8d08530788b.json +++ b/mobile-attack/relationship/relationship--fb587f81-1300-438d-a33b-f8d08530788b.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--0e089ad7-3425-434f-b3ce-dd78632b1def", + "id": "bundle--4f16d706-1877-4c1a-8b68-85cf4913a6fe", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:41:13.182Z", + "modified": "2025-04-16T21:52:42.373Z", "description": "[Pallas](https://attack.mitre.org/software/S0399) exfiltrates data using HTTP.(Citation: Lookout Dark Caracal Jan 2018)", "relationship_type": "uses", "source_ref": "malware--c41a8b7c-3e42-4eee-b87d-ad8a100ee878", "target_ref": "attack-pattern--32063d7f-0a39-440d-a4a3-2694488f96cc", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b.json b/mobile-attack/relationship/relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b.json index c2630b9656..427b12f59a 100644 --- a/mobile-attack/relationship/relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b.json +++ b/mobile-attack/relationship/relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--ae51a11e-a94b-46aa-97f7-02260f815858", + "id": "bundle--448fb662-22ae-42af-85d4-bfb53250fafb", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b", "type": "relationship", + "id": "relationship--fb5c6c5e-53d4-4bb9-b9cf-74170058b19b", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf", + "source_name": "Lookout-StealthMango", "description": "Lookout. (n.d.). Stealth Mango & Tangelo. Retrieved September 27, 2018.", - "source_name": "Lookout-StealthMango" + "url": "https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf" } ], - "modified": "2019-10-15T19:44:36.125Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:42.590Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) collected and exfiltrated data from the device, including sensitive letters/documents, stored photos, and stored audio files.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json b/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json index 42a01ee1ad..829b473c4e 100644 
--- a/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json +++ b/mobile-attack/relationship/relationship--fb62afa9-d593-44f8-840d-bd5c595a1228.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--1d36dc9f-0d71-4d2e-b034-e7335f892d09", + "id": "bundle--b8941dd1-72c3-4eb1-ada9-df1c4954b908", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--fb62afa9-d593-44f8-840d-bd5c595a1228", "created": "2022-04-01T18:44:46.780Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:42.822Z", "description": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", - "modified": "2022-04-01T18:44:46.780Z", "relationship_type": "mitigates", "source_ref": "course-of-action--649f7268-4c12-483b-ac84-4b7bca9fe2ee", "target_ref": "attack-pattern--dc01774a-d1c1-45fb-b506-0a5d1d6593d9", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json b/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json index 15c3a7825c..4d57b750df 100644 --- a/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json 
+++ b/mobile-attack/relationship/relationship--fb6458b0-01b8-4c3f-b0f2-ef5d5bd9f6a8.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--d3f8e24c-57d5-4dc3-9291-0ab366a0de05", + "id": "bundle--4784d1f9-d4e8-4d73-b65d-d0e4a9a94de9", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T16:50:54.500Z", + "modified": "2025-04-16T21:52:43.028Z", "description": "[Stealth Mango](https://attack.mitre.org/software/S0328) uploads SMS messages.(Citation: Lookout-StealthMango)", "relationship_type": "uses", "source_ref": "malware--085eb36d-697d-4d9a-bac3-96eb879fe73c", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json b/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json index ae618492f8..34eaeb5bf9 100644 --- a/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json +++ b/mobile-attack/relationship/relationship--fbdbddd7-4980-4061-9192-24a887bc6bad.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--727c9f7f-f393-4cda-9890-8a890d5e7921", + "id": "bundle--461ac3c1-3116-4610-a45a-16dd1ad5fd63", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fbdbddd7-4980-4061-9192-24a887bc6bad", "type": "relationship", + "id": "relationship--fbdbddd7-4980-4061-9192-24a887bc6bad", "created": "2020-12-07T14:28:32.141Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Threat Fabric Exobot", - "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html", - "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020." + "description": "Threat Fabric. (2017, February). Exobot - Android banking Trojan on the rise. Retrieved October 29, 2020.", + "url": "https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html" } ], - "modified": "2020-12-07T14:28:32.141Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:43.233Z", "description": "[Exobot](https://attack.mitre.org/software/S0522) can open a SOCKS proxy connection through the compromised device.(Citation: Threat Fabric Exobot)", "relationship_type": "uses", "source_ref": "malware--c91cec55-634c-4670-ba10-2dc7ceb28e98", "target_ref": "attack-pattern--5ca3c7ec-55b2-4587-9376-cf6c96f8047a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7.json b/mobile-attack/relationship/relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7.json index 6bd91cffe4..c4cf2f78ed 100644 --- a/mobile-attack/relationship/relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7.json +++ b/mobile-attack/relationship/relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--1dec9f37-0936-4a67-8312-5e6037588b7b", + "id": "bundle--a0bfda7f-763f-48df-92f3-65effeeddaf3", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--fbeef07b-7aa1-461c-884a-d3c4f730d5f7", "created": "2023-09-28T17:22:27.968Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-09-28T17:22:27.968Z", + "modified": "2025-04-16T21:52:43.417Z", "description": "[Escobar](https://attack.mitre.org/software/S1092) can collect credentials using phishing overlays.(Citation: Bleeipng Computer Escobar)", "relationship_type": "uses", "source_ref": "malware--ec13d292-6d8d-4c7a-b07c-a2bd2402569a", "target_ref": "attack-pattern--4c58b7c6-a839-4789-bda9-9de33e4d4512", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.2.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json b/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json index bf60324f8e..b3d492fd14 100644 
--- a/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json +++ b/mobile-attack/relationship/relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4.json 
@@ -1,30 +1,32 @@ { "type": "bundle", - "id": "bundle--760cdc2c-3db1-4c70-8e56-52943ca8b9ce", + "id": "bundle--004d09e4-901c-42c3-a024-70be697217a8", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4", "type": "relationship", + "id": "relationship--fc22c1f0-6888-43c0-ac7e-ee3d21feafc4", "created": "2019-09-03T19:45:48.485Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "SWB Exodus March 2019", - "url": "https://securitywithoutborders.org/blog/2019/03/29/exodus.html", - "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved September 3, 2019." + "description": "Security Without Borders. (2019, March 29). Exodus: New Android Spyware Made in Italy. Retrieved November 17, 2024.", + "url": "https://web.archive.org/web/20200314194610/https://securitywithoutborders.org/blog/2019/03/29/exodus.html" } ], - "modified": "2019-09-11T13:25:19.117Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:43.623Z", "description": " [Exodus](https://attack.mitre.org/software/S0405) Two can obtain a list of installed applications.(Citation: SWB Exodus March 2019) ", "relationship_type": "uses", "source_ref": "malware--3049b2f2-e323-4cdb-91cb-13b37b904cbb", "target_ref": "attack-pattern--198ce408-1470-45ee-b47f-7056050d4fc2", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--fc742401-a8cd-4a97-8c50-045807c47581.json b/mobile-attack/relationship/relationship--fc742401-a8cd-4a97-8c50-045807c47581.json new file mode 100644 index 0000000000..546db34bee --- /dev/null +++ b/mobile-attack/relationship/relationship--fc742401-a8cd-4a97-8c50-045807c47581.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--a6a8cf36-78ad-4225-bd6b-8f6fcac5b59f", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fc742401-a8cd-4a97-8c50-045807c47581", + "created": "2025-03-28T14:38:55.297Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "SecureList OpTriangulation 21Jun2023", + "description": "Kucherin, G., et al. (2023, June 21). Dissecting TriangleDB, a Triangulation spyware implant. Retrieved April 18, 2024.", + "url": "https://securelist.com/triangledb-triangulation-implant/110050/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:43.812Z", + "description": "[TriangleDB](https://attack.mitre.org/software/S1216) has collected and exfiltrated files.(Citation: SecureList OpTriangulation 21Jun2023) ", + "relationship_type": "uses", + "source_ref": "malware--1393fb21-d09f-4ce8-96cf-1bcc9881765f", + "target_ref": "attack-pattern--e1c912a9-e305-434b-9172-8a6ce3ec9c4a", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json b/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json index 95856a3dfd..39330ba7e8 100644 --- a/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json 
+++ b/mobile-attack/relationship/relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--b40ebd4c-2256-41d0-b515-13e545dc05aa", + "id": "bundle--26d5398e-0f4c-424b-938e-561b522c54be", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--fc7639c8-0e52-4f6f-9cf3-7840be81ad55", "created": "2023-03-03T16:23:56.031Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-03-03T16:23:56.031Z", + "modified": "2025-04-16T21:52:44.005Z", "description": "[YiSpecter](https://attack.mitre.org/software/S0311) has collected the device UUID.(Citation: paloalto_yispecter_1015)", "relationship_type": "uses", "source_ref": "malware--a15c9357-2be0-4836-beec-594f28b9b4a9", "target_ref": "attack-pattern--e2ea7f6b-8d4f-49c3-819d-660530d12b77", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json b/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json index 2fd04a43de..c869d0387c 100644 --- a/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json +++ b/mobile-attack/relationship/relationship--fc816ddc-199d-47b0-93af-c81305d0919f.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4b617ed9-54f0-46b6-bde5-f741a32b76b2", + "id": "bundle--a861cfff-a1a2-45f7-8e61-dc464600e573", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fc816ddc-199d-47b0-93af-c81305d0919f", "type": "relationship", + "id": "relationship--fc816ddc-199d-47b0-93af-c81305d0919f", "created": "2020-06-02T14:32:31.767Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Volexity Insomnia", - "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/", - "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. Retrieved June 2, 2020." + "description": "A. Case, D. Lassalle, M. Meltzer, S. Koessel, et al.. (2020, April 21). Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant. 
Retrieved June 2, 2020.", + "url": "https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/" } ], - "modified": "2020-06-02T14:32:31.767Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:44.225Z", "description": "[INSOMNIA](https://attack.mitre.org/software/S0463) has utilized malicious JavaScript and iframes to exploit WebKit running on vulnerable iOS 12 devices.(Citation: Volexity Insomnia)", "relationship_type": "uses", "source_ref": "malware--21b7e0b0-0dea-4ccc-8ad4-8da51fe3a901", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json b/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json index 1cdc9b6e1a..4b7b4b6e62 100644 --- a/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json +++ b/mobile-attack/relationship/relationship--fcb3a139-f644-45c9-8123-dfea0455143a.json 
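Review bot: The rewritten relationship--fc816ddc object has neither `revoked` nor `x_mitre_deprecated`, although this hunk shows the whole file. Other objects rewritten in this patch (relationship--fc7639c8, relationship--fdf06a0b, relationship--fe794ba6) set both to `false`. The hunks for relationship--fcb3a139, relationship--fcc42341, relationship--fcdc2f1f, relationship--fd5b3d4b and relationship--ffc82546 show the same gap. A consumer that filters active relationships with an explicit `== false` test rather than treating absence as false would drop these records, which means losing technique mappings for INSOMNIA, SpyDealer, BusyGasper, eSurv, TrickMo and Windshift. Since the object is being re-serialized anyway, emit the two fields as the other objects do: `"revoked": false,` after `created_by_ref` and `"x_mitre_deprecated": false,` before `x_mitre_attack_spec_version`.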
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--a9f12b1c-4954-49b7-b818-9658720610a8", + "id": "bundle--af5900c6-c052-4e7b-8033-90be61c63197", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fcb3a139-f644-45c9-8123-dfea0455143a", "type": "relationship", + "id": "relationship--fcb3a139-f644-45c9-8123-dfea0455143a", "created": "2019-08-09T17:56:05.588Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/", + "source_name": "PaloAlto-SpyDealer", "description": "Wenjun Hu, Cong Zheng and Zhi Xu. (2017, July 6). SpyDealer: Android Trojan Spying on More Than 40 Apps. Retrieved September 18, 2018.", - "source_name": "PaloAlto-SpyDealer" + "url": "https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/" } ], - "modified": "2019-08-09T17:56:05.588Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:44.436Z", "description": "[SpyDealer](https://attack.mitre.org/software/S0324) can record video and take photos via front and rear cameras.(Citation: PaloAlto-SpyDealer)", "relationship_type": "uses", "source_ref": "malware--86fc6f0c-86d9-473e-89f3-f50f3cb9319b", "target_ref": "attack-pattern--d8940e76-f9c1-4912-bea6-e21c251370b6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json b/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json index 436f95ab2b..728f1155d5 100644 
--- a/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json +++ b/mobile-attack/relationship/relationship--fcc42341-ec3a-4e24-a374-46bed72d061f.json @@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--149b7d2a-c3c4-4a6a-ba83-7cb4a3bf7a8f", + "id": "bundle--7f8fe08b-3529-476e-8fda-14f06cf37679", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fcc42341-ec3a-4e24-a374-46bed72d061f", "type": "relationship", + "id": "relationship--fcc42341-ec3a-4e24-a374-46bed72d061f", "created": "2021-10-01T14:42:49.191Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecureList BusyGasper", - "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/", - "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021." + "description": "Alexey Firsh. (2018, August 29). BusyGasper \u2013 the unfriendly spy. Retrieved October 1, 2021.", + "url": "https://securelist.com/busygasper-the-unfriendly-spy/87627/" } ], - "modified": "2021-10-01T14:42:49.191Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:44.632Z", "description": "[BusyGasper](https://attack.mitre.org/software/S0655) can collect data from messaging applications, including WhatsApp, Viber, and Facebook.(Citation: SecureList BusyGasper)", "relationship_type": "uses", "source_ref": "malware--e110f94a-e2c5-4f5f-ba78-9c2ab6d2d9e4", "target_ref": "attack-pattern--702055ac-4e54-4ae9-9527-e23a38e0b160", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json b/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json index 2c7f87937a..835e5d6e92 100644 --- a/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json +++ b/mobile-attack/relationship/relationship--fcda686d-0c3a-457a-a34d-6dcfb28f54bd.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--1547b395-de10-490b-9c84-b7915810866c", + "id": "bundle--b19c1973-361b-47ad-9311-d5b0f6531371", "spec_version": "2.0", "objects": [ { @@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:49:38.924Z", + "modified": "2025-04-16T21:52:44.827Z", "description": "[EventBot](https://attack.mitre.org/software/S0478) registers for the `BOOT_COMPLETED` intent to auto-start after the device boots.(Citation: Cybereason EventBot)", "relationship_type": "uses", "source_ref": "malware--aecc0097-c9f8-4786-9b39-e891ff173f54", "target_ref": "attack-pattern--3775a580-a1d1-46c4-8147-c614a715f2e9", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json b/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json index e5f5a19144..3833e64389 100644 --- a/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json +++ b/mobile-attack/relationship/relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--797ed2a3-6bc8-4575-8e32-defc45021575", + "id": "bundle--c62abf80-b0df-4e16-9ecb-a0b9177e1215", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576", "type": "relationship", + "id": "relationship--fcdc2f1f-9787-4faa-86bf-2ed73f15a576", "created": "2020-09-14T14:13:45.294Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "Lookout eSurv", - "url": "https://blog.lookout.com/esurv-research", - "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020." + "description": "A. Bauer. (2019, April 8). Lookout discovers phishing sites distributing new iOS and Android surveillanceware. Retrieved September 11, 2020.", + "url": "https://blog.lookout.com/esurv-research" } ], - "modified": "2020-09-14T15:39:17.961Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:45.034Z", "description": "[eSurv](https://attack.mitre.org/software/S0507)\u2019s Android version is distributed in three stages: the dropper, the second stage payload, and the third stage payload which is [Exodus](https://attack.mitre.org/software/S0405).(Citation: Lookout eSurv)", "relationship_type": "uses", "source_ref": "malware--680f680c-eef9-4f8a-b5f5-f451bf47e403", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2.json b/mobile-attack/relationship/relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2.json index 5b9937999e..d9d8c81bf5 100644 --- a/mobile-attack/relationship/relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2.json +++ b/mobile-attack/relationship/relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2.json @@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--7501a3d1-9aa8-4cdb-97f2-547f3f596383", + "id": "bundle--ea05ddaf-01a3-4731-bfe3-6b66ffc87c6a", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--fd50cda0-66d4-4ae1-864e-9345d8124ce2", "created": "2023-08-08T16:14:27.679Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-08T16:14:27.679Z", + "modified": "2025-04-16T21:52:45.246Z", "description": "Application vetting services may potentially determine if an application contains suspicious code and/or metadata.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json b/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json index f3b0446b46..31eb993876 100644 --- a/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json 
+++ b/mobile-attack/relationship/relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--4bd4edf3-475b-4f46-bd0f-7ba9a1ac6aa9", + "id": "bundle--ca107e80-0be9-4304-aabc-569a94d0e5d2", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901", "type": "relationship", + "id": "relationship--fd5b3d4b-5d56-4d66-8b57-f858bc139901", "created": "2020-04-24T17:46:31.607Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "SecurityIntelligence TrickMo", - "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/", - "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020." + "description": "P. Asinovsky. (2020, March 24). TrickBot Pushing a 2FA Bypass App to Bank Customers in Germany. Retrieved April 24, 2020.", + "url": "https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/" } ], - "modified": "2020-04-24T17:46:31.607Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:45.440Z", "description": "[TrickMo](https://attack.mitre.org/software/S0427) contains obfuscated function, class, and variable names, and encrypts its shared preferences using Java\u2019s `PBEWithMD5AndDES` algorithm.(Citation: SecurityIntelligence TrickMo)", "relationship_type": "uses", "source_ref": "malware--21170624-89db-4e99-bf27-58d26be07c3a", "target_ref": "attack-pattern--d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json b/mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json index efdd889245..5d5e7c380a 100644 --- a/mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json +++ b/mobile-attack/relationship/relationship--fd6c7f4b-ce0f-4770-8487-786e41b63549.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--ad6f4f0c-420a-429f-805f-939a800d5f87", + "id": "bundle--9d9bbd2f-1e99-49fa-8c51-23162dc77e46", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-07T17:12:07.475Z", + "modified": "2025-04-16T21:52:45.628Z", "description": "Mobile security products can often alert the user if their device is vulnerable to known exploits.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "target_ref": "attack-pattern--fd339382-bfec-4bf0-8d47-1caedc9e7e57", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json b/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json index f0ff785999..396fee18d2 100644 --- a/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json +++ b/mobile-attack/relationship/relationship--fd8a4b6d-0e7b-4105-ad7b-576836be6394.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--9c91c7cc-1938-4ddc-b169-d2bf1702932b", + "id": "bundle--60b134d2-3b99-4f5f-b9c5-f4d8c15960d9", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T17:07:15.780Z", + "modified": "2025-04-16T21:52:45.837Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has region-locked their malicious applications during their Operation BULL campaign.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--e422b6fa-4739-46b9-992e-82f1b350c780", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json b/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json index c3d73de2b5..31ecc78a1c 100644 --- a/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json +++ b/mobile-attack/relationship/relationship--fda8fe32-6121-4b81-9aa0-4e9596db88b1.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--05836f73-8b4c-4d74-a81c-9cf82bad8ac1", + "id": "bundle--5aa01ad9-b5f5-4bab-8d3c-47e74c0f2ae0", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-04-05T20:33:57.748Z", + "modified": "2025-04-16T21:52:46.021Z", "description": "[Mandrake](https://attack.mitre.org/software/S0485) can access SMS messages.(Citation: Bitdefender Mandrake)", "relationship_type": "uses", "source_ref": "malware--52c994fa-b6c8-45a8-9586-a4275cf19307", "target_ref": "attack-pattern--c6421411-ae61-42bb-9098-73fddb315002", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json b/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json index a38b9244e4..0e176fd447 100644 --- a/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json +++ b/mobile-attack/relationship/relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea.json 
@@ -1,26 +1,25 @@ { "type": "bundle", - "id": "bundle--0200870d-426c-4e8e-8d3c-945283eb1586", + "id": "bundle--28c35b57-4c3d-4bc7-914b-a2e90d22dadb", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--fdf06a0b-08d2-4cac-9d49-b3f1454ec4ea", "created": "2022-03-30T19:32:43.015Z", - "x_mitre_version": "0.1", - "x_mitre_deprecated": false, + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:46.240Z", "description": "Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. Attestation can detect rooted devices.", - "modified": "2022-03-30T19:32:43.015Z", "relationship_type": "mitigates", "source_ref": "course-of-action--ff4821f6-5afb-481b-8c0f-26c28c0d666c", "target_ref": "attack-pattern--0cdd66ad-26ac-4338-a764-4972a1e17ee3", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a.json b/mobile-attack/relationship/relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a.json new file mode 100644 index 0000000000..9549b36349 --- /dev/null +++ b/mobile-attack/relationship/relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a.json 
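Review bot: The `description` kept on the new side of relationship--fdf06a0b repeats its first sentence at the end: "Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action. Attestation can detect rooted devices." The hunk bumps `modified` to 2025-04-16 and reorders the fields but leaves the text as is, so the duplicate now carries a fresh timestamp. Drop the trailing repeat so the mitigation text reads `"Attestation can detect rooted devices. Mobile security software can then use this information and take appropriate mitigation action."`.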
@@ -0,0 +1,37 @@ +{ + "type": "bundle", + "id": "bundle--01dbbf53-886a-4843-80e7-9618ff3ba93e", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fe1e9775-0923-4b8f-87d9-976fd1d3910a", + "created": "2025-03-24T20:25:51.549Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "LinkedIn Dmitry LightSpy 2025", + "description": "Dmitry Bestuzhev. (2025, April 7). The Coordinated Kill Switch: LightSpy's iOS Destructive Plugin Architecture Manages Device Disablement. Retrieved April 14, 2025.", + "url": "https://www.linkedin.com/pulse/coordinated-kill-switch-lightspys-ios-destructive-plugin-bestuzhev-zhoye/" + }, + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:46.438Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has deleted media files and messenger-related files on the device.(Citation: Threatfabric LightSpy 2024) Additionally, [LightSpy](https://attack.mitre.org/software/S1185) has used the AppDelete plugin to remove multiple messaging applications, such as WeChat, QQ, Telegram, Line and Whatsapp.(Citation: LinkedIn Dmitry LightSpy 2025) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--9ef14445-6f35-4ed0-a042-5024f13a9242", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json b/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json index cba05a5aaa..af075ceb5b 100644 --- a/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json +++ b/mobile-attack/relationship/relationship--fe794ba6-42be-4d42-a16f-a41473874331.json 
@@ -1,33 +1,32 @@ { "type": "bundle", - "id": "bundle--1c133283-c62d-4e48-93fd-180f382c4b91", + "id": "bundle--f52b8f61-7d67-4e3f-a875-0bd1fdb769e9", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], "type": "relationship", "id": "relationship--fe794ba6-42be-4d42-a16f-a41473874331", "created": "2022-03-30T15:08:13.679Z", - "x_mitre_version": "0.1", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "external_references": [ { "source_name": "Android-VerifiedBoot", - "url": "https://source.android.com/security/verifiedboot/", - "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016." + "description": "Android. (n.d.). Verified Boot. Retrieved December 21, 2016.", + "url": "https://source.android.com/security/verifiedboot/" } ], - "x_mitre_deprecated": false, - "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:46.633Z", "description": "Android Verified Boot can detect unauthorized modifications made to the system partition, which could lead to execution flow hijacking.(Citation: Android-VerifiedBoot) ", - "modified": "2022-03-30T15:08:13.679Z", "relationship_type": "mitigates", "source_ref": "course-of-action--7b1cf46f-784b-405a-a8dd-4624c19d8321", "target_ref": "attack-pattern--c6e17ca2-08b5-4379-9786-89bd05241831", - "x_mitre_attack_spec_version": "2.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
diff --git a/mobile-attack/relationship/relationship--fed0de7b-509f-445d-90b9-4b507214298b.json b/mobile-attack/relationship/relationship--fed0de7b-509f-445d-90b9-4b507214298b.json new file mode 100644 index 0000000000..cd8e9f24c0 --- /dev/null +++ b/mobile-attack/relationship/relationship--fed0de7b-509f-445d-90b9-4b507214298b.json @@ -0,0 +1,32 @@ +{ + "type": "bundle", + "id": "bundle--2338ff48-9dcd-4cbd-9ada-6de5015c2b9a", + "spec_version": "2.0", + "objects": [ + { + "type": "relationship", + "id": "relationship--fed0de7b-509f-445d-90b9-4b507214298b", + "created": "2025-03-24T20:21:48.189Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "Threatfabric LightSpy 2024", + "description": "ThreatFabric. (2024, October 29). LightSpy: Implant for iOS. Retrieved January 30, 2025.", + "url": "https://www.threatfabric.com/blogs/lightspy-implant-for-ios" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:46.830Z", + "description": "[LightSpy](https://attack.mitre.org/software/S1185) has established auto-start execution during the system boot process.(Citation: Threatfabric LightSpy 2024) ", + "relationship_type": "uses", + "source_ref": "malware--5b5d1e6c-e7de-4b46-ab8f-8556e8745927", + "target_ref": "attack-pattern--46d818a5-67fa-4585-a7fc-ecf15376c8d5", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json b/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json index 8f2e3609d1..6ef2703773 100644 --- a/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json 
+++ b/mobile-attack/relationship/relationship--ff3aa49b-c054-44ec-89da-6c67d4995193.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--a8ed2715-26b6-48de-bce2-d92c0bf38b49", + "id": "bundle--25d4ef69-c2b9-44ec-9563-3f2ab199a547", "spec_version": "2.0", "objects": [ { @@ -12,15 +12,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-09T15:52:15.261Z", + "modified": "2025-04-16T21:52:47.028Z", "description": "Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay.", "relationship_type": "detects", "source_ref": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", "target_ref": "attack-pattern--a8c31121-852b-46bd-9ba4-674ae5afe7ad", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938.json b/mobile-attack/relationship/relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938.json index 0e4a427bd4..5325831689 100644 --- a/mobile-attack/relationship/relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938.json +++ b/mobile-attack/relationship/relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938.json @@ -1,12 +1,13 @@ { "type": "bundle", - "id": "bundle--ea4b1557-927c-4b60-930f-d63b6cd2096d", + "id": "bundle--56919cde-aa58-4291-b3ff-bfbca2c955b1", "spec_version": "2.0", "objects": [ { "type": "relationship", "id": "relationship--ff410bea-7b23-4b0c-9979-b7ae3050d938", "created": "2023-08-04T18:34:26.118Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -18,16 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-08-04T18:34:26.118Z", + "modified": "2025-04-16T21:52:47.235Z", "description": "[Sunbird](https://attack.mitre.org/software/S1082) can exfiltrate calendar information.(Citation: lookout_hornbill_sunbird_0221)", "relationship_type": "uses", "source_ref": "malware--feae299d-e34f-4fc9-8545-486d0905bd41", "target_ref": "attack-pattern--a9fa0d30-a8ff-45bf-922e-7720da0b7922", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "0.1", - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f.json b/mobile-attack/relationship/relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f.json index 32b10ede9b..b5fa201233 100644 --- a/mobile-attack/relationship/relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f.json +++ b/mobile-attack/relationship/relationship--ff55feec-669d-4199-a05c-e8dfaebaaf8f.json @@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--47ecc32f-7ce1-4c47-8942-3a98618906f0", + "id": "bundle--94563830-6fb6-4809-b030-d8b5fbb31cea", "spec_version": "2.0", "objects": [ { 
@@ -19,15 +19,14 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "modified": "2023-10-10T15:33:57.463Z", + "modified": "2025-04-16T21:52:47.436Z", "description": "[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) has masqueraded as popular apps, cracked games, and video players. (Citation: Microsoft MalLockerB)", "relationship_type": "uses", "source_ref": "malware--9b86f8c3-33ab-44cf-a66d-c0fd6070e2ce", "target_ref": "attack-pattern--114fed8b-7eed-4136-8b9c-411c5c7fff4b", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json b/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json index e8325fe634..cc8aecf7a0 100644 --- a/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json +++ b/mobile-attack/relationship/relationship--ffc24804-42db-4be1-a418-7f5ab9de453c.json @@ -1,14 +1,11 @@ { "type": "bundle", - "id": "bundle--d2518ea0-17cb-49c1-aef3-8e980dc6ca26", + "id": "bundle--be08de75-2a7b-4c2a-827a-e19ed334f309", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c", "type": "relationship", + "id": "relationship--ffc24804-42db-4be1-a418-7f5ab9de453c", "created": "2017-12-14T16:46:06.044Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ 
@@ -18,13 +15,16 @@ "url": "https://blog.lookout.com/blog/2014/11/19/notcompatible/" } ], - "modified": "2018-10-17T00:14:20.652Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:47.666Z", "description": "[NotCompatible](https://attack.mitre.org/software/S0299) has the capability to exploit systems on an enterprise network.(Citation: Lookout-NotCompatible)", "relationship_type": "uses", "source_ref": "malware--23040c15-e7d8-47b5-8c16-8fd3e0e297fe", "target_ref": "attack-pattern--22379609-a99f-4a01-bd7e-70f3e105859d", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json b/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json index 98a47f599d..c11c9ae5d7 100644 --- a/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json +++ b/mobile-attack/relationship/relationship--ffc82546-f4da-4f47-88ec-b215edb1d695.json 
@@ -1,30 +1,30 @@ { "type": "bundle", - "id": "bundle--49bd31af-517b-4d82-8073-399fdc90c3c3", + "id": "bundle--cd26495e-f8a4-410b-99bf-51442e74be30", "spec_version": "2.0", "objects": [ { - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "relationship--ffc82546-f4da-4f47-88ec-b215edb1d695", "type": "relationship", + "id": "relationship--ffc82546-f4da-4f47-88ec-b215edb1d695", "created": "2021-02-08T16:36:20.799Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { "source_name": "BlackBerry Bahamut", - "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf", - "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021." + "description": "The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. 
Retrieved February 8, 2021.", + "url": "https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" } ], - "modified": "2021-05-24T13:16:56.589Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:52:47.869Z", "description": "[Windshift](https://attack.mitre.org/groups/G0112) has included malware functionality capable of downloading new DEX files at runtime during Operation BULL.(Citation: BlackBerry Bahamut)", "relationship_type": "uses", "source_ref": "intrusion-set--afec6dc3-a18e-4b62-b1a4-5510e1a498d1", "target_ref": "attack-pattern--6c49d50f-494d-4150-b774-a655022d20a6", - "x_mitre_version": "1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json b/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json index a32d353dcf..b65e069252 100644 --- a/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json +++ b/mobile-attack/relationship/relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055.json 
@@ -1,30 +1,32 @@
 {
 "type": "bundle",
- "id": "bundle--6c29cc12-2718-4e85-91a9-8a5ad28781bb",
+ "id": "bundle--5d426796-0765-4370-8c84-aa3e373c8754",
 "spec_version": "2.0",
 "objects": [
 {
+ "type": "relationship",
+ "id": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055",
+ "created": "2018-10-17T00:14:20.652Z",
+ "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "revoked": false,
+ "external_references": [
+ {
+ "source_name": "Wandera-RedDrop",
+ "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved November 17, 2024.",
+ "url": "https://web.archive.org/web/20180618225805/https://www.wandera.com/reddrop-malware/"
+ }
+ ],
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "id": "relationship--ffddcabb-0f03-46ae-abd6-7ab94e91b055",
- "type": "relationship",
- "created": "2018-10-17T00:14:20.652Z",
- "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
- "external_references": [
- {
- "url": "https://www.wandera.com/reddrop-malware/",
- "description": "Nell Campbell. (2018, February 27). RedDrop: the blackmailing mobile malware family lurking in app stores. Retrieved September 18, 2018.",
- "source_name": "Wandera-RedDrop"
- }
- ],
- "modified": "2019-09-10T13:14:39.009Z",
+ "modified": "2025-04-16T21:52:48.076Z",
 "description": "[RedDrop](https://attack.mitre.org/software/S0326) captures live recordings of the device's surroundings.(Citation: Wandera-RedDrop)",
 "relationship_type": "uses",
 "source_ref": "malware--9ed10b5a-ff20-467f-bf2f-d3fbf763e381",
 "target_ref": "attack-pattern--6683aa0c-d98a-4f5b-ac57-ca7e9934a760",
- "x_mitre_version": "1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
+ "x_mitre_deprecated": false,
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json b/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json
index 17efdd79d0..d7a97ac7cd 100644
--- a/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json
+++ b/mobile-attack/relationship/relationship--fff16b5e-49c2-45e2-8b3a-fd5f82c96dd9.json
@@ -1,6 +1,6 @@
 {
 "type": "bundle",
- "id": "bundle--5e92212a-4f3c-4c36-9aa3-33fbf6cd6966",
+ "id": "bundle--b4c05be7-892e-42bc-be7a-22fde6feb174",
 "spec_version": "2.0",
 "objects": [
 {
@@ -19,15 +19,14 @@
 "object_marking_refs": [
 "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168"
 ],
- "modified": "2023-04-05T17:30:28.587Z",
+ "modified": "2025-04-16T21:52:48.285Z",
 "description": "[Ginp](https://attack.mitre.org/software/S0423) can download the device\u2019s contact list.(Citation: ThreatFabric Ginp)",
 "relationship_type": "uses",
 "source_ref": "malware--6146be90-470c-4049-bb3a-9986b8ffb65b",
 "target_ref": "attack-pattern--e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86",
+ "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5",
 "x_mitre_deprecated": false,
- "x_mitre_version": "1.0",
- "x_mitre_attack_spec_version": "3.1.0",
- "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5"
+ "x_mitre_attack_spec_version": "3.2.0"
 }
 ]
 }
\ No newline at end of file
diff --git a/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json b/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json
index f875e260d8..89a57a1c74 100644
--- a/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json
+++ b/mobile-attack/tool/tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81.json
@@ -1,59 +1,59 @@ { "type": "bundle", - "id": "bundle--40062d7d-9041-4dbc-9083-4078c0436e1a", + "id": "bundle--275a507c-5a62-4031-b656-8b92a132cf90", "spec_version": "2.0", "objects": [ { + "type": "tool", + "id": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", + "created": "2019-09-04T15:38:56.070Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/software/S0408", + "external_id": "S0408" + }, + { + "source_name": "FortiGuard-FlexiSpy", + "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", + "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf" + }, + { + "source_name": "CyberMerchants-FlexiSpy", + "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019.", + "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html" + }, + { + "source_name": "FlexiSpy-Website", + "description": "FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019.", + "url": "https://www.flexispy.com/" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:17.243Z", + "name": "FlexiSpy", + "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. 
Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)", "labels": [ "tool" ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_platforms": [ "Android" ], "x_mitre_domains": [ "mobile-attack" ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_contributors": [ "Emily Ratliff, IBM" ], "x_mitre_aliases": [ "FlexiSpy" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "tool--1622fd3d-fcfc-4d02-ac49-f2d786f79b81", - "type": "tool", - "created": "2019-09-04T15:38:56.070Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "external_references": [ - { - "external_id": "S0408", - "source_name": "mitre-attack", - "url": "https://attack.mitre.org/software/S0408" - }, - { - "description": "K. Lu. (n.d.). Deep Technical Analysis of the Spyware FlexiSpy for Android. Retrieved September 10, 2019.", - "url": "https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf", - "source_name": "FortiGuard-FlexiSpy" - }, - { - "source_name": "CyberMerchants-FlexiSpy", - "url": "http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html", - "description": "Actis B. (2017, April 22). FlexSpy Application Analysis. Retrieved September 4, 2019." - }, - { - "source_name": "FlexiSpy-Website", - "url": "https://www.flexispy.com/", - "description": "FlexiSpy. (n.d.). FlexiSpy. Retrieved September 4, 2019." - } - ], - "modified": "2019-10-14T18:08:28.349Z", - "name": "FlexiSpy", - "description": "[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. 
Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)\n\n[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json b/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json index 752172ad11..fe37495821 100644 --- a/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json +++ b/mobile-attack/tool/tool--da21929e-40c0-443d-bdf4-6b60d15448b4.json @@ -1,21 +1,9 @@ { "type": "bundle", - "id": "bundle--0a7e5ef3-c07d-4e62-a650-6bcaa46ce18a", + "id": "bundle--2087f8fc-867e-4f6e-bea8-907966c6c382", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-24T15:09:07.609Z", - "name": "Xbot", - "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", - "labels": [ - "tool" - ], - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "type": "tool", "id": "tool--da21929e-40c0-443d-bdf4-6b60d15448b4", "created": "2017-10-25T14:48:48.609Z", 
@@ -38,7 +26,19 @@ ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ] + ], + "modified": "2025-04-16T21:22:17.393Z", + "name": "Xbot", + "description": "[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)", + "labels": [ + "tool" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json index ae6fea7dcc..ca005e78ca 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba.json @@ -1,15 +1,9 @@ { "type": "bundle", - "id": "bundle--5d17becc-7582-4d1b-8407-87fc56f7d292", + "id": "bundle--62cf82ad-936f-4460-9df1-c4d9334d06ba", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-20T20:18:06.745Z", - "name": "Network Connection Creation", - "description": "Initial construction of a network connection, such as capturing socket information with a source/destination IP and port(s) (ex: Windows EID 5156, Sysmon EID 3, or Zeek conn.log)", - "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_deprecated": false, - "x_mitre_version": "1.1", "type": "x-mitre-data-component", "id": "x-mitre-data-component--181a9f8c-c780-4f1f-91a8-edb770e904ba", "created": "2021-10-20T15:05:19.274Z", 
@@ -18,8 +12,19 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-18T15:11:23.639Z", + "name": "Network Connection Creation", + "description": "The initial establishment of a network session, where a system or process initiates a connection to a local or remote endpoint. This typically involves capturing socket information (source/destination IP, ports, protocol) and tracking session metadata. Monitoring these events helps detect lateral movement, exfiltration, and command-and-control (C2) activities.\n\n*Data Collection Measures:*\n\n- Windows:\n - Event ID 5156 \u2013 Filtering Platform Connection - Logs network connections permitted by Windows Filtering Platform (WFP).\n - Sysmon Event ID 3 \u2013 Network Connection Initiated - Captures process, source/destination IP, ports, and parent process.\n- Linux/macOS:\n - Netfilter (iptables), nftables logs - Tracks incoming and outgoing network connections.\n - AuditD (`connect` syscall) - Logs TCP, UDP, and ICMP connections.\n - Zeek (`conn.log`) - Captures protocol, duration, and bytes transferred.\n- Cloud & Network Infrastructure:\n - AWS VPC Flow Logs / Azure NSG Flow Logs - Logs IP traffic at the network level in cloud environments.\n - Zeek (conn.log) or Suricata (network events) - Captures packet metadata for detection and correlation.\n- Endpoint Detection & Response (EDR):\n - Detect anomalous network activity such as new C2 connections or data exfiltration attempts.", + "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No 
newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json index 6f7f71dff2..a0c0c74d2a 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c.json 
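Review bot: The new `description` of Network Connection Creation lists only Windows, Linux/macOS, cloud and EDR collection sources, yet the object sits under `mobile-attack/` and its `x_mitre_domains` now names `mobile-attack`, so a Mobile reader gets no source that applies to Android or iOS. Either add a Mobile entry to the *Data Collection Measures* list (wording to be confirmed by the content owners, for example `- Mobile:\n - On-device VPN or mobile threat defense network telemetry`) or say in the opening sentence that the listed sources are Enterprise examples. The same gap is in the Network Traffic Content, Process Creation, Process Termination and Command Execution hunks later in this patch. The object itself opens in the previous hunk of this file.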
@@ -1,23 +1,30 @@ { "type": "bundle", - "id": "bundle--da4a50e8-bc4c-43de-a33c-8bd496afb904", + "id": "bundle--f609cd57-44dd-49d2-94fc-f335205a79ca", "spec_version": "2.0", "objects": [ { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--3772e279-27d6-477a-9fe3-c6beb363594c", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.274Z", + "modified": "2025-04-18T15:11:16.672Z", "name": "Network Traffic Content", - "description": "Logged network traffic data showing both protocol header and body values (ex: PCAP)", + "description": "The full packet capture (PCAP) or session data that logs both protocol headers and payload content. This allows analysts to inspect command and control (C2) traffic, exfiltration, and other suspicious activity within network communications. Unlike metadata-based logs, full content analysis enables deeper protocol inspection, payload decoding, and forensic investigations.\n\n*Data Collection Measures:*\n\n- Network Packet Capture (Full Content Logging)\n - Wireshark / tcpdump / tshark\n - Full packet captures (PCAP files) for manual analysis or IDS correlation. `tcpdump -i eth0 -w capture.pcap`\n - Zeek (formerly Bro)\n - Extracts protocol headers and payload details into structured logs. `echo \"redef Log::default_store = Log::ASCII;\" > local.zeek | zeek -Cr capture.pcap local.zeek`\n - Suricata / Snort (IDS/IPS with PCAP Logging)\n - Deep packet inspection (DPI) with signature-based and behavioral analysis. 
`suricata -c /etc/suricata/suricata.yaml -i eth0 -l /var/log/suricata`\n- Host-Based Collection\n - Sysmon Event ID 22 \u2013 DNS Query Logging, Captures DNS requests made by processes, useful for detecting C2 domains.\n - Sysmon Event ID 3 \u2013 Network Connection Initiated, Logs process-to-network connection relationships.\n - AuditD (Linux) \u2013 syscall=connect, Monitors outbound network requests from processes. `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Traffic Collection\n - AWS VPC Flow Logs / Azure NSG Flow Logs / Google VPC Flow Logs, Captures metadata about inbound/outbound network traffic.\n - Cloud IDS (AWS GuardDuty, Azure Sentinel, Google Chronicle), Detects malicious activity in cloud environments by analyzing network traffic patterns.", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json index f47338e312..752add411b 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077.json 
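Review bot: The Zeek example in the new `description` joins its two commands with `|`, which starts `zeek` at the same time as the `echo` that writes `local.zeek`, so Zeek can open the script before it has been written; the fragment should read `> local.zeek && zeek -Cr capture.pcap local.zeek`. I could not match `Log::default_store` / `Log::ASCII` to a Zeek option and suspect `Log::default_writer` was meant, so that `redef` needs checking against the Zeek documentation before it ships as guidance. The text also recommends full packet capture without saying that stored PCAPs hold payload content; a closing sentence such as `Restrict access to stored captures and set a retention period, since payloads may include credentials and personal data.` would cover it.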
@@ -1,15 +1,9 @@ { "type": "bundle", - "id": "bundle--d924e52c-1de6-4a57-b16d-29f44e201428", + "id": "bundle--819c7af6-e83f-4900-8ec4-bdf3e26cf3e8", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-07T16:15:56.932Z", - "name": "Process Creation", - "description": "The initial construction of an executable managed by the OS, that may involve one or more tasks or threads. (e.g. Win EID 4688, Sysmon EID 1, cmd.exe > net use, etc.)", - "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "x_mitre_deprecated": false, - "x_mitre_version": "1.1", "type": "x-mitre-data-component", "id": "x-mitre-data-component--3d20385b-24ef-40e1-9f56-f39750379077", "created": "2021-10-20T15:05:19.272Z", 
@@ -18,8 +12,19 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-18T15:10:27.797Z", + "name": "Process Creation", + "description": "Refers to the event in which a new process (executable) is initialized by an operating system. This can involve parent-child process relationships, process arguments, and environmental variables. Monitoring process creation is crucial for detecting malicious behaviors, such as execution of unauthorized binaries, scripting abuse, or privilege escalation attempts.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - EDRs provide process telemetry, tracking execution flows and arguments.\n- Windows Event Logs:\n - Event ID 4688 (Audit Process Creation): Captures process creation with associated parent process.\n- Sysmon (Windows):\n - Event ID 1 (Process Creation): Provides detailed logging\n- Linux/macOS Monitoring:\n - AuditD (execve syscall): Logs process creation.\n - eBPF/XDP: Used for low-level monitoring of system calls related to process execution.\n - OSQuery: Allows SQL-like queries to track process events (process_events table).\n - Apple Endpoint Security Framework (ESF): Monitors process creation on macOS.\n- Network-Based Monitoring:\n - Zeek (Bro) Logs: Captures network-based process execution related to remote shells.\n - Syslog/OSSEC: Tracks execution of processes on distributed systems.\n- Behavioral SIEM Rules:\n - Monitor process creation for uncommon binaries in user directories.\n - Detect processes with suspicious command-line arguments. 
", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json index 9ca119f20b..8b2f1c9ea0 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6.json 
@@ -1,28 +1,28 @@ { "type": "bundle", - "id": "bundle--58d8fb87-ab87-4572-b2e4-2b40ce338d5a", + "id": "bundle--cd534c81-8040-4111-b969-cdbebcd99b3d", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T20:48:14.540Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", + "created": "2023-03-13T20:48:14.540Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:21.541Z", "name": "System Settings", "description": "Settings visible to the user on the device", "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--56c2b384-77f8-461f-a71a-76f7888ebfb6", - "created": "2023-03-13T20:48:14.540Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json index 5a208f129d..02534de750 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962.json 
@@ -1,28 +1,28 @@ { "type": "bundle", - "id": "bundle--c44f3752-6fb6-4b28-9baa-0e7a28ddd14d", + "id": "bundle--d2f26270-9f84-4861-9bbf-590e9b38a9f8", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T19:59:14.491Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", + "created": "2023-03-13T19:59:14.491Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:21.246Z", "name": "API Calls", "description": "API calls utilized by an application that could indicate malicious activity", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--5ae32c6a-2d12-4b8f-81ca-f862f2be0962", - "created": "2023-03-13T19:59:14.491Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa.json index b18f51d7a9..c87b5433e9 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--613788f2-ad72-43f5-b5f7-a93e2adc70fa.json 
@@ -1,6 +1,6 @@ { "type": "bundle", - "id": "bundle--31621171-b707-494b-8f43-3f4493cf6fc6", + "id": "bundle--f2ef95ad-7819-4dcc-9abc-9312073a8385", "spec_version": "2.0", "objects": [ { diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json index e99122a4eb..1a6e534649 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f.json 
@@ -1,23 +1,30 @@ { "type": "bundle", - "id": "bundle--89eb0f19-b8a2-4476-87f9-6dd67c4185e7", + "id": "bundle--02c31a22-7e58-4be1-a0c1-66fd5f0d2d8f", "spec_version": "2.0", "objects": [ { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--61f1d40e-f3d0-4cc6-aa2d-937b6204194f", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.272Z", + "modified": "2025-04-18T15:10:34.519Z", "name": "Process Termination", - "description": "Exit of a running process (ex: Sysmon EID 5 or Windows EID 4689)", + "description": "The exit or termination of a running process on a system. 
This can occur due to normal operations, user-initiated commands, or malicious actions such as process termination by malware to disable security controls.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor process termination events.\n- Windows Event Logs:\n - Event ID 4689 (Process Termination) \u2013 Captures when a process exits, including process ID and parent process.\n - Event ID 7036 (Service Control Manager) \u2013 Monitors system service stops.\n- Sysmon (Windows):\n - Event ID 5 (Process Termination) \u2013 Detects when a process exits, including parent-child relationships.\n- Linux/macOS Monitoring:\n - AuditD (`execve`, `exit_group`, `kill` syscalls) \u2013 Captures process termination via command-line interactions.\n - eBPF/XDP: Monitors low-level system calls related to process termination.\n - OSQuery: The processes table can be queried for abnormal exits.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json index a19f2c1bb8..3920e863c7 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0.json 
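Review bot: Two entries under *Linux/macOS Monitoring* in the new Process Termination `description` name the wrong mechanism. `execve` starts a program rather than ending one, so the AuditD entry should list only `exit_group` and `kill`. XDP is a packet-processing hook on the network receive path and does not trace system calls, so `eBPF/XDP` should read `eBPF`. The same `eBPF/XDP` wording appears in the Process Creation hunk earlier in this patch, where the `Zeek (Bro) Logs` entry also credits a network monitor with capturing process execution, which it cannot observe directly.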
@@ -1,15 +1,9 @@ { "type": "bundle", - "id": "bundle--d4de5815-c809-4474-996d-e5b5ed303648", + "id": "bundle--605991ac-e65f-4166-ad91-41f0ab5e4ace", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-07T16:14:39.124Z", - "name": "Command Execution", - "description": "The execution of a line of text, potentially with arguments, created from program code (e.g. a cmdlet executed via powershell.exe, interactive commands like >dir, shell executions, etc. )", - "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", - "x_mitre_deprecated": false, - "x_mitre_version": "1.1", "type": "x-mitre-data-component", "id": "x-mitre-data-component--685f917a-e95e-4ba0-ade1-c7d354dae6e0", "created": "2021-10-20T15:05:19.273Z", 
@@ -18,8 +12,19 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-18T15:11:30.145Z", + "name": "Command Execution", + "description": "Command Execution involves monitoring and capturing the execution of textual commands (including shell commands, cmdlets, and scripts) within an operating system or application. These commands may include arguments or parameters and are typically executed through interpreters such as `cmd.exe`, `bash`, `zsh`, `PowerShell`, or programmatic execution. Examples: \n\n- Windows Command Prompt\n - dir \u2013 Lists directory contents.\n - net user \u2013 Queries or manipulates user accounts.\n - tasklist \u2013 Lists running processes.\n- PowerShell\n - Get-Process \u2013 Retrieves processes running on a system.\n - Set-ExecutionPolicy \u2013 Changes PowerShell script execution policies.\n - Invoke-WebRequest \u2013 Downloads remote resources.\n- Linux Shell\n - ls \u2013 Lists files in a directory.\n - cat /etc/passwd \u2013 Reads the user accounts file.\n - curl http://malicious-site.com \u2013 Retrieves content from a malicious URL.\n- Container Environments\n - docker exec \u2013 Executes a command inside a running container.\n - kubectl exec \u2013 Runs commands in Kubernetes pods.\n- macOS Terminal\n - open \u2013 Opens files or URLs.\n - dscl . 
-list /Users \u2013 Lists all users on the system.\n - osascript -e \u2013 Executes AppleScript commands.\n\nThis data component can be collected through the following measures:\n\nEnable Command Logging\n\n- Windows:\n - Enable PowerShell logging: `Set-ExecutionPolicy Bypass`, `Set-ItemProperty -Path \"HKLM:\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging\" -Name EnableScriptBlockLogging -Value 1`\n - Enable Windows Event Logging:\n - Event ID 4688: Tracks process creation, including command-line arguments.\n - Event ID 4104: Logs PowerShell script block execution.\n- Linux/macOS:\n - Enable shell history logging in `.bashrc` or `.zshrc`: `export HISTTIMEFORMAT=\"%d/%m/%y %T \"`, `export PROMPT_COMMAND='history -a; history -w'`\n - Use audit frameworks (e.g., `auditd`) to log command executions. Example rule to log all `execve` syscalls: `-a always,exit -F arch=b64 -S execve -k cmd_exec`\n- Containers:\n - Use runtime-specific tools like Docker\u2019s --log-driver or Kubernetes Audit Logs to capture exec commands.\n\nIntegrate with Centralized Logging\n\n- Collect logs using a SIEM (e.g., Splunk) or cloud-based log aggregation tools like AWS CloudWatch or Azure Monitor. Example Splunk Search for Windows Event 4688:\n`index=windows EventID=4688 CommandLine=*`\n\nUse Endpoint Detection and Response (EDR) Tools\n\n- Monitor command executions via EDR solutions \n\nDeploy Sysmon for Advanced Logging (Windows)\n\n- Use Sysmon's Event ID 1 to log process creation with command-line arguments", + "x_mitre_data_source_ref": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
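Review bot: The added Command Execution `description` lists `Set-ExecutionPolicy Bypass` under "Enable PowerShell logging", but that cmdlet relaxes the script execution policy and has no effect on logging. Only the `EnableScriptBlockLogging` registry value that follows it produces Event ID 4104. A reader applying the text as written would weaken the host while believing telemetry had been turned on, so I would drop the first command and keep `Set-ItemProperty … -Name EnableScriptBlockLogging -Value 1` alone. The shell-history bullet (`HISTTIMEFORMAT`, `PROMPT_COMMAND`) should say that history files are writable by the account being monitored and point to `auditd` for evidence. The Docker bullet also needs a hedge, since a log driver records container output rather than `docker exec` invocations.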
diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json index 145e90d3ed..ce09139cf8 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2.json 
@@ -1,28 +1,28 @@ { "type": "bundle", - "id": "bundle--ff516526-13b7-435f-80a8-fce65b3b1442", + "id": "bundle--b7ab7d1a-82e6-4702-84f4-0ae948ef44b8", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T20:00:38.029Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", + "created": "2023-03-13T20:00:38.029Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:22.260Z", "name": "Protected Configuration", "description": "Device configuration options that are not typically utilized by benign applications", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--6c62144a-cd5c-401c-ada9-58c4c74cd9d2", - "created": "2023-03-13T20:00:38.029Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json index 861472942d..3ccbd1dee2 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json 
+++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0.json @@ -1,28 +1,28 @@ { "type": "bundle", - "id": "bundle--24de0feb-08ea-4b26-b055-f2f1ea9b89a4", + "id": "bundle--3f4d8353-4097-4ed4-b064-03ecbb8fb15d", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T19:59:42.141Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", + "created": "2023-03-13T19:59:42.141Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:21.724Z", "name": "Network Communication", "description": "Network requests made by an application or domains contacted", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--764ee29e-48d6-4934-8e6b-7a606aaaafc0", - "created": "2023-03-13T19:59:42.141Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json index 4c734e2640..b481541c5b 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json 
+++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6.json @@ -1,15 +1,9 @@ { "type": "bundle", - "id": "bundle--bd83673a-732b-4a6d-9840-51cac1b1e0fa", + "id": "bundle--6da2f268-9980-4bf4-959b-7f5384b066f1", "spec_version": "2.0", "objects": [ { - "modified": "2022-10-20T20:22:45.613Z", - "name": "Host Status", - "description": "Logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications)", - "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", - "x_mitre_deprecated": false, - "x_mitre_version": "1.1", "type": "x-mitre-data-component", "id": "x-mitre-data-component--85a533a4-5fa4-4dba-b45d-f0717bedd6e6", "created": "2021-10-20T15:05:19.272Z", 
@@ -18,8 +12,18 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-18T15:16:18.582Z", + "name": "Host Status", + "description": "Logging, messaging, and other artifacts that highlight the health and operational state of host-based security sensors, such as Endpoint Detection and Response (EDR) agents, antivirus software, logging services, and system monitoring tools. Monitoring sensor health is essential for detecting misconfigurations, sensor failures, tampering, or deliberate security control evasion by adversaries.\n\n*Data Collection Measures:*\n\n- Windows Event Logs:\n - Event ID 1074 (System Shutdown): Detects unexpected system reboots/shutdowns.\n - Event ID 6006 (Event Log Stopped): Logs when Windows event logging is stopped.\n - Event ID 16 (Sysmon): Detects configuration state changes that may indicate log tampering.\n - Event ID 12 (Windows Defender Status Change) \u2013 Detects changes in Windows Defender state.\n- Linux/macOS Monitoring:\n - `/var/log/syslog`, `/var/log/auth.log`, `/var/log/kern.log`\n - Journald (journalctl) for kernel and system alerts.\n- Endpoint Detection and Response (EDR) Tools:\n - Monitor agent health status, detect sensor tampering, and alert on missing telemetry.\n- Mobile Threat Intelligence Logs:\n - Samsung Knox, SafetyNet, iOS Secure Enclave provide sensor health status for mobile endpoints.", + "x_mitre_data_source_ref": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file 
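Review bot: The event IDs in the added Host Status `description` are given without their log channel or provider, and two of them do not match the behaviour stated next to them. Event ID 1074 is written when a user or process requests a shutdown or restart, so it does not by itself detect unexpected ones; Event ID 6008 in the System log records those. `Event ID 12 (Windows Defender Status Change)` looks doubtful: Sysmon uses 12 for registry object create/delete, and as far as I know Defender reports protection-state changes in the 5000 range of its own operational log. I would name the source on each bullet, e.g. `System log, Event ID 6008 (unexpected shutdown)`, so a detection engineer does not query the wrong channel. The mobile bullet lists `SafetyNet`, which Google has replaced with the Play Integrity API; worth confirming before this text is published.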
diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json new file mode 100644 index 0000000000..751de27c8d --- /dev/null +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e.json 
@@ -0,0 +1,30 @@ +{ + "type": "bundle", + "id": "bundle--c9619016-9426-49b0-8e0c-66a889f54dd0", + "spec_version": "2.0", + "objects": [ + { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--9bde2f9d-a695-4344-bfac-f2dce13d121e", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-18T15:10:31.145Z", + "name": "OS API Execution", + "description": "Calls made by a process to operating system-provided Application Programming Interfaces (APIs). These calls are essential for interacting with system resources such as memory, files, and hardware, or for performing system-level tasks. Monitoring these calls can provide insight into a process's intent, especially if the process is malicious.\n\n*Data Collection Measures:*\n\n- Endpoint Detection and Response (EDR) Tools:\n - Leverage tools to monitor API execution behaviors at the process level.\n - Example: Sysmon Event ID 10 captures API call traces for process access and memory allocation.\n- Process Monitor (ProcMon):\n - Use ProcMon to collect detailed logs of process and API activity. 
ProcMon can provide granular details on API usage and identify malicious behavior during analysis.\n- Windows Event Logs:\n - Use Event IDs from Windows logs for specific API-related activities:\n - Event ID 4688: A new process has been created (can indirectly infer API use).\n - Event ID 4657: A registry value has been modified (to monitor registry-altering APIs).\n- Dynamic Analysis Tools:\n - Tools like Cuckoo Sandbox, Flare VM, or Hybrid Analysis monitor API execution during malware detonation.\n- Host-Based Logs:\n - On Linux/macOS systems, leverage audit frameworks (e.g., `auditd`, `strace`) to capture and analyze system call usage that APIs map to.\n- Runtime Monitors:\n - Runtime security tools like Falco can monitor system-level calls for API execution.\n- Debugging and Tracing:\n - Use debugging tools like gdb (Linux) or WinDbg (Windows) for deep tracing of API executions in real time.", + "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0" + } + ] +} \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json index 43ea6c3965..78d7b47dcc 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a.json 
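Review bot: In the new OS API Execution `description`, the example `Sysmon Event ID 10 captures API call traces for process access and memory allocation` overstates what that event records. Event ID 10 (ProcessAccess) is logged when one process opens a handle to another and carries the granted access and a call trace; it does not record memory allocation or API calls in general. I would reword it to `Sysmon Event ID 10 (ProcessAccess) records cross-process handle opens with the granted access and call trace`. The Host-Based Logs bullet groups `strace` with `auditd` as an audit framework, but `strace` is a tracer attached per process, so the text should present it as an analysis aid rather than a collection source.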
@@ -1,23 +1,30 @@ { "type": "bundle", - "id": "bundle--9331c158-8e2a-4c97-83f7-bbd0c40ae3c5", + "id": "bundle--70e9130c-4d1c-494f-85be-573fdf330d8e", "spec_version": "2.0", "objects": [ { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", + "created": "2021-10-20T15:05:19.274Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--a7f22107-02e5-4982-9067-6625d4a1765a", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.274Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.274Z", + "modified": "2025-04-18T15:11:20.168Z", "name": "Network Traffic Flow", - "description": "Summarized network packet data, with metrics, such as protocol headers and volume (ex: Netflow or Zeek http.log)", + "description": "Summarized network packet data that captures session-level details such as source/destination IPs, ports, protocol types, timestamps, and data volume, without storing full packet payloads. This is commonly used for traffic analysis, anomaly detection, and network performance monitoring.\n\n*Data Collection Measures:*\n\n- Network Flow Logs (Metadata Collection)\n - NetFlow \n - Summarized metadata for network conversations (no packet payloads).\n - sFlow (Sampled Flow Logging)\n - Captures sampled packets from switches and routers.\n - Used for real-time traffic monitoring and anomaly detection.\n - Zeek (Bro) Flow Logs\n - Zeek logs session-level details in logs like conn.log, http.log, dns.log, etc.\n- Host-Based Collection\n - Sysmon Event ID 3 \u2013 Network Connection Initiated\n - Logs process-level network activity, useful for detecting malicious outbound connections.\n - AuditD (Linux) \u2013 syscall=connect\n - Monitors system calls for network connections. 
`auditctl -a always,exit -F arch=b64 -S connect -k network_activity`\n- Cloud & SaaS Flow Monitoring\n - AWS VPC Flow Logs\n - Captures metadata for traffic between EC2 instances, security groups, and internet gateways.\n - Azure NSG Flow Logs / Google VPC Flow Logs\n - Logs ingress/egress traffic for cloud-based resources.", "x_mitre_data_source_ref": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json index e2d1164198..da85687b14 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43.json 
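Review bot: The audit rule quoted in the new Network Traffic Flow `description`, `auditctl -a always,exit -F arch=b64 -S connect -k network_activity`, matches only 64-bit syscalls, so connections made by 32-bit processes on the same host are not logged. The text should either add the companion `-F arch=b32` rule or state the limitation; on 32-bit x86 `connect` is commonly reached through `socketcall`, which should be confirmed for the target kernels. The `execve` rule in the Command Execution description earlier in this patch (`-a always,exit -F arch=b64 -S execve -k cmd_exec`) has the same gap. The Zeek bullet also presents `http.log` and `dns.log` as flow logs, although only `conn.log` is a per-connection summary.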
@@ -1,28 +1,28 @@ { "type": "bundle", - "id": "bundle--a029eb0c-968f-4733-af19-26f86c52f09e", + "id": "bundle--f47e6db8-f441-4acc-a8fe-080e611804ba", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T20:00:08.487Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", + "created": "2023-03-13T20:00:08.487Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:21.394Z", "name": "Permissions Requests", "description": "Permissions declared in an application's manifest or property list file", "x_mitre_data_source_ref": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--b1e0bb80-23d4-44f2-b919-7e9c54898f43", - "created": "2023-03-13T20:00:08.487Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json index cb4f075d1a..fe1e179f3c 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4.json 
@@ -1,28 +1,28 @@ { "type": "bundle", - "id": "bundle--62b8a210-d490-49fb-bc34-63ce769da972", + "id": "bundle--1e5e04e2-843b-4c55-8d87-97feff67c8b1", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T20:47:52.557Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", + "created": "2023-03-13T20:47:52.557Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:22.106Z", "name": "System Notifications", "description": "Notifications generated by the OS", "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--bf0ff551-a5a7-40e5-bff9-f9405011b1f4", - "created": "2023-03-13T20:47:52.557Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json index 33cbcff870..66eaaba296 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json +++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456.json 
@@ -1,28 +1,28 @@ { "type": "bundle", - "id": "bundle--34a74699-dc54-40a4-90fa-9ef8bb479462", + "id": "bundle--7bf16a95-30bf-4525-903b-5e111016034c", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T20:47:24.038Z", + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", + "created": "2023-03-13T20:47:24.038Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:21.873Z", "name": "Permissions Request", "description": "System prompts triggered when an application requests new or additional permissions", "x_mitre_data_source_ref": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, "x_mitre_domains": [ "mobile-attack" ], "x_mitre_version": "1.0", - "type": "x-mitre-data-component", - "id": "x-mitre-data-component--e2f72131-14d1-411f-8e8c-aa3453dd5456", - "created": "2023-03-13T20:47:24.038Z", - "revoked": false, - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json b/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json index 54a39a4a5e..e3337c0d2a 100644 --- a/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json 
+++ b/mobile-attack/x-mitre-data-component/x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1.json @@ -1,23 +1,30 @@ { "type": "bundle", - "id": "bundle--4167ce87-da2a-42e2-b787-6c686727db5d", + "id": "bundle--c4aaf399-b318-4cf5-9612-e5c37575987e", "spec_version": "2.0", "objects": [ { + "type": "x-mitre-data-component", + "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", + "created": "2021-10-20T15:05:19.272Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "id": "x-mitre-data-component--ee575f4a-2d4f-48f6-b18b-89067760adc1", - "type": "x-mitre-data-component", - "created": "2021-10-20T15:05:19.272Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "modified": "2021-10-20T15:05:19.272Z", + "modified": "2025-04-18T15:10:37.873Z", "name": "Process Metadata", "description": "Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.", "x_mitre_data_source_ref": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json index d5d4250fa3..891b67ff61 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json 
+++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159.json @@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--f87cddab-2260-459d-beca-87130fbe9a21", + "id": "bundle--d657192d-e205-4a70-85a5-84444b736e54", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-20T18:38:40.409Z", - "name": "Sensor Health", - "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS", - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "mobile-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--4523e7f3-8de2-4078-96f8-1227eb537159", "created": "2021-10-20T15:05:19.272Z", @@ -41,8 +19,30 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T20:39:11.418Z", + "name": "Sensor Health", + "description": "Information from host telemetry providing insights about system status, errors, or other notable functional activity", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "enterprise-attack", + "mobile-attack" + ], + "x_mitre_version": "1.1", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ] } ] } \ No newline at end of file 
diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json index 263406daa3..c457ee5825 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json +++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8.json @@ -1,27 +1,13 @@ { "type": "bundle", - "id": "bundle--d86ee5e7-6be5-4cea-99e9-75bf2c8ca08a", + "id": "bundle--c3c9bac5-4bc7-4ce3-9652-9fea2c1b8ef3", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T19:36:25.108Z", - "name": "User Interface", - "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_collection_layers": [ - "Device" - ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--55ba7d30-887f-42c1-a24e-c4e90aff24b8", "created": "2023-03-13T19:36:25.108Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { 
@@ -33,9 +19,23 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:22:20.681Z", + "name": "User Interface", + "description": "Visual activity on the device that could alert the user to potentially malicious behavior.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "Device" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json index e7575729e8..5d0f9f6f7b 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json +++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089.json 
@@ -1,35 +1,9 @@ { "type": "bundle", - "id": "bundle--61f1d69e-ed32-4535-b398-ab0c59df1d41", + "id": "bundle--d13c1632-1b5e-48c7-b9dc-a3c2da7b7b6c", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-20T18:38:00.625Z", - "name": "Command", - "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", - "x_mitre_platforms": [ - "Containers", - "Linux", - "Network", - "Windows", - "macOS", - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "mobile-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)", - "Austin Clark, @c2defense" - ], - "x_mitre_collection_layers": [ - "Container", - "Host" - ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--73691708-ffb5-4e29-906d-f485f6fa7089", "created": "2021-10-20T15:05:19.273Z", 
@@ -55,8 +29,36 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-18T15:11:26.880Z", + "name": "Command", + "description": "A directive given to a computer program, acting as an interpreter of some kind, in order to perform a specific task(Citation: Confluence Linux Command Line)(Citation: Audit OSX)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Containers", + "Linux", + "Network Devices", + "Windows", + "macOS", + "Android", + "iOS", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "Austin Clark, @c2defense" + ], + "x_mitre_collection_layers": [ + "Container", + "Host" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json index 5b91974bff..5546093a53 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json +++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3.json 
@@ -1,35 +1,9 @@ { "type": "bundle", - "id": "bundle--64a3fe35-37b5-4a0d-a365-1e3eb6590876", + "id": "bundle--4097cdc7-5bbc-42ab-9a24-055d187abe71", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-20T18:38:13.356Z", - "name": "Network Traffic", - "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", - "x_mitre_platforms": [ - "IaaS", - "Linux", - "Windows", - "macOS", - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "mobile-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)", - "ExtraHop" - ], - "x_mitre_collection_layers": [ - "Cloud Control Plane", - "Host", - "Network" - ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--c000cd5c-bbb3-4606-af6f-6c6d9de0bbe3", "created": "2021-10-20T15:05:19.274Z", 
@@ -45,8 +19,36 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-18T15:11:13.424Z", + "name": "Network Traffic", + "description": "Data transmitted across a network (ex: Web, DNS, Mail, File, etc.), that is either summarized (ex: Netflow) and/or captured as raw data in an analyzable format (ex: PCAP)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "IaaS", + "Linux", + "Windows", + "macOS", + "Android", + "iOS", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)", + "ExtraHop" + ], + "x_mitre_collection_layers": [ + "Cloud Control Plane", + "Host", + "Network" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json index b44071d996..277e4629a4 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json +++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203.json 
@@ -1,27 +1,13 @@ { "type": "bundle", - "id": "bundle--4595f198-190e-40e2-8151-9be2d132d787", + "id": "bundle--bf6eaf83-4eb9-4732-9acd-b5409a80e18a", "spec_version": "2.0", "objects": [ { - "modified": "2023-03-13T19:30:41.131Z", - "name": "Application Vetting", - "description": "Application vetting report generated by an external cloud service.", - "x_mitre_platforms": [ - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_collection_layers": [ - "Report" - ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--e156f007-c5bf-45cc-8dd5-d442ffb0d203", "created": "2023-03-13T19:30:41.131Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "revoked": false, "external_references": [ { @@ -33,9 +19,23 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-16T21:22:20.420Z", + "name": "Application Vetting", + "description": "Application vetting report generated by an external cloud service.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Android", + "iOS" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_collection_layers": [ + "Report" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json b/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json index 8ae3242988..faf44aa085 100644 --- a/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json 
+++ b/mobile-attack/x-mitre-data-source/x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22.json @@ -1,31 +1,9 @@ { "type": "bundle", - "id": "bundle--c9c7ec73-5ddf-403e-8ce2-6942771d6e41", + "id": "bundle--fb3f4f2f-4224-4c65-86fa-7b93dc17839e", "spec_version": "2.0", "objects": [ { - "modified": "2023-04-20T18:38:26.515Z", - "name": "Process", - "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", - "x_mitre_platforms": [ - "Linux", - "Windows", - "macOS", - "Android", - "iOS" - ], - "x_mitre_deprecated": false, - "x_mitre_domains": [ - "enterprise-attack", - "mobile-attack" - ], - "x_mitre_version": "1.1", - "x_mitre_contributors": [ - "Center for Threat-Informed Defense (CTID)" - ], - "x_mitre_collection_layers": [ - "Host" - ], "type": "x-mitre-data-source", "id": "x-mitre-data-source--e8b8ede7-337b-4c0c-8c32-5c7872c1ee22", "created": "2021-10-20T15:05:19.272Z", 
@@ -46,8 +24,32 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-18T15:10:24.655Z", + "name": "Process", + "description": "Instances of computer programs that are being executed by at least one thread. Processes have memory space for process executables, loaded modules (DLLs or shared libraries), and allocated memory regions containing everything from user input to application-specific data structures(Citation: Microsoft Processes and Threads)", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_platforms": [ + "Linux", + "Windows", + "macOS", + "Android", + "iOS", + "ESXi" + ], + "x_mitre_deprecated": false, + "x_mitre_domains": [ + "ics-attack", + "mobile-attack", + "enterprise-attack" + ], + "x_mitre_version": "1.2", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_contributors": [ + "Center for Threat-Informed Defense (CTID)" + ], + "x_mitre_collection_layers": [ + "Host" + ] } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json b/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json index 2db29392cf..928be43a1f 100644 --- a/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json +++ b/mobile-attack/x-mitre-matrix/x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc.json 
@@ -1,35 +1,38 @@ { "type": "bundle", - "id": "bundle--bf6e5806-8711-4a9c-a30b-f94c23384b5a", + "id": "bundle--fb902104-afa2-45f0-b751-f4bdb102e6a2", "spec_version": "2.0", "objects": [ { - "tactic_refs": [ - "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", - "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17" + "type": "x-mitre-matrix", + "id": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/matrices/mobile-attack", + "external_id": "mobile-attack" + } ], "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "type": "x-mitre-matrix", - "id": "x-mitre-matrix--5104d5f0-16b7-4aec-8ae3-0a90cd5494fc", - "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "1.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "mobile-attack", - "url": "https://attack.mitre.org/matrices/mobile-attack" - } - ], - "x_mitre_deprecated": true, - "revoked": false, - "description": "Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. The Matrices contains information for the following platforms: Android, iOS.", - "modified": "2022-04-06T15:44:04.736Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "modified": "2025-04-18T18:00:50.259Z", "name": "Network-Based Effects", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "description": "Below are the tactics and techniques representing the two MITRE ATT&CK Matrices for Mobile. 
The Matrices cover techniques involving device access and network-based effects that can be used by adversaries without device access. The Matrices contains information for the following platforms: Android, iOS.", + "tactic_refs": [ + "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", + "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17" + ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json b/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json index 0eb974c4e3..6752946da7 100644 --- a/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json +++ b/mobile-attack/x-mitre-matrix/x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b.json 
@@ -1,9 +1,27 @@ { "type": "bundle", - "id": "bundle--81c514f9-7d49-46c0-9031-d8020f0b4767", + "id": "bundle--1f2f00ca-445a-4d3a-b9ef-9e64a2f333df", "spec_version": "2.0", "objects": [ { + "type": "x-mitre-matrix", + "id": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b", + "created": "2018-10-17T00:14:20.652Z", + "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "revoked": false, + "external_references": [ + { + "source_name": "mitre-attack", + "url": "https://attack.mitre.org/matrices/mobile-attack", + "external_id": "mobile-attack" + } + ], + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-17T20:51:13.569Z", + "name": "Mobile ATT&CK", + "description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Mobile. The Matrix contains information for the following platforms: Android, iOS.", "tactic_refs": [ "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", 
@@ -18,28 +36,13 @@ "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e" ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "type": "x-mitre-matrix", - "id": "x-mitre-matrix--a382db5e-d009-4135-b893-0e0ff021c95b", - "created": "2018-10-17T00:14:20.652Z", - "x_mitre_version": "2.0", - "external_references": [ - { - "source_name": "mitre-attack", - "external_id": "mobile-attack", - "url": "https://attack.mitre.org/matrices/mobile-attack" - } - ], + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "x_mitre_deprecated": false, - "revoked": false, - "description": "Below are the tactics and technique representing the MITRE ATT&CK Matrix for Mobile. The Matrix contains information for the following platforms: Android, iOS.", - "modified": "2022-04-06T15:43:22.080Z", - "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", - "name": "Mobile ATT&CK", - "x_mitre_attack_spec_version": "2.1.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "2.0", + "x_mitre_attack_spec_version": "3.2.0" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json index 394878b985..8b787e20fa 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6.json 
@@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--bb7f367a-80ba-420c-9015-91713de6581e", + "id": "bundle--ecf4a727-a704-4668-ade7-861d5b21c723", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--0a93fd8e-4a83-4c15-8203-db290e5f2ac6", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0027", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0027", - "source_name": "mitre-attack" + "external_id": "TA0027" } ], - "modified": "2020-01-27T14:02:36.744Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:21:59.963Z", "name": "Initial Access", "description": "The adversary is trying to get into your device.\n\nThe initial access tactic represents the vectors adversaries use to gain an initial foothold onto a mobile device.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "initial-access" } ] diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json index 3194777c2c..3aba5e2a61 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981.json 
@@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--3ebee79b-e761-482a-afee-844fa1385214", + "id": "bundle--c1b805c7-fa09-4aa0-9925-c6daff921fc1", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--10fa8d8d-1b04-4176-917e-738724239981", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0036", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0036", - "source_name": "mitre-attack" + "external_id": "TA0036" } ], - "modified": "2020-01-27T14:06:42.009Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:00.114Z", "name": "Exfiltration", "description": "The adversary is trying to steal data.\n\nExfiltration refers to techniques and attributes that result or aid in the adversary removing files and information from the targeted mobile device.\n\nIn the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "exfiltration" } ] 
diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json
index de7881daa2..c5d4d33a2b 100644
--- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json
+++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54.json
@@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--6472188a-62a4-41fc-bfb1-cc070370fb14", + "id": "bundle--950a23f3-7ae2-4dec-a7b0-8bc695c3d5da", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--363bbeff-bb2a-4734-ac74-d6d37202fe54", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0028", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0028", - "source_name": "mitre-attack" + "external_id": "TA0028" } ], - "modified": "2020-01-27T14:03:15.455Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:00.260Z", "name": "Persistence", "description": " The adversary is trying to maintain their foothold.\n\nPersistence is any access, action, or configuration change to a mobile device that gives an attacker a persistent presence on the device. Attackers often will need to maintain access to mobile devices through interruptions such as device reboots and potentially even factory data resets.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "persistence" } ] diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json index ede22832c1..a4a5d0fff6 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json 
+++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8.json @@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--68e146dc-3852-4a5f-8d64-adba0404b4d6", + "id": "bundle--f1364986-231a-4ca2-ba19-aa1c07be0b62", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--3e962de5-3280-43b7-bc10-334fbc1d6fa8", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0029", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0029", - "source_name": "mitre-attack" + "external_id": "TA0029" } ], - "modified": "2020-01-27T14:03:49.343Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:00.414Z", "name": "Privilege Escalation", "description": " The adversary is trying to gain higher-level permissions.\n\nPrivilege escalation includes techniques that allow an attacker to obtain a higher level of permissions on the mobile device. Attackers may enter the mobile device with very limited privileges and may be required to take advantage of a device weakness to obtain higher privileges necessary to successfully carry out their mission objectives.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "privilege-escalation" } ] 
diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json
index cc1723aadc..6c1e6df414 100644
--- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json
+++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3.json
@@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--a598ca50-def6-4fc6-86a2-4a75e509a780", + "id": "bundle--368aff6d-e7bb-464f-a0c4-8a1b00a78792", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--3f660805-fa2e-42e8-8851-57f9e9b653e3", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0037", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0037", - "source_name": "mitre-attack" + "external_id": "TA0037" } ], - "modified": "2020-01-27T14:06:59.132Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:00.567Z", "name": "Command and Control", "description": "The adversary is trying to communicate with compromised devices to control them.\n\nThe command and control tactic represents how adversaries communicate with systems under their control within a target network. There are many ways an adversary can establish command and control with various levels of covertness, depending on system configuration and network topology. Due to the wide degree of variation available to the adversary at the network level, only the most common factors were used to describe the differences in command and control. There are still a great many specific techniques within the documented methods, largely due to how easy it is to define new protocols and use existing, legitimate protocols and network services for communication. \n\nThe resulting breakdown should help convey the concept that detecting intrusion through command and control protocols without prior knowledge is a difficult proposition over the long term. 
Adversaries' main constraints in network-level defense avoidance are testing and deployment of tools to rapidly change their protocols, awareness of existing defensive technologies, and access to legitimate Web services that, when used appropriately, make their tools difficult to distinguish from benign traffic.\n\nAdditionally, in the mobile environment, mobile devices are frequently connected to networks outside enterprise control such as cellular networks or public Wi-Fi networks. Adversaries could attempt to evade detection by communicating on these networks, and potentially even by using non-Internet Protocol mechanisms such as Short Message Service (SMS). However, cellular networks often have data caps and/or extra data charges that could increase the potential for adversarial communication to be detected.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "command-and-control" } ] diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json index d688212bfc..79fd8f6f2a 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756.json 
@@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--03956c6e-f07c-44a2-a0cd-17f7c1d0fdbe", + "id": "bundle--8b7274c1-adee-4c10-8115-cc0b4049b3f3", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--4a800987-a3a8-4d56-a1bd-0d7171431756", "created": "2020-01-27T14:00:49.089Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0041", "source_name": "mitre-attack", - "url": "https://attack.mitre.org/tactics/TA0041" + "url": "https://attack.mitre.org/tactics/TA0041", + "external_id": "TA0041" } ], - "modified": "2020-01-27T14:00:49.089Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:00.730Z", "name": "Execution", "description": "The adversary is trying to run malicious code.\n\nExecution consists of techniques that result in adversary-controlled code running on a mobile device. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "execution" } ] diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json index 76ad74432f..4fafda12ad 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json 
+++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e.json @@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--c077c22e-3343-47e2-b4c4-c5d3a9e3db15", + "id": "bundle--f8d3ba12-1aca-4dc5-aff2-2bcc4faff832", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--6ebce653-294a-444a-bffb-14c04c8d137e", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0034", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0034", - "source_name": "mitre-attack" + "external_id": "TA0034" } ], - "modified": "2020-01-27T16:09:15.308Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:00.876Z", "name": "Impact", "description": "The adversary is trying to manipulate, interrupt, or destroy your devices and data.\n\nThe impact tactic consists of techniques used by the adversary to execute his or her mission objectives but that do not cleanly fit into another category such as Collection. Mission objectives vary based on each adversary's goals, but examples include toll fraud, destruction of device data, or locking the user out of his or her device until a ransom is paid.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "impact" } ] 
diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json
index 1896d7fc2c..ec7d519e8f 100644
--- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json
+++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10.json
@@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--2f9970a1-6c24-4d3a-9fdd-6efa4edc6601", + "id": "bundle--cd0191b7-00a7-4069-a292-eaba0108f3f9", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--6fcb36b8-3776-483b-8699-42215714fb10", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0031", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0031", - "source_name": "mitre-attack" + "external_id": "TA0031" } ], - "modified": "2020-01-27T14:05:02.718Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:01.017Z", "name": "Credential Access", "description": "The adversary is trying to steal account names, passwords, or other secrets that enable access to resources.\n\nCredential access represents techniques that can be used by adversaries to obtain access to or control over passwords, tokens, cryptographic keys, or other values that could be used by an adversary to gain unauthorized access to resources. Credential access allows the adversary to assume the identity of an account, with all of that account's permissions on the system and network, and makes it harder for defenders to detect the adversary. With sufficient access within a network, an adversary can create accounts for later use within the environment.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "credential-access" } ] 
diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json
index 1d524ec295..7266f23db8 100644
--- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json
+++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba.json
@@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--230ae215-6caa-43e4-8bf4-658d3a55dcea", + "id": "bundle--fb9d0687-d634-4bed-bc83-4c5d0882d967", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--7a0d25d3-f0c0-40bf-bf90-c743871b19ba", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0035", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0035", - "source_name": "mitre-attack" + "external_id": "TA0035" } ], - "modified": "2020-01-27T14:06:10.915Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:01.179Z", "name": "Collection", "description": "The adversary is trying to gather data of interest to their goal.\n\nCollection consists of techniques used to identify and gather information, such as sensitive files, from a target network prior to exfiltration. This category also covers locations on a system or network where the adversary may look for information to exfiltrate.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "collection" } ] diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json index b0e301e458..ebccfd699b 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json 
+++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f.json @@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--98e9da84-b2c2-42fa-bda7-c39a7bbb3d57", + "id": "bundle--25e65b5d-a3db-444d-82de-4d05950fede5", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--7be441c2-0095-4b1e-8125-fa8ffda29b0f", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0033", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0033", - "source_name": "mitre-attack" + "external_id": "TA0033" } ], - "modified": "2020-01-27T14:05:37.854Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:01.345Z", "name": "Lateral Movement", "description": "The adversary is trying to move through your environment.\n\nLateral movement consists of techniques that enable an adversary to access and control remote systems on a network and could, but does not necessarily, include execution of tools on remote systems. The lateral movement techniques could allow an adversary to gather information from a system without needing additional tools, such as a remote access tool.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "lateral-movement" } ] 
diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json index 41aba85b9a..e28f06bdc5 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df.json 
@@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--7f5339ef-01b7-4ea4-afed-05f6087515f4", + "id": "bundle--9083debe-9962-46a3-b81b-ff3f7d833f18", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--987cda6d-eb77-406b-bf68-bcb5f3d2e1df", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0030", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0030", - "source_name": "mitre-attack" + "external_id": "TA0030" } ], - "modified": "2020-01-27T14:04:46.497Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:01.500Z", "name": "Defense Evasion", "description": " The adversary is trying to avoid being detected.\n\nDefense evasion consists of techniques an adversary may use to evade detection or avoid other defenses. Sometimes these actions are the same as or variations of techniques in other categories that have the added benefit of subverting a particular defense or mitigation. Defense evasion may be considered a set of attributes the adversary applies to all other phases of the operation.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "defense-evasion" } ] diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json index 2b86d88d22..d1496b7c4b 100644 
--- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210.json @@ -1,18 +1,9 @@ { "type": "bundle", - "id": "bundle--6dbcfc7b-64c0-42ae-8dbe-394d5e0caf7b", + "id": "bundle--a635b4aa-f7eb-4bfb-ba15-1f5aaf7483d1", "spec_version": "2.0", "objects": [ { - "modified": "2022-11-07T21:01:17.781Z", - "name": "Network Effects", - "description": "The adversary is trying to intercept or manipulate network traffic to or from a device.\n\nThis category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. These include techniques to intercept or manipulate network traffic to and from the mobile device.", - "x_mitre_deprecated": true, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_shortname": "network-effects", "type": "x-mitre-tactic", "id": "x-mitre-tactic--9eb4c21e-4fa8-44c9-b167-dbfc455f9210", "created": "2018-10-17T00:14:20.652Z", 
@@ -28,8 +19,17 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.0.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-18T18:00:48.173Z", + "name": "Network Effects", + "description": "The adversary is trying to intercept or manipulate network traffic to or from a device.\n\nThis category refers to network-based techniques that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself. These include techniques to intercept or manipulate network traffic to and from the mobile device.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_shortname": "network-effects" } ] } \ No newline at end of file diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json index ae8a8e12d9..58919dcbb3 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1.json 
@@ -1,32 +1,32 @@ { "type": "bundle", - "id": "bundle--98de9c36-10bd-4e82-8691-2ff46f71f70e", + "id": "bundle--5911aa13-2d4f-45ad-a2ce-2a2b1c97ac9b", "spec_version": "2.0", "objects": [ { - "x_mitre_domains": [ - "mobile-attack" - ], - "object_marking_refs": [ - "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" - ], - "id": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "type": "x-mitre-tactic", + "id": "x-mitre-tactic--d418cdeb-1b9f-4a6b-a15d-2f89f549f8c1", "created": "2018-10-17T00:14:20.652Z", "created_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", "external_references": [ { - "external_id": "TA0032", + "source_name": "mitre-attack", "url": "https://attack.mitre.org/tactics/TA0032", - "source_name": "mitre-attack" + "external_id": "TA0032" } ], - "modified": "2020-01-27T16:09:00.466Z", + "object_marking_refs": [ + "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" + ], + "modified": "2025-04-16T21:22:01.668Z", "name": "Discovery", "description": "The adversary is trying to figure out your environment.\n\nDiscovery consists of techniques that allow the adversary to gain knowledge about the characteristics of the mobile device and potentially other networked systems. When adversaries gain access to a new system, they must orient themselves to what they now have control of and what benefits operating from that system give to their current objective or overall goals during the intrusion. The operating system may provide capabilities that aid in this post-compromise information-gathering phase.", - "x_mitre_version": "1.0", - "x_mitre_attack_spec_version": "2.1.0", "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", "x_mitre_shortname": "discovery" } ] 
diff --git a/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json b/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json index d8410f6632..efc728ed50 100644 --- a/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json +++ b/mobile-attack/x-mitre-tactic/x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17.json @@ -1,18 +1,9 @@ { "type": "bundle", - "id": "bundle--7ba4b78d-72a5-4431-a62b-028dfeb2ec9a", + "id": "bundle--bd05e4a0-4c21-4ce5-ba19-0ba4e031c87d", "spec_version": "2.0", "objects": [ { - "modified": "2022-11-07T21:01:36.112Z", - "name": "Remote Service Effects", - "description": "The adversary is trying to control or monitor the device using remote services.\n\nThis category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.", - "x_mitre_deprecated": true, - "x_mitre_domains": [ - "mobile-attack" - ], - "x_mitre_version": "1.0", - "x_mitre_shortname": "remote-service-effects", "type": "x-mitre-tactic", "id": "x-mitre-tactic--e78d7d60-41b5-49b7-b0a9-5c5d4cbabe17", "created": "2018-10-17T00:14:20.652Z", 
@@ -28,8 +19,17 @@ "object_marking_refs": [ "marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168" ], - "x_mitre_attack_spec_version": "3.0.0", - "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5" + "modified": "2025-04-18T18:00:48.346Z", + "name": "Remote Service Effects", + "description": "The adversary is trying to control or monitor the device using remote services.\n\nThis category refers to techniques involving remote services, such as vendor-provided cloud services (e.g. Google Drive, Google Find My Device, or Apple iCloud), or enterprise mobility management (EMM)/mobile device management (MDM) services that an adversary may be able to use to fulfill his or her objectives without access to the mobile device itself.", + "x_mitre_modified_by_ref": "identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5", + "x_mitre_deprecated": true, + "x_mitre_domains": [ + "mobile-attack" + ], + "x_mitre_version": "1.0", + "x_mitre_attack_spec_version": "3.2.0", + "x_mitre_shortname": "remote-service-effects" } ] } \ No newline at end of file